REA makes a distinction between a “Supplier” and a “Vendor” in our guidance for OMB M-22-18:
https://energycentral.com/c/pip/advice-software-vendors-prepare-omb-m-22-18-requirements

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
<https://reliableenergyanalytics.com/products>
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of sherzberg via lists.spdx.org
Sent: Tuesday, February 21, 2023 10:53 AM
To: [email protected]
Subject: Re: [spdx-tech] Package Supplier clarification

I'd like to clarify "that was installed via apt(1) from the upstream repository". If we're using the default repositories, then it makes sense to use Ubuntu, or Canonical, as the Supplier. However, a user can update apt to use a different package repository, one not necessarily affiliated with Ubuntu/Canonical. If so, I would think that the Supplier should be based on that repository, and not based on Ubuntu, even if the user is using apt on an Ubuntu distro. Do you agree with that conclusion?

(Sorry Alexios, accidentally responded to just you initially. Now responding to the group).
