I know there were quite a few responses to the RFC from CISA's paper (including ones i was involved with: Google, OpenSSF, GUAC). My gut feel to the CISA paper was more of a starting point for discussion than a guidance document. I am hoping that the responses will promote a forum for us to have these discussions with them and the broader community.
On Thu, Jan 18, 2024 at 2:33 PM Gary O'Neall <[email protected]> wrote: > One of the proposed solutions for package verification is to use OMNIBor > identifiers for verification purposes (see PR #602 > <https://github.com/spdx/spdx-3-model/pull/602> for documentation on this > approach). > > > > Since it relates to identifiers, I thought it might be useful to review > the recently release paper on identifiers from CISA > <https://www.cisa.gov/sites/default/files/2023-10/Software-Identification-Ecosystem-Option-Analysis-508c.pdf> > – there is a request for comment. > > > > Note that the goal of the paper seems focused on the correlation of > package artifacts with vulnerability management systems. There are other > use cases which don’t seem to be considered (or at least mentioned) in the > paper. > > > > A few things I noticed while scanning the paper related to the > verification code discussion: > > - It sadly doesn’t reference Software Heritage ID’s, which I > personally think is a well thought through identifier scheme. I wonder how > SWHID’s compare with OmniBOR in terms of some of the issues raised in the > paper. > - No mention of using the identifiers for verification purpose, > although there is a mention of “Inherent Identifiers” whose properties > include the ability to verify > - One of the criteria is “grouping” – which is stated to be unsolved > at this point > - Section 2.5 “Path 5: Unidentified Software Descriptor to Augment > Paths 2, 3, and 4” describes a path which seems quite implementable using > our current SPDX 3.0 model > > > > Gary > > > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#5491): https://lists.spdx.org/g/Spdx-tech/message/5491 Mute This Topic: https://lists.spdx.org/mt/103815753/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
