Re: [spdx-tech] CISA document on identifiers

[叶涛]

发自我的 iPad 在 2024年1月19日，03:42，Dick Brooks <d...@reliableenergyanalytics.com> 写道：  I continue to believe that PURL/SWID, with a required namespace tag for software supplier identity, offers the most potential as an international unique software identifier.   There are constraints that limit the viable options for unique software identifiers.   Thanks,   Dick Brooks <image001.png>   <image004.png> Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership   Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: d...@reliableenergyanalytics.com Tel: +1 978-696-1788     From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Brandon Lum via lists.spdx.org Sent: Thursday, January 18, 2024 2:38 PM To: Gary O'Neall <g...@sourceauditor.com> Cc: spdx-tech@lists.spdx.org Subject: Re: [spdx-tech] CISA document on identifiers   I know there were quite a few responses to the RFC from CISA's paper (including ones i was involved with: Google, OpenSSF, GUAC). My gut feel to the CISA paper was more of a starting point for discussion than a guidance document. I am hoping that the responses will promote a forum for us to have these discussions with them and the broader community.   On Thu, Jan 18, 2024 at 2:33 PM Gary O'Neall <g...@sourceauditor.com> wrote: One of the proposed solutions for package verification is to use OMNIBor identifiers for verification purposes (see PR #602 for documentation on this approach).   Since it relates to identifiers, I thought it might be useful to review the recently release paper on identifiers from CISA – there is a request for comment.   Note that the goal of the paper seems focused on the correlation of package artifacts with vulnerability management systems.  There are other use cases which don’t seem to be considered (or at least mentioned) in the paper.   A few things I noticed while scanning the paper related to the verification code discussion: It sadly doesn’t reference Software Heritage ID’s, which I personally think is a well thought through identifier scheme.  I wonder how SWHID’s compare with OmniBOR in terms of some of the issues raised in the paper. No mention of using the identifiers for verification purpose, although there is a mention of “Inherent Identifiers” whose properties include the ability to verify One of the criteria is “grouping” – which is stated to be unsolved at this point Section 2.5 “Path 5: Unidentified Software Descriptor to Augment Paths 2, 3, and 4” describes a path which seems quite implementable using our current SPDX 3.0 model   Gary _._,_._,_ Links: You receive all messages sent to this group. View/Reply Online (#5493) | Reply To Sender | Reply To Group | Mute This Topic | New Topic Your Subscription | Contact Group Owner | Unsubscribe [arch...@mail-archive.com] _._,_._,_