Hi Gary, I'm currently going through the CISA document and noting down my observations. Although the commenting period is over, I was asked to give my feedback on the document by one of the CISA's members. If you or anyone else are interested in looking into this further and potentially give our feedback from SPDX perspective, I am willing to work with them.
Naming is so important, and as I understand, it is a major blocking factor for SBOMs/VEXs from being adopted (at least quickly. Otherwise, it may take several years is what I heard). So, it would be worthwhile to spend some time on this. Thanks & Best Regards, Venkat. <http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> Virus-free.www.avg.com <http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2> On Fri, Jan 19, 2024 at 1:03 AM Gary O'Neall <[email protected]> wrote: > One of the proposed solutions for package verification is to use OMNIBor > identifiers for verification purposes (see PR #602 > <https://github.com/spdx/spdx-3-model/pull/602> for documentation on this > approach). > > > > Since it relates to identifiers, I thought it might be useful to review > the recently release paper on identifiers from CISA > <https://www.cisa.gov/sites/default/files/2023-10/Software-Identification-Ecosystem-Option-Analysis-508c.pdf> > – there is a request for comment. > > > > Note that the goal of the paper seems focused on the correlation of > package artifacts with vulnerability management systems. There are other > use cases which don’t seem to be considered (or at least mentioned) in the > paper. > > > > A few things I noticed while scanning the paper related to the > verification code discussion: > > - It sadly doesn’t reference Software Heritage ID’s, which I > personally think is a well thought through identifier scheme. I wonder how > SWHID’s compare with OmniBOR in terms of some of the issues raised in the > paper. > - No mention of using the identifiers for verification purpose, > although there is a mention of “Inherent Identifiers” whose properties > include the ability to verify > - One of the criteria is “grouping” – which is stated to be unsolved > at this point > - Section 2.5 “Path 5: Unidentified Software Descriptor to Augment > Paths 2, 3, and 4” describes a path which seems quite implementable using > our current SPDX 3.0 model > > > > Gary > > > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#5580): https://lists.spdx.org/g/Spdx-tech/message/5580 Mute This Topic: https://lists.spdx.org/mt/103815753/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
