OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

csaf message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [csaf] CSAF presentation & Where to find CSAF documents

Schmidt, Thomas writes:

> Hi @all,
> I wish you a happy and healthy New Year!
>
> Please find attached the presentation which I would like to give at our next call on Wednesday to be able to review it beforehand. You will find
> - a general introduction: p. 2-5
> - different maturity stages in regards to security advisories: p. 6-7
> - conformance targets at document level: p. 8 (see also https://github.com/oasis-tcs/csaf/issues/140)
> - a suggestion how issuers of advisories should provide them: p. 9-10 (see also https://github.com/oasis-tcs/csaf/issues/152)
> - why aggregators are needed: p. 11-15 (see also https://github.com/oasis-tcs/csaf/issues/152)
> - what I suggest to NOT solve in CSAF 2.0 but push to a later version: p. 16
>

Hi Thomas,

Having thought about your presentation a bit, I have a couple of
comments/questions:

I find the number of proposed requirements that a CSAF provider has to meet
a bit high. At least in the open source world, CSAF definitely struggles
with adoption so rating different vendors by their adherence to the
proposed criteria to be able to be presented in some central aggregator as
"trusted" seems a bit skewed towards vendors who can devote a lot of
resources to their CSAF infrastructure. I also doubt many vendors will be
happy to restructure their website to serve their CSAF content at a
required location (especially if you expect it to work for any domain and
subdomain of a vendor).

I generally like the idea of a central aggregator of CSAF documents, but in
my opinion it should be community maintained. If I as a vendor want to
participate in this aggregator, I should be able to provide a pointer to
the location of all my CSAF documents and that's it. It might be easiest to
start a csaf-manifest Git repo that may contain structured YAML files (or
w/e machine readable markup) per vendor.

I think instead of focusing on added requirements in adopting CSAF, the
community should make the standard more approachable to new vendors
and projects.

Also, slide 16 mentions "Integration of SBOM", what exactly does that mean?
How is an SBOM related to the content of advisories? Is the intention for
CSAF documents to include entire SBOMs of artifacts that they provide
updates for?

Thanks again for the presentation!

-- 
Martin PrpiÄ / Red Hat Product Security

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]