
Subject: RE: [csaf] CSAF member support for SBOM use of CSAF

I echo Duncan's comments as well. We need to join efforts, competing standards and approaches will be poison for further adoption in the future. And we definitely do not want to stay in the current (desolate) situation in regards to automation of advisory and vulnerability information.



Best regards,



Tobias Limmer
Principal Key Expert
Siemens AG
Otto-Hahn-Ring 6
81739 Muenchen, Germany
Mobile: +49 172 6703933


From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> On Behalf Of Omar Santos (osantos)
Sent: Tuesday, 9 March 2021 18:53
To: duncan sfractal.com <duncan@sfractal.com>; csaf@lists.oasis-open.org; Friedman, Allan <AFriedman@ntia.gov>
Cc: Dee Schur <dee.schur@oasis-open.org>; Jane Harnad <jharnad@oasis-open.org>; Carol Geyer <carol.geyer@oasis-open.org>; Chet Ensign <chet.ensign@oasis-open.org>
Subject: Re: [csaf] CSAF member support for SBOM use of CSAF


I echo Duncan's comments. We already have CSAF participants interested in collaborating (such as Stefan, Thomas, and myself). Duncan, you mentioned "pick something different", what is the alternative? That may help the group also be aware of any other initiatives outside of SBOM VEX and CSAF.




Omar Santos
PSIRT, Security Research and Operations
Cisco Systems
Email: os@cisco.com
PGP: https://keybase.io/santosomar


From: <csaf@lists.oasis-open.org> on behalf of "duncan sfractal.com" <duncan@sfractal.com>
Date: Tuesday, March 9, 2021 at 12:08 PM
To: "csaf@lists.oasis-open.org" <csaf@lists.oasis-open.org>
Cc: Dee Schur <dee.schur@oasis-open.org>, Jane Harnad <jharnad@oasis-open.org>, Carol Geyer <carol.geyer@oasis-open.org>, Chet Ensign <chet.ensign@oasis-open.org>
Subject: [csaf] CSAF member support for SBOM use of CSAF


Hi all,

I'm not sure if everyone is following the public comment channel of CSAF. I recommend you look at https://lists.oasis-open.org/archives/csaf-comment/202103/msg00000.html from Allan Friedman, an influential USG leader. His SBOM efforts (see https://www.ntia.gov/sbom and https://www.ntia.gov/SoftwareTransparency ) are gaining quite a lot of support both inside and outside of government (and not just US government).


The VEX group he refers to is looking at CSAF for its needs. However some members are raising objections because "no one from CSAF is here". Personally I both understand their frustration (since members aren't informed enough to know whether CSAF meets the needs, and whether CSAF could evolve if it needed some tweak to meet the needs) but also think it is sometimes a red herring masking other issues (alternatives they are advocating, desire to slow process down, etc).


Allan is inviting more participation in his group, and is willing to meet with CSAF participants to bring them on board. This is a non-trivial offer. I strongly advise anyone with an interest in CSAF succeeding to take Allan up on his offer. His SBOM group is both large and influential so his group picking CSAF would be a feather in CSAF's cap. Conversely, if they roll their own or pick something different, it may hinder CSAF adoption.


Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at http://vsre.info/