

Subject: Comment on public review for Common Security Advisory Framework v2.0


I’m passing on comments made at an NTIA SBOM meeting yesterday. These comments are my own and are not intended to represent the views of others (they should submit themselves), but my views were informed by the discussion. The topic being discussed was using CSAF for VEX to report beyond-end-of-life and beyond-end-of-support for components in a product that was itself not beyond-end-of-life nor beyond-end-of-support. Our understanding was that this was doable using CSAF but several observations were made that might be improved in CSAF.

  1. The word “legacy” is used to indicate “end of life” in branches category in section 3.1.2.2. There was some concern on use of the word “legacy”. Since it was being used synonymously with “end of life”, I suggest using “end of life” instead.
  2. Some medical industry representatives made a distinction between “end of life” and “end of support”. They emphasized it was due to regulators making that distinction (I am not an expert, so I am just passing this on based on my understanding of what was said). Given at least some use cases distinguish between “end of life” and “end of support”, I suggest adding another branch category called “end of support”.

Neither comment is one that I would fall on my sword over. Just passing along for consideration in this or future versions.


-- 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/
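As an added illustration (not part of either e-mail, and not code from the CSAF TC), the following Python walks a CSAF 2.0 product_tree to surface exactly the situation described above: a component marked with the `legacy` branch category (section 3.1.2.2) bundled inside a product that is itself still supported. The set of branch categories and the `default_component_of` relationship category are the ones defined by CSAF 2.0; the document contents, product names and `CSAFPID-*` identifiers are constructed for this example. The `unknown_branch_categories` check also shows what a schema-aware consumer would do with the proposed “end of support” value today: report it as undefined until the specification adds it.

```python
"""Find end-of-life (``legacy``) components inside supported products in a
CSAF 2.0 document.  Added example; the document below is constructed."""
import json

# Branch categories defined by CSAF 2.0, section 3.1.2.2 (Branches Type).
CSAF_2_0_BRANCH_CATEGORIES = frozenset({
    "architecture", "host_name", "language", "legacy", "patch_level",
    "product_family", "product_name", "product_version",
    "product_version_range", "service_pack", "specification", "vendor",
})

# Constructed product tree: ExampleApp 4.2 is supported, but it bundles
# libwidget 1.9, which the vendor places under a "legacy" branch.
SAMPLE_CSAF = json.loads("""{
  "product_tree": {
    "branches": [
      {"category": "vendor", "name": "Example Vendor", "branches": [
        {"category": "product_name", "name": "ExampleApp", "branches": [
          {"category": "product_version", "name": "4.2",
           "product": {"name": "Example Vendor ExampleApp 4.2",
                       "product_id": "CSAFPID-0001"}}
        ]},
        {"category": "product_name", "name": "libwidget", "branches": [
          {"category": "legacy", "name": "1.x", "branches": [
            {"category": "product_version", "name": "1.9",
             "product": {"name": "libwidget 1.9 (legacy)",
                         "product_id": "CSAFPID-0002"}}
          ]},
          {"category": "product_version", "name": "2.0",
           "product": {"name": "libwidget 2.0",
                       "product_id": "CSAFPID-0003"}}
        ]}
      ]}
    ],
    "relationships": [
      {"category": "default_component_of",
       "product_reference": "CSAFPID-0002",
       "relates_to_product_reference": "CSAFPID-0001",
       "full_product_name": {"name": "libwidget 1.9 in ExampleApp 4.2",
                             "product_id": "CSAFPID-0004"}}
    ]
  }
}""")


def iter_products(branches, path=()):
    """Yield (product_id, name, branch categories on the path from the root)
    for every product node in a CSAF branches array."""
    for branch in branches:
        here = path + (branch["category"],)
        if "product" in branch:
            yield branch["product"]["product_id"], branch["product"]["name"], here
        yield from iter_products(branch.get("branches", []), here)


def iter_branch_categories(branches):
    """Yield every branch category in document order, recursively."""
    for branch in branches:
        yield branch["category"]
        yield from iter_branch_categories(branch.get("branches", []))


def unknown_branch_categories(doc):
    """Categories not defined by CSAF 2.0, in first-seen order.  A value such
    as the proposed "end of support" shows up here until the spec adds it."""
    seen = []
    for cat in iter_branch_categories(doc["product_tree"].get("branches", [])):
        if cat not in CSAF_2_0_BRANCH_CATEGORIES and cat not in seen:
            seen.append(cat)
    return seen


def legacy_product_ids(doc):
    """Product IDs whose path from the root passes through a legacy branch."""
    return [pid for pid, _name, cats
            in iter_products(doc["product_tree"].get("branches", []))
            if "legacy" in cats]


def legacy_components_of_supported_products(doc):
    """The e-mail's scenario: legacy (end-of-life) components related to a
    product that is not legacy.  Returns (product, component, relationship
    product_id) triples for each such relationship."""
    legacy = set(legacy_product_ids(doc))
    hits = []
    for rel in doc["product_tree"].get("relationships", []):
        component = rel["product_reference"]
        parent = rel["relates_to_product_reference"]
        if component in legacy and parent not in legacy:
            hits.append((parent, component, rel["full_product_name"]["product_id"]))
    return hits


if __name__ == "__main__":
    print("legacy products:", legacy_product_ids(SAMPLE_CSAF))
    print("undefined categories:", unknown_branch_categories(SAMPLE_CSAF))
    for parent, comp, rel_id in legacy_components_of_supported_products(SAMPLE_CSAF):
        print(f"{comp} is legacy but bundled in supported {parent} (as {rel_id})")
```

A VEX consumer triaging an SBOM can run the relationship check against the advisory it receives: the product it ships is not flagged, but the bundled component is, which is the distinction the meeting participants wanted the branch categories to carry.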

From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of Paul Knight <paul.knight@oasis-open.org>
Date: Friday, August 13, 2021 at 3:15 PM
To: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org>
Subject: [csaf] Your Public Review for Common Security Advisory Framework v2.0 has been announced

Members of the CSAF TC,

Congratulations!


Your 30-day public review for Common Security Advisory Framework v2.0 has been announced. The review ends on 12 September 2021. You can find the announcement at https://lists.oasis-open.org/archives/members/202108/msg00006.html.

Please consider forwarding this announcement on to other parties who may be interested in the work. In my experience, TCs that actively solicit outside review get more and better quality feedback on their specifications.

Also, please keep in mind the OASIS requirements for handling comments [1]. Non-TC member feedback can only be submitted to the TC's comment list csaf-comment@lists.oasis-open.org. The TC must have someone subscribed to this mail list to monitor comments. All submitted comments must be acknowledged by the TC. In addition, the TC needs to maintain a log of comments received and their resolutions. The comment resolution log will need to be available when you begin your next public review. A simple comment resolution log template is available in OpenDocument [2] and Office [3] format.

Let me know if you have any questions regarding the review or next steps.

=== Additional references:
[1] https://www-legacy.oasis-open.org/resources/tcadmin/handling-the-comments-received-during-a-public-review

[2] https://www-legacy.oasis-open.org/sites/www.oasis-open.org/files/Simple-comment-resolution-log-template_0.ods

[3] https://www-legacy.oasis-open.org/sites/www.oasis-open.org/files/Simple-comment-resolution-log-template_0.xls

--

Paul Knight

Document Process

OASIS Open

+1 781-883-1783

paul.knight@oasis-open.org

www.oasis-open.org
