
csaf message



Subject: Re: CVRF/CSAF "awareness & adoption"


That’s a really, really good point! The more we communicate adoption and real-world use cases the better. The VEX use case of CSAF will definitely be front and center for most vendors.

 

From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of duncan sfractal.com <duncan@sfractal.com>
Date: Wednesday, October 26, 2022 at 12:54 PM
To: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org>
Subject: [csaf] CVRF/CSAF "awareness & adoption"

I think some discussion of “awareness & adoption” would be useful. Not holding anyone to commitments but companies sharing their current use and future plans wrt both CVRF and CSAF would be useful. In other meetings (eg CISA SBOM meetings), some people downplay CSAF adoption (“it will take years before VEX profile is used”, “no one uses CVRF”, “there are no tools”, …) and it would help to have some data to counter misconceptions.

 

I know we get a few statements-of-use prior to passing the standard, but now that CSAF is adopted it might be useful to make more noise on planned use. Given we are now inside the 270-day clock on US Federal procurement requiring SBOMs, I suspect CSAF/VEX usage will take off. But that’s speculation on my part – actual companies making non-binding statements (keep the lawyers happy) on what they are already doing and what are their plans will carry a lot more weight than my speculation.

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of Omar Santos (osantos) <osantos@cisco.com>
Date: Wednesday, October 26, 2022 at 12:26 PM
To: Stefan Hagen <stefan@hagen.link>, Martin Prpič <mprpic@redhat.com>
Cc: Feng Cao <feng.cao@oracle.com>, csaf@lists.oasis-open.org <csaf@lists.oasis-open.org>, Schmidt, Thomas <thomas.schmidt@bsi.bund.de>
Subject: Re: [csaf] what is the plan to phase out CVRF support?

We can definitely put it in the agenda. However, it is really up to the vendor/producer of CVRF documents to decide how long they are supporting CVRF based on their customer usage/demand, etc. I believe that Feng was just trying to see what other current CVRF producers are planning to do.

 

From: Stefan Hagen <stefan@hagen.link>
Date: Wednesday, October 26, 2022 at 11:42 AM
To: Martin Prpič <mprpic@redhat.com>, Omar Santos (osantos) <osantos@cisco.com>
Cc: Feng Cao <feng.cao@oracle.com>, csaf@lists.oasis-open.org <csaf@lists.oasis-open.org>, Schmidt, Thomas <thomas.schmidt@bsi.bund.de>
Subject: Re: [csaf] what is the plan to phase out CVRF support?

Dear members,

looking at the "kavi" OASIS workspace of the CSAF TC I notice that this meeting (once scheduled for today) has been cancelled.

Would this topic then be discussed on November 16?

 

Best,

Stefan

 

On Wed, Oct 26, 2022, at 16:19, Martin Prpič wrote:

We (Red Hat) plan on publishing CVRF files until Sep 1, 2023. After this date all of the CVRF files will be available for download as a single file archive, and we will continually publish CSAF only.

 

-- 

Martin Prpič / Red Hat Product Security

 

 

Omar Santos (osantos) writes:

 

> Absolutely! I will add it to the agenda. To give you a quick response from Cisco. Cisco will continue to support CVRF until the end of 2023.

> Regards,

> Omar Santos

> Cisco PSIRT

> PGP: 3AF27EDC

> ________________________________

> Sent: Friday, October 21, 2022 2:24:25 PM

> Subject: [csaf] what is the plan to phase out CVRF support?

> Hi all,

> I'd like to have your input on your organization's plan to phase out CVRF support. We have received such requests from our customers.

> Ideally, we have the consistent plan from all the organizations.

> It can be an item for next week's meeting?

> Thanks,

> --Feng

 

 
