| Coming from a place of ignorance, why do we have Bundles? Let me explain by a slightly different wording:
A Bundle is a collection of arbitrary STIX Objects that do not have any relationship to each other, unless they do have a relationship with each other. However, if they do have a relationship with each other, we have SRO’s and Report objects to tie them together, which means you really should never bundle a collection of related STIX Objects together. Since there is a mechanism for collecting related STIX Objects together, one might be tempted to use a Bundle to collect a bunch of unrelated STIX Objects together. However, sometimes these objects are related, which means one cannot draw any conclusions that STIX Objects in a Bundle are not related.
In English: the only purpose of a Bundle is to confuse implementors and give the bad guys a chance to find holes in code that is more complicated than it needs to be.
Why do we have Bundles?
Alright sorry for the double e-mail, talked through this a bit on Slack with Mark, Bret, and Ivan. We wanted to address Allan’s comments with the fewest changes to the existing text possible given how many review cycles it’s been through. To that end, any objections to this? Ø A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and Objects are not considered related by virtue of being in the same Bundle. Short, sweet, and to the point. John I like removing the SHOULD normative statement and your last sentence. I would also be fine with Rich’s suggestion. Allan, do you think something like what Bret wrote would work for you? If so and if nobody else has objections we can take this off list and do some word-smithing. John What about this: "A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained in a Bundle are not related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related should use SROs and / or the Report object to do so." Bret
How about this then: Producers who wish to indicate that objects within the Bundle are related should use SROs or the Report object to do so. Hm, I took it out because it seemed to imply that the objects could only be related if they were in the same bundle. Being in the same bundle has nothing to do with whether objects are related and so IMO our language shouldn’t try to make those concepts overlap, even just as an example. Fine, but I think the “within the Bundle” clause (applying to both SROs and Report) is clearer: Producers who wish to indicate that objects are related should use SROs or the Report object within the Bundle to do so. With some slight changes that would work for me: A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects in contained with a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related should are encouraged to use SROs within the Bundle or the Report object to do so. Note that the should is intentionally non-normative. Here is some proposed text which use ideas from all suggestions: A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so. Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.” I think Allan's points are good. Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related?On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org> wrote: All, One of the other topics we talked about on the working call today was the normative text around Bundle. In RC3, the text (Part 1, Section 5) stated: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.” The suggestion from Allan is to modify that text to say: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.” Allan can elaborate but his thinking was that: - In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles. - In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST The counterpoints that I heard to changing it were: - We need to be as clear as possible, because people have gotten it wrong before. - Other normative statements aren’t testable, but it can still be worthwhile to put them in. The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle. Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative MUST? Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good! John
|