On Fri, Nov 11, 2022 at 4:43 PM Sam James <s...@gentoo.org> wrote: > > Oh I see, I'd missed the actual link to CSAF, sorry. > > I'll take a look. It's not clear to me yet if this is going to be a good > fit for distributions though, as we're not a normal "vendor". > > Are you aware of any other Linux distros using this? >
Red Hat has it in "beta": https://access.redhat.com/security/data, and has had the prior OASIS format (CVRF) for a time, which they (Red Hat) will be deprecating in 2023-01. There is also VEX, which is (I think, didn't read the detailed spec) a subset of CSAF.
