See comments below. Please note, I'm not firmly in opposition to the idea. Just contributing my viewpoint on it.
On Wed, May 26, 2021 at 2:37 AM Eliot Lear <l...@lear.ch> wrote:

> On 25.05.21 15:51, Patrick Dwyer wrote:
> > Hi Eliot,
> >
> > A well-known URI is just one way of enabling delivery of an SBOM.
>
> YYyyyes... but did you mean CSAF above?

No, I meant SBOM. It was context for the following comment.

> > Because of this, I think suppliers will need to include the CSAF
> > location in the SBOM itself.
>
> That would tightly bind the CSAF to the SBOM, and I don't think they are
> tightly bound. That is, one could release a CSAF without an SBOM (as is
> pretty much done today).

True, although I wouldn't expect a CSAF reference in isolation in this case.

> > I also think this is one of those things that crosses a logical
> > boundary that is no longer about discovering and accessing an SBOM.
>
> That is true. But not a huge stretch.

It's not a huge stretch. But this is also tied to a particular format for this type of information. Personally I think CSAF is *the* format to use. But that might not be the case in some particular industries and countries.

> Eliot
_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg