>> Expose your ideas to plenty of security experts and actively invite a 
>> constructive type of bashing.

IMO, there's a big difference between honest/open technical debate and bashing. 
Honest/open technical debate leads to consensus solutions (and running code) - 
bashing is divisive and intended to cause harm.

IMHO, the podcast is an example of bashing, and not representative of an 
open/honest technical discussion, but we each must decide for ourselves. 

I've also made my opinion known to Dale Peterson, the host.
https://www.linkedin.com/feed/update/urn:li:activity:6897264598605545472/?commentUrn=urn%3Ali%3Acomment%3A(activity%3A6897264598605545472%2C6897295042223177728)

My hope is that members of the defects initiative will adopt a professional, 
respectful, collaborative and collegial technical debate to address the open 
issues that were identified during the DocFest. 

Every proposed solution for V 2.3 should stand "under the arch" and microscope. 

Thanks,

Dick Brooks

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: d...@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: Henk Birkholz <henk.birkh...@sit.fraunhofer.de> 
Sent: Wednesday, February 9, 2022 5:57 PM
To: spdx-defe...@lists.spdx.org; spdx-tech@lists.spdx.org; 'Kate Stewart' 
<kstew...@linuxfoundation.org>; 'Gary O'Neall' <g...@sourceauditor.com>; Dick 
Brooks <d...@reliableenergyanalytics.com>
Subject: Re: [spdx-defects] SPDX Defects (Vulnerabilities) Profile call

Dear list members,

TL;DR Expose your ideas to plenty of security experts and actively invite a 
constructive type of bashing.


As the defects list is a relatively new list, please allow me to start 
by introducing a cautious observation to the mix. I have to highlight 
that I am voicing my personal *subjective perception* from my point of 
view, which I definitely do *not* consider to be hard *facts*:

From my point of view, the amount of unwarranted bashing and what 
sometimes can even appear as - I am applying the next word with great 
care - "gaslighting" seems to be continuously increasing. Analogously, 
blog posts, tweets, podcasts, and magazine articles appear to become 
increasingly popular channels to advertise certain approaches and 
solutions as "superior".

Unfortunately, what I subjectively highlight and name here as 
advertising and unwarranted bashing via these channels has the potential 
to drown out established approaches or solutions and worse - standards 
developed and reviewed by large amounts of various domain experts over 
years. Even more unfortunately, the increasingly popular channels used 
to float such statements can be out-of-band for whole peer groups of 
experts, which potentially renders them completely oblivious to these 
activities at times when they are actually needed the most.

Sometimes, an expert takes note of a bad case of gaslighting (and I 
recommend taking the time to quickly digest the email linked below - 
the context becomes apparent via the references listed at the bottom of it):

> https://mailarchive.ietf.org/arch/msg/cose/8ywbcUy-YQZUh0JF4W5Tto1dCvg/

Before that individually perceived background (and that cherry-picked 
example), my careful recommendation would be to pro-actively reach out 
to established bodies that include well-known groups of experts in 
regular intervals and invite bashing - of the constructive kind.

Personally I think, if bashing takes on the form of deliberately invited 
and constructive criticism, that is very beneficial when trying to 
create solutions that are literally in support of "the nation's 
cybersecurity". I would actually be worried, if corresponding proposals 
are not "bashed" (by a critical mass of security experts).


Best regards,

Henk



On 09.02.22 22:13, Dick Brooks wrote:
> Dale Peterson interview.
> 
> FYI: There’s no shortage of SPDX bashing out there claiming SPDX doesn’t 
> support vulnerability reporting.
> 
> https://unsolicitedresponse.libsyn.com/tom-alrich-on-all-things-sbom
> 
> Listen around the 8 minute mark.
> 
> These are the words of the NTIA Energy POC leader. Clearly biased.
> 
> SPDX V 2.3 will shut down these boisterous claims from those that bash 
> SPDX.
> 
> Thanks,
> 
> Dick Brooks
> 
> *Never trust software, always verify and report!* ™ 
> <https://reliableenergyanalytics.com/products>
> 
> http://www.reliableenergyanalytics.com
> 
> Email: d...@reliableenergyanalytics.com
> 
> Tel: +1 978-696-1788
> 
> *From:* spdx-defe...@lists.spdx.org <spdx-defe...@lists.spdx.org> *On 
> Behalf Of* Thomas Steenbergen
> *Sent:* Tuesday, February 8, 2022 8:10 PM
> *To:* Thomas Steenbergen <opensou...@steenbe.nl>; 
> spdx-defe...@lists.spdx.org; spdx-tech@lists.spdx.org
> *Subject:* Re: [spdx-defects] SPDX Defects (Vulnerabilities) Profile call
> 
> Hi everyone,
> 
> Based on people submitting their availability to the doodle poll 
> <https://doodle.com/poll/9752zbs29fn6ch77?utm_source=poll&utm_medium=link> 
> the best time to meet for weekly SPDX Defects meeting is on Wednesday at:
> 
>   * 8 - 9 PM CET (Amsterdam / Paris)
>   * 1 - 2 PM CST (Chicago)
>   * 2 - 3 PM EST (New York)
>   * 1 AM - 12 PM PST (San Francisco)
>   * 4 AM - 5 AM  JST (Seoul / Tokyo)
> 
> I will shortly send out a re-occurring meeting invite to everyone on 
> the spdx-defects <https://lists.spdx.org/g/spdx-defects> mailing list - 
> our next meeting will be on February 16th.
> 
> 
> One of the first agenda topics will be to discuss making it possible to 
> link to security vulnerability information in SPDX 2.3 to offer a 
> solution until SPDX 3.0 is ready.
> 
> Regards,
> 
> Thomas
> 
> ------------------------------------------------------------------------
> 
> *From:* Thomas Steenbergen on behalf of Thomas Steenbergen 
> <opensou...@steenbe.nl>
> *Sent:* Tuesday, January 25, 2022 6:49 PM
> *To:* spdx-defe...@lists.spdx.org; spdx-tech@lists.spdx.org
> *Cc:* opensou...@steenbe.nl
> *Subject:* SPDX Defects (Vulnerabilities) Profile call
> 
> Hi all,
> 
> I would like to start a new weekly meeting series to continue the work 
> on the SPDX Defects profile - the new profile in SPDX 3.0 to exchange 
> defects information including security vulnerabilities.
> 
> If you are interested in participating in this profile, please join the 
> spdx-defects mailing list <https://lists.spdx.org/g/spdx-defects> and 
> fill in the below linked doodle so I can learn which day of the week and 
> time works best for everyone to schedule the weekly call.
> 
> https://doodle.com/poll/9752zbs29fn6ch77?utm_source=poll&utm_medium=link
> 
> Regards,
> 
> Thomas
> 
> 
