Hi Dick,

Thanks for welcoming our feedback. Clearly an important topic. I may have a different perspective on the topic, coming more from an SPDX than an NTIA perspective. Below are a few thoughts.

Gary

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Dick Brooks
Sent: Tuesday, March 7, 2023 1:09 PM
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

Just an FYI:

Both Willian and I work on the CISA ICT_SCRM Task Force SW Assurance Work Stream, which is developing guidance for Federal Procurement Officers with regard to OMB M-22-18 and EO 14028.

Today, I shared this information with the group, based on our discussions regarding Supplier semantics. This is a very important topic that we need to be consistent in referring to when discussing semantics of the software supply chain.

I welcome your feedback on what I sent to the Task Force earlier, shown here:

Today, the SPDX SBOM tech team had a very active discussion about the roles in a software supply chain. There are "at least" three distinctive roles:

[G.O.] The 3 roles are NTIA-defined roles. The way you phrase it here, it sounds like SPDX defined these roles. I would rephrase 'There are "at least" three distinctive roles' to 'The NTIA discusses at least 3 distinctive roles in the NTIA framing document'.

1. Supplier

Here is how the NTIA documents describe Supplier, which I agree with:

https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf

REF Page 9:

Supplier Name

The name of an entity that creates, defines, and identifies components.

Supplier refers to the originator or manufacturer of the software component.

No consensus was reached within the SPDX Tech community on the semantics of "Supplier".

[G.O.] I think there is consensus on the SPDX definition of an SPDX Supplier - I believe there is not consensus on the NTIA definition of Supplier within the specific SPDX meeting. I would remove this sentence or clarify that we are talking about NTIA supplier, not SPDX supplier.

REA agrees with the NTIA definition of Supplier and asserts that Suppliers produce SBOMs, which are provided to others, i.e. end users, vendors and distributors.

2. Vendor

No consensus was reached within the SPDX Tech community on the semantics of "Vendor".

[G.O.] Again - this is an NTIA term. Vendor is not a term used in SPDX. We only use supplier and originator. Same as above, I suggest either removing the sentence or clarifying that we are talking about NTIA "Vendor".

REA asserts that a vendor is the party that "transacts" in the purchase/sale of a software product to an end consumer. A vendor supplies a customer with a "Vendor Response File <https://energycentral.com/c/pip/advice-software-vendors-prepare-omb-m-22-18-requirements>". A Systems Integrator is considered a Vendor (not a supplier).

3. Distributor

No consensus was reached within the SPDX Tech community on the semantics of "Distributor".

[G.O.] Same comments.

REA asserts that a Distributor is the party that makes a software product available to others. GitHub is an example of a Distributor. The Apple Store is a distributor of software products.

As with many concepts in the software supply chain there are many gray areas. REA has gone on the record recommending that SPDX adopt the NTIA semantics for Supplier in the next release, v3.0:

"Supplier refers to the originator or manufacturer of the software component."

It's entirely feasible for a single legal entity to serve in all 3 roles. This occurs frequently with Microsoft products.

I welcome your thoughts and insights on these 3 roles.

I welcome your thoughts and insights. IMO, we will need to reach a consensus on the 3 roles identified above, and possibly more as we dig deeper.

[G.O.] After reading through the entire message, I would suggest reframing the discussion. SPDX currently defines 2 roles - a supplier and an originator. Both are clearly defined in the SPDX 2.X spec. The NTIA documentation discusses 3 roles. There is a mapping between the NTIA Supplier and the SPDX supplier, but there is some confusion on mapping Distributor and Vendor to the SPDX terms. We didn't discuss mapping SPDX originator, but that may also lead to confusion. I know Kate has put quite a bit of time into discussing this with the NTIA community, so I would suggest getting her feedback before sending this on to the other work group(s).

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report! <https://reliableenergyanalytics.com/products>

http://www.reliableenergyanalytics.com

Email: d...@reliableenergyanalytics.com

Tel: +1 978-696-1788
View/Reply Online (#5015): https://lists.spdx.org/g/Spdx-tech/message/5015