Hi Dick,
Thanks for welcoming our feedback. Clearly an important topic. I may have a different perspective on the topic coming more from an SPDX than an NTIA perspective. Below are a few thoughts.

Gary

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Dick Brooks
Sent: Tuesday, March 7, 2023 1:09 PM
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

Just an FYI: Both Willian and I work on the CISA ICT_SCRM Task Force SW Assurance Work Stream, which is developing guidance for Federal Procurement Officers with regard to OMB M-22-18 and EO 14028. Today, I shared this information with the group, based on our discussions regarding Supplier semantics. This is a very important topic that we need to be consistent in referring to when discussing semantics of the software supply chain. I welcome your feedback on what I sent to the Task Force earlier, shown here:

Today, the SPDX SBOM tech team had a very active discussion about the roles in a software supply chain. There are "at least" three distinctive roles:

[G.O.] The 3 roles are NTIA defined roles. The way you phrase it here, it sounds like SPDX defined these roles. I would rephrase 'There are "at least" three distinctive roles' to 'The NTIA discusses at least 3 distinctive roles in the NTIA framing document'.

1. Supplier

Here is how the NTIA documents describe Supplier, which I agree with: https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf REF Page 9:

Supplier Name: The name of an entity that creates, defines, and identifies components. Supplier refers to the originator or manufacturer of the software component.

No consensus was reached within the SPDX Tech community on the semantics of "Supplier".

[G.O.] I think there is consensus on the SPDX definition of an SPDX Supplier - I believe there is not consensus on the NTIA definition of Supplier within the specific SPDX meeting. I would remove this sentence or clarify that we are talking about NTIA supplier, not SPDX supplier.

REA agrees with the NTIA definition of Supplier and asserts that Suppliers produce SBOMs, which are provided to others, i.e. end users, vendors and distributors.

2. Vendor

No consensus was reached within the SPDX Tech community on the semantics of "Vendor".

[G.O.] Again - this is an NTIA term. Vendor is not a term used in SPDX. We only use supplier and originator. Same as above, suggest either removing the sentence or clarifying that we are talking about NTIA "Vendor".

REA asserts that a vendor is the party that "transacts" in the purchase/sale of a software product to an end consumer. A vendor supplies a customer with a "Vendor Response File" <https://energycentral.com/c/pip/advice-software-vendors-prepare-omb-m-22-18-requirements>. A Systems Integrator is considered a Vendor (not a supplier).

3. Distributor

No consensus was reached within the SPDX Tech community on the semantics of "Distributor".

[G.O.] Same comments.

REA asserts that a Distributor is the party that makes a software product available to others. GitHub is an example of a Distributor. The Apple Store is a distributor of software products.

As with many concepts in the software supply chain there are many gray areas. REA has gone on the record recommending that SPDX adopt the NTIA semantics for Supplier in the next release, v 3.0: "Supplier refers to the originator or manufacturer of the software component." It's entirely feasible for a single legal entity to serve in all 3 roles. This occurs frequently with Microsoft products.

I welcome your thoughts and insights on these 3 roles.

I welcome your thoughts and insights. IMO, we will need to reach a consensus on the 3 roles identified above, and possibly more as we dig deeper.

[G.O.] After reading through the entire message, I would suggest reframing the discussion. SPDX currently defines 2 roles - a supplier and originator. Both are clearly defined in the SPDX 2.X spec. The NTIA documentation discusses 3 roles. There is a mapping between the NTIA Supplier and the SPDX supplier, but there is some confusion on mapping Distributor and Vendor to the SPDX terms. We didn't discuss mapping SPDX originator, but that may also lead to confusion. I know Kate has put quite a bit of time into discussing this with the NTIA community, so I would suggest getting her feedback before sending this on to the other work group(s).

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report! <https://reliableenergyanalytics.com/products>
http://www.reliableenergyanalytics.com
Email: d...@reliableenergyanalytics.com
Tel: +1 978-696-1788

View/Reply Online (#5015): https://lists.spdx.org/g/Spdx-tech/message/5015
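An added example, not from this thread or from the SPDX project: a small Python parser for the two SPDX 2.x tag-value fields Gary refers to, PackageSupplier and PackageOriginator (actor syntax "Person: name (email)" / "Organization: name (email)" / NOASSERTION), that reports for each package whether the asserted supplier is also the originator, i.e. the NTIA "originator or manufacturer". The SBOM text and helper names are constructed for this example.

```python
# Added example (not from the thread): parse the SPDX 2.x tag-value
# PackageSupplier / PackageOriginator fields and classify each package.
# SAMPLE_SBOM is constructed for this example; field syntax follows SPDX 2.3.
import re
SAMPLE_SBOM = """\
PackageName: widget-lib
PackageSupplier: Organization: Example Vendor Inc.
PackageOriginator: Organization: Upstream Project Foundation
PackageName: all-in-one-app
PackageSupplier: Organization: Example Corp
PackageOriginator: Organization: Example Corp
PackageName: mystery-blob
PackageSupplier: NOASSERTION
"""
# SPDX actor syntax: "Person: name (email)" or "Organization: name (email)"
ACTOR_RE = re.compile(r"^(Person|Organization):\s*(.+?)(?:\s*\(([^)]*)\))?$")

def parse_actor(value):
    """Return (kind, name, email), or None when the field is NOASSERTION."""
    value = value.strip()
    if value == "NOASSERTION":
        return None
    m = ACTOR_RE.match(value)
    if not m:
        raise ValueError(f"malformed SPDX actor: {value!r}")
    return (m.group(1), m.group(2).strip(), m.group(3) or "")

def parse_packages(text):
    """Collect supplier and originator per package from a tag-value document."""
    packages, current = [], None
    for line in text.splitlines():
        tag, _, value = line.partition(":")  # lines without ':' never match a tag
        if tag == "PackageName":
            current = {"name": value.strip(), "supplier": None, "originator": None}
            packages.append(current)
        elif tag == "PackageSupplier" and current is not None:
            current["supplier"] = parse_actor(value)
        elif tag == "PackageOriginator" and current is not None:
            current["originator"] = parse_actor(value)
    return packages

def classify(pkg):
    """Is the SPDX supplier also the originator (NTIA 'originator or manufacturer')?"""
    s, o = pkg["supplier"], pkg["originator"]
    if s is None:
        return "no supplier asserted"
    # no originator field: SPDX 2.x uses this when the origin equals the supplier
    if o is None or s[:2] == o[:2]:
        return "supplier is the originator"
    return "supplier differs from originator"
```

Packages classified as "no supplier asserted" are the ones that fail the NTIA minimum-element check for Supplier Name regardless of how the vendor/distributor question is settled.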