Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Steward #855

Open
Pizza-Ria opened this issue Aug 14, 2024 · 1 comment
Open

Steward #855

Pizza-Ria opened this issue Aug 14, 2024 · 1 comment
Labels
Profile:AI Artificial Intelligence Profile and related matters Profile:Security Security Profile and related matters
Milestone

Comments

@Pizza-Ria
Copy link

Pizza-Ria commented Aug 14, 2024

This is a suggestion to add a field in the specification to indicate if there is a steward (see, EU-CRA - Article 24 and https://linuxfoundation.eu/cyber-resilience-act for context) for the project. Ultimately, collection of this field (especially for automted scanners) may depend on an ecosystem adoption of a steward.md file within a repo so this field can be easily identified. Further noting that this is different from the concept of a "license steward" used with the SPDX-IDs for licenses.

P.S. Since the concept of a package steward is tied to security concerns, it may fit best within the https://spdx.github.io/spdx-spec/v3.0/model/Security/Security/ section of the spec.

P.P.S. There is a parallel issue filed with CycloneDX at CycloneDX/specification#503.

Thank you!

@zvr
Copy link
Member

zvr commented Aug 14, 2024

Thanks for this, @Pizza-Ria .

If it's not an intrinsic property of a package, the correct way to implement this would be a new RelationshipType, so we could express a relationship:

Package-Foo   HAS_STEWART  Agent-X

(or conversely, Agent-X IS-STEWART-OF Package-Foo, but I think the former approach is better.

@goneall goneall added this to the 3.1 milestone Aug 14, 2024
@kestewart kestewart added Profile:AI Artificial Intelligence Profile and related matters Profile:Security Security Profile and related matters labels Aug 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Profile:AI Artificial Intelligence Profile and related matters Profile:Security Security Profile and related matters
Projects
None yet
Development

No branches or pull requests

4 participants