OpenChain-Project / Telco-WG

This is the OpenChain Telco Work Group

[Question] The reasons for selecting SPDX #50

Closed MasahiroDAIKOKU closed 1 year ago

MasahiroDAIKOKU commented 1 year ago

Question

Chapter 2, "Data Format," introduces three data formats: SPDX, CycloneDX, and SWID. Section 3.3 "Data Format" states that "A Telco SBOM shall adhere to the version 2.2 of the SPDX Data Format". I think it would be better to describe in this document why SPDX was chosen as the data format for the Telco SBOM. The statement in section 3.3.2 is a statement of the reasons why an SBOM is useful in the telecommunications supply chain, and not a statement of the specific reasons for selecting SPDX. I think it would be more useful for the telecommunications supply chain to describe in detail why SPDX was selected as the SBOM data format for telcos. It would also make it easier to explain to software suppliers when they request SBOMs in the SPDX data format. We also expect that following this specification may increase the selection and adoption of SPDX in the telecommunications supply chain. We would appreciate your comments.

shanecoughlan commented 1 year ago

@vargenau passing to you as Chair. Also added @Jimmy-ahlberg for reference.

vargenau commented 1 year ago

Hi @MasahiroDAIKOKU

Thank you for your comments.

Yes, there are 3 major formats for SBOMs: SPDX, CycloneDX, and SWID. These 3 formats are the ones recommended by the NTIA document "The Minimum Elements For a Software Bill of Materials (SBOM)" that is in the References section of the OpenChain Telco SBOM specification.

The reasons for selecting SPDX include the following:

Does that answer your question?

MasahiroDAIKOKU commented 1 year ago

Hi @vargenau

Thank you very much for your kind response; it helps us to understand the reasons why SPDX was selected for the Telco SBOM. As one of the telecommunication carriers, we also strongly expect that SPDX will be smoothly and quickly introduced into the software supply chain of the telecom industry as an SBOM data format without any disruption.

The following question will be raised as an issue of "Improvement Suggestion." If you would prefer to make a new separate issue, we would be happy to receive your comments. We propose to add the four points raised in your response to section 3.3.2 in order to make it easier for readers to understand the reason why SPDX was selected for the Telco SBOM.

We would appreciate your comments.

MasahiroDAIKOKU commented 1 year ago

The following will also be raised as another issue of "Improvement Suggestion." If you would prefer to open a new separate issue, we would be happy to receive your comments.

I propose that the title of section 3.4 be changed as follows:

3.4 SPDX Elements to be included in the SBOM
3.4 SPDX Elements to be included in the Telco SBOM

vargenau commented 1 year ago

Hi Masa-san,

Thank you for your suggestion.

I have updated the document accordingly. https://github.com/OpenChain-Project/Telco-WG/pull/54

Best regards,

Marc-Etienne

vargenau commented 1 year ago

Hi Masa-san,

I will include the rationale in section 3.3.2 as you suggest.

Best regards,

Marc-Etienne

MasahiroDAIKOKU commented 1 year ago

Hi Marc-Etienne, @vargenau

Thank you very much for your reply.

Regarding the four points raised in your previous response, thank you for considering adding them to section 3.3.2. Regarding the title of section 3.4, I confirm that the latest documentation has already been revised.

Best regards,

Masa

MasahiroDAIKOKU commented 1 year ago

The following will also be raised as another issue of "Improvement Suggestion." If you would prefer to open a new separate issue, we would be happy to receive your comments.

Chapter 3, 'Requirements', has section numbers beginning with '3.3'. If there is no special reason, it might be better to start with section number '3.1'.

vargenau commented 1 year ago

> The following will also be raised as another issue of "Improvement Suggestion." If you would prefer to open a new separate issue, we would be happy to receive your comments.
>
> Chapter 3, 'Requirements', has section numbers beginning with '3.3'. If there is no special reason, it might be better to start with section number '3.1'.

This was of course incorrect. I have fixed it. It is a pity that Markdown has no automatic header numbering.