OpenEoX / openeox

This project aims to standardize the representation and management of EOL and EOS product information across the industry.
https://openeox.org/
MIT License

Clarify some terms #1

Open tschmidtb51 opened 1 year ago

tschmidtb51 commented 1 year ago

Hi @santosomar, thank you for getting us started on that important topic.

I feel there are a few things that need to be clarified:

  1. Who assigns / How is the supplierID assigned?
  2. When you say supplier: Do you think of the source where you got that from or the developer(s) (project)? (E.g. I might get an open source software A from a service provider B that guarantees software updates / vulnerability fixes for 5 years. Who do I put into supplier? A or B?)
  3. When you define a productId: Is that a globally valid productId or is it document-local? Who assigns that?

santosomar commented 1 year ago

Thank you so much for your input and contributions, @tschmidtb51 ! These are extremely relevant questions. We can track and address them in separate issues. I see that you already started doing some of that earlier.

  1. Who assigns / How is the supplierID assigned? SupplierID assignment: The supplierID can be assigned by a central authority or registry responsible for maintaining a unique identifier for each supplier in the industry. Alternatively, it can be generated using a specific algorithm or process that ensures uniqueness and avoids conflicts. However, this is something that we will need to discuss in the industry, once we take the next steps and work with other industry peers soon.

  2. Who is a supplier? Regarding the supplier: In the case you mentioned, the supplier can be considered as the service provider (B) who guarantees software updates and vulnerability fixes for the open-source software (A) for a specified duration. This is because the service provider (B) is the entity responsible for the support and maintenance of the software in this context. However, it's essential to document both the original developer (A) and the service provider (B) in the EOL and EOS information to ensure complete transparency.

  3. Defining the productId: The productId should ideally be globally unique to ensure consistency and avoid confusion across different documents or systems. The assignment of productIds can be managed by a central authority, similar to the supplierID, or follow a standardized naming convention established by the industry. By ensuring a globally unique productId, it becomes easier to track and manage EOL and EOS information for products across various sources and platforms. Getting consensus on this central authority will be one of the most challenging parts of all this. However, we can start the conversation with other industry leaders, CISA, and other participants.

santosomar commented 1 year ago

I am creating separate issues for these.