Closed OR13 closed 1 year ago
@OR13, is this a draft?
@SteveLasker
This is ancient... I requested the ability to create software artifact examples; my intention was to just start a collection, so we have named examples to point to when discussing specific artifact types.
@OR13, so, do you want to merge, or is this old and now outdated? Just looking for what action to take (LGTM or ?)
Steve, I wish to contribute the artifacts I plan to demonstrate during the SCITT Hackathon: https://github.com/rjb4standards/SCITT-MVP-USeCases (SBOM, VDR and a Vendor Response File for OMB M-22-18). FYI, these are actual production artifacts from REA's SAG-PM V1.2 product distribution.
Thanks, @rjb4standards,
Could you open a PR or Issue to track separately from here?
Would these be examples of evidence submitted to a SCITT ledger? It would be great to get a narrative, or are you suggesting these could be the types of evidence documents we could submit as part of: https://github.com/ietf-scitt/scitt-web/blob/a604c8630217c43ec49dac461d2f75b66ae9d7d3/what-is-supply-chain.md
In my view, a notary would examine these artifacts and the associated digital signatures of these artifacts and then insert a "trust declaration" claim into a SCITT Registry to indicate the combination of the artifact and digital signature are trustworthy. I'll describe in more detail in an issue.
Steve, I've created an Issue to track this concept: https://github.com/ietf-scitt/use-cases/issues/26
Closing this PR, moving the content to the web repo, where I can merge.
Can I have editor rights on this repo? I would love to be able to refine the software artifacts zoo :)