ietf-scitt / use-cases

SCITT Use Cases
Creative Commons Zero v1.0 Universal

Create software_artifact_examples.md #17

Closed OR13 closed 1 year ago

OR13 commented 1 year ago

Can I have editor rights on this repo? I would love to be able to refine the software artifacts zoo :)

SteveLasker commented 1 year ago

@OR13, is this a draft?

OR13 commented 1 year ago

@SteveLasker

This is ancient... I requested the ability to create software artifacts examples; my intention was to just start a collection, so we have named examples to point to when discussing specific artifact types.

SteveLasker commented 1 year ago

@OR13, so, do you want to merge, or is this old and now outdated? Just looking for what action to take (LGTM or ?)

rjb4standards commented 1 year ago

Steve, I wish to contribute the artifacts I plan to demonstrate during the SCITT Hackathon: https://github.com/rjb4standards/SCITT-MVP-USeCases (SBOM, VDR and a Vendor Response File for OMB M-22-18). FYI, these are actual production artifacts from REA's SAG-PM V1.2 product distribution.

SteveLasker commented 1 year ago

Thanks, @rjb4standards. Could you open a PR or Issue to track separately from here?
Would these be examples of evidence submitted to a SCITT ledger? It would be great to get a narrative, or are you suggesting these could be the types of evidence documents we could submit as part of: https://github.com/ietf-scitt/scitt-web/blob/a604c8630217c43ec49dac461d2f75b66ae9d7d3/what-is-supply-chain.md

rjb4standards commented 1 year ago

In my view, a notary would examine these artifacts and the associated digital signatures of these artifacts and then insert a "trust declaration" claim into a SCITT Registry to indicate the combination of the artifact and digital signature is trustworthy. I'll describe in more detail in an issue.

rjb4standards commented 1 year ago

Steve, I've created an Issue to track this concept: https://github.com/ietf-scitt/use-cases/issues/26

OR13 commented 1 year ago

Closing this PR, moving the content to the web repo, where I can merge.