oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Extend definition of product to encompass open source projects. #248

Closed kestewart closed 3 years ago

kestewart commented 3 years ago

Please make it explicit in the prose and definition, the expectation that open source projects that create releases can consider themselves as products for purposes of this specification.

sthagen commented 3 years ago

The TC will for sure consider, but some early feedback from my side:

CSAF aligned from the start with ISO 29147 (Information technology — Security techniques — Vulnerability disclosure) terms as stated in the OASIS standard.

Also the "The CERT® Guide to Coordinated Vulnerability Disclosure", Allen D. Householder, Garret Wassermann, Art Manion, and Chris King, August 2017, SPECIAL REPORT CMU/SEI-2017-SR-022 states:

Vendor – the individual or organization that created or maintains the product that is vulnerable

To me, a vendor has nothing to do with money. There may be a price, sure. But who cares, if it is zero in whatever currency or one million - liabilities are often completely unrelated to the price.

The focus (in my understanding) of the vendor role is creation and maintenance - we name this a vendor and everyone is welcome to look up synonyms (and antonyms).

The problem of our sharing communities is in my experience less to name the roles such that people can thoughtlessly identify with them, but more that of those role bearers to talk the walk and walk the talk.

tschmidtb51 commented 3 years ago

I think there are 2 options the TC should consider:

  1. Add open source project explicitly to the definition of the category product_name in /definitions/branches_t/category:

    The value product_name indicates the name of the product or open source project.

  2. Add a definition to the terminology:

    Product: is any deliverable (e.g. software, hardware, specification, ...) which can be referred to with a name. This also includes open source.

Thoughts?

sthagen commented 3 years ago

I would support simultaneously using both a modified option 1:

  1. Add open source project explicitly to the definition of the category product_name in /definitions/branches_t/category:

    The value product_name indicates the name of the product or project.

and an option 2 like this:

  2. Add a definition to the terminology:

    Product: is any deliverable (e.g. software, hardware, specification, ...) which can be referred to with a name. This applies regardless of the origin, the license model, or the mode of distribution of the deliverable.

To be clear: I would add both if people think it might help some readers.
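What option 1 looks like in an actual document, as an added example that is not part of this thread and not code from the CSAF TC's own artifacts: a product_tree in which an open source project sits in the vendor and product_name branches exactly like a commercial product would, walked by a small Python helper that resolves each product_id to the product_name branch above it and checks the tree against the branch categories enumerated in /definitions/branches_t/category of the CSAF 2.0 schema. The project name, version numbers and product ids are constructed for illustration.

```python
from collections import Counter

# Branch categories enumerated by /definitions/branches_t/category in the
# CSAF 2.0 JSON schema. Nothing in this set depends on whether the named
# thing is sold, given away or developed in the open.
BRANCH_CATEGORIES = {
    "architecture", "host_name", "language", "legacy", "patch_level",
    "product_family", "product_name", "product_version",
    "product_version_range", "service_pack", "specification", "vendor",
}

# Constructed sample (names and ids made up): an open source project acts as
# its own vendor, its library is the product_name, releases are versions.
SAMPLE_PRODUCT_TREE = {
    "branches": [
        {
            "category": "vendor",
            "name": "Example Open Source Project",
            "branches": [
                {
                    "category": "product_name",
                    "name": "examplelib",
                    "branches": [
                        {
                            "category": "product_version",
                            "name": "1.4.1",
                            "product": {
                                "product_id": "CSAFPID-0001",
                                "name": "Example Open Source Project examplelib 1.4.1",
                            },
                        },
                        {
                            "category": "product_version",
                            "name": "1.4.2",
                            "product": {
                                "product_id": "CSAFPID-0002",
                                "name": "Example Open Source Project examplelib 1.4.2",
                            },
                        },
                    ],
                }
            ],
        }
    ]
}


def walk_branches(branches, path=()):
    """Depth-first walk over a branches_t array.

    Yields (path, branch) for every branch, where path is the tuple of
    (category, name) pairs from the root down to and including the branch.
    """
    for branch in branches:
        here = path + ((branch["category"], branch["name"]),)
        yield here, branch
        yield from walk_branches(branch.get("branches", []), here)


def product_names(product_tree):
    """Map each product_id to the innermost product_name branch above it.

    A product with no product_name ancestor maps to None; that is legal in
    the schema but usually a sign the tree was modelled carelessly.
    """
    out = {}
    for path, branch in walk_branches(product_tree.get("branches", [])):
        if "product" not in branch:
            continue
        names = [name for category, name in path if category == "product_name"]
        out[branch["product"]["product_id"]] = names[-1] if names else None
    return out


def validate_product_tree(product_tree):
    """Return a list of problems found in the tree (empty list means clean).

    Checked: every category is one the schema enumerates (so an invented
    category such as "open_source_project" is rejected), and no product_id
    is defined twice (CSAF requires product ids to be unique per document).
    """
    problems = []
    seen = Counter()
    for path, branch in walk_branches(product_tree.get("branches", [])):
        category, name = path[-1]
        if category not in BRANCH_CATEGORIES:
            problems.append(f"unknown branch category {category!r} on {name!r}")
        if "product" in branch:
            seen[branch["product"]["product_id"]] += 1
    problems.extend(
        f"product_id {pid!r} defined {count} times"
        for pid, count in seen.items() if count > 1
    )
    return problems


if __name__ == "__main__":
    print(product_names(SAMPLE_PRODUCT_TREE))
    print(validate_product_tree(SAMPLE_PRODUCT_TREE) or "product_tree is clean")
```

The point the walk makes concrete is the one sthagen argues in prose: the schema never asks who owns the product or what it costs, it only asks for a vendor branch, a product_name branch and a product_id, so an open source project fits the existing structure without any new category.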

santosomar commented 3 years ago

This issue was discussed during the CSAF TC Monthly meeting on May 26th, 2021. The changes suggested were approved.