oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Terms legacy, end-of-life, and end-of-support #363

Open sthagen opened 3 years ago

sthagen commented 3 years ago

The following comment was received during the public review phase from @sparrell at https://lists.oasis-open.org/archives/csaf/202109/msg00000.html

I’m passing on comments made at an NTIA SBOM meeting yesterday. These comments are my own and are not intended to represent the views of others (they should submit themselves), but my views were informed by the discussion. The topic being discussed was using CSAF for VEX to report beyond-end-of-life and beyond-end-of-support for components in a product that was itself not beyond-end-of-life nor beyond-end-of-support. Our understanding was that this was doable using CSAF but several observations were made that might be improved in CSAF.

  1. The word “legacy” is used to indicate “end of life” in branches category in section 3.1.2.2. There was some concern on use of the word “legacy”. Since it was being used synonymously with “end of life”, I suggest using “end of life” instead.
  2. Some medical industry representatives made a distinction between “end of life” and “end of support”. They emphasized it was due to regulators making that distinction (I am not an expert so am just passing on based on my understanding of what was said). Given at least some use cases distinguish between “end of life” and “end of support”, I suggest adding another branch category called “end of support”.

Neither comment is one that I would fall on my sword over. Just passing along for consideration in this or future versions.

santosomar commented 3 years ago

Thank you for the feedback and input. During the TC monthly meeting on Sep 29, 2021, the OASIS Common Security Advisory Framework (CSAF) TC has reviewed your feedback and has voted not to make any changes at this time in CSAF 2.0. However, this is a great suggestion that will be considered in a future version of CSAF. This issue will remain open to be tracked on the development of the next CSAF version.

tschmidtb51 commented 2 years ago

@sparrell: We have a suggestion available through #457. The related ticket is #386. Please review.