oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Clarify aggregator requirements #513

Closed tschmidtb51 closed 2 years ago

tschmidtb51 commented 2 years ago

Situation

Currently section 7.2.5 reads:

A distributing party satisfies the "CSAF aggregator" role if the party:

  • satisfies the requirements 21 to 23 in section 7.1.
  • uses the value aggregator for /aggregator/category.
  • lists a mirror for at least two disjoint issuing parties pointing to a domain under its own control.
  • links the public part of the OpenPGP key used to sign CSAF documents for each mirrored issuing party in the corresponding provider-metadata.json.
  • provides for each CSAF document that is mirrored a signature (requirement 19) and a hash (requirement 18). Both SHALL be listed in the ROLIE feed. If the issuing party provides those files for a CSAF document, they SHOULD be copied as well. If the issuing party does not provide those files, they SHALL be created by the CSAF aggregator. Such a signature does not imply any liability of CSAF aggregator for the content of the corresponding CSAF document. It just confirms that the CSAF document provided has not been modified after being downloaded from the issuing party. A CSAF aggregator MAY add additional signatures and hashes for a CSAF document.

There are additional comments in section 7.2 and 7.2.5 about the purpose of CSAF aggregators:

[...] The second group consists of the roles "CSAF lister" and "CSAF aggregator". They collect data from the aforementioned issuing parties of the first group and provide them in a single place to aid in automation. [...]

The purpose of this role is to provide a single point where CSAF documents can be retrieved. [...] None of them is required to mirror all CSAF documents of all issuing parties. CSAF aggregators can be provided for free or as a paid service. To aid in automation, CSAF aggregators MAY mirror CSAF documents from CSAF publishers. Regarding the terms of use they SHOULD consult with the issuing party.

As they should support automation, they have to fulfill the basic requirements (1-6) that apply for CSAF providers and even for "normal" CSAF publishers (1-4).

Proposal

Clarify that aggregators also have to satisfy requirements 1-6 from section 7.1. It is already implemented that way in the reference implementation. As this is the only way the role makes sense and it was already implied, I deem the change non-material.
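The quoted section 7.2.5 text above spells out what an aggregator must do per mirrored document: keep the issuing party's hash and signature files when they exist, create them when they do not, and list both in the ROLIE feed. The following is an added example (not code from the CSAF repository or its reference implementation) of the hash half of that workflow in Python: it verifies an upstream hash against the downloaded bytes before copying it, creates a hash file when the issuing party supplied none, and builds the corresponding ROLIE entry. The hash file layout (`<hex digest>  <filename>`), the `.sha256`/`.sha512`/`.asc` file name suffixes, and the `hash`/`signature` link relations are assumptions based on common CSAF deployments, not quotations from the specification; the sample document and URLs are constructed for the example.

```python
import hashlib
import json
from typing import Iterable, Optional, Tuple

# Constructed sample "CSAF document" (minimal JSON, not a real advisory).
SAMPLE_CSAF = json.dumps(
    {"document": {"title": "Example advisory", "tracking": {"id": "EXAMPLE-0001"}}},
    indent=2,
).encode()


def compute_hash_line(data: bytes, filename: str, algo: str = "sha256") -> str:
    """Build the content of a hash file for `data`.

    Layout assumed here: "<hex digest>  <filename>\\n", i.e. what sha256sum
    or sha512sum emit, so the file can be checked with `sha256sum -c`.
    """
    digest = hashlib.new(algo, data).hexdigest()
    return f"{digest}  {filename}\n"


def verify_hash_file(data: bytes, hash_text: str, algo: str = "sha256") -> bool:
    """Return True if the first token of `hash_text` is the digest of `data`."""
    parts = hash_text.split()
    if not parts:
        return False
    return parts[0].lower() == hashlib.new(algo, data).hexdigest()


def mirror_hash(
    data: bytes, filename: str, upstream_hash: Optional[str], algo: str = "sha256"
) -> Tuple[str, str]:
    """Decide what the aggregator stores as the hash file for a mirrored document.

    - If the issuing party provided a hash file, it is copied (SHOULD), but only
      after it is checked against the bytes actually downloaded: a mismatch means
      the document or the hash changed between publication and mirroring, and
      the aggregator must not publish a hash that vouches for modified content.
    - If no upstream hash exists, the aggregator creates one (SHALL).
    Returns (hash_file_text, origin) with origin in {"copied", "created"}.
    """
    if upstream_hash is not None:
        if not verify_hash_file(data, upstream_hash, algo):
            raise ValueError(f"upstream {algo} hash does not match downloaded {filename}")
        return upstream_hash, "copied"
    return compute_hash_line(data, filename, algo), "created"


def rolie_entry(filename: str, base_url: str, hash_algos: Iterable[str]) -> dict:
    """Build the link list of a ROLIE feed entry for a mirrored document.

    Both the hash file(s) and the signature must be listed in the feed. The
    "hash"/"signature" rel values and the ".<algo>"/".asc" suffixes are assumed
    conventions; the signature file is listed here but signing itself (OpenPGP
    with the aggregator's key) is outside this example.
    """
    links = [{"rel": "self", "href": f"{base_url}/{filename}"}]
    for algo in hash_algos:
        links.append({"rel": "hash", "href": f"{base_url}/{filename}.{algo}"})
    links.append({"rel": "signature", "href": f"{base_url}/{filename}.asc"})
    return {"id": filename[:-5] if filename.endswith(".json") else filename, "link": links}


if __name__ == "__main__":
    name = "example-0001.json"
    # Issuing party supplied no hash: the aggregator creates one.
    created, origin = mirror_hash(SAMPLE_CSAF, name, None)
    print(origin, created.strip())
    # Issuing party supplied a hash that matches: it is copied as-is.
    copied, origin = mirror_hash(SAMPLE_CSAF, name, created)
    print(origin, copied == created)
    # Document tampered after the upstream hash was taken: refuse to mirror it.
    try:
        mirror_hash(SAMPLE_CSAF + b"\n", name, created)
    except ValueError as exc:
        print("rejected:", exc)
    print(json.dumps(rolie_entry(name, "https://aggregator.example/csaf/vendor", ["sha256", "sha512"]), indent=2))
```

The rejection path is the part worth keeping in mind: an aggregator signature only asserts that the document was not modified after download, so a downloaded document whose upstream hash no longer matches must be dropped or re-fetched rather than re-hashed, otherwise the aggregator would be certifying a modified copy.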

sthagen commented 2 years ago

I consider the prose clarification of the already encoded constraints (in tests) a nonmaterial change, thus I label the issue alike.