spdx / spdx-3-model

The model for the information captured in SPDX version 3 standard.
https://spdx.dev/use/specifications/

Steward #855

Open Pizza-Ria opened 1 month ago

Pizza-Ria commented 1 month ago

This is a suggestion to add a field in the specification to indicate if there is a steward (see EU-CRA Article 24 and https://linuxfoundation.eu/cyber-resilience-act for context) for the project. Ultimately, collection of this field (especially for automated scanners) may depend on an ecosystem adoption of a steward.md file within a repo so this field can be easily identified. Further noting that this is different from the concept of a "license steward" used with the SPDX-IDs for licenses.

P.S. Since the concept of a package steward is tied to security concerns, it may fit best within the https://spdx.github.io/spdx-spec/v3.0/model/Security/Security/ section of the spec.

P.P.S. There is a parallel issue filed with CycloneDX at https://github.com/CycloneDX/specification/issues/503.

Thank you!

zvr commented 1 month ago

Thanks for this, @Pizza-Ria .

If it's not an intrinsic property of a package, the correct way to implement this would be a new RelationshipType, so we could express a relationship:

Package-Foo   HAS_STEWARD  Agent-X

(or conversely, Agent-X IS-STEWARD-OF Package-Foo, but I think the former approach is better.)
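As an added illustration (not code from this thread or from the spdx-3-model project), a small Python resolver over a constructed SPDX 3-style JSON-LD graph that finds a package's steward through a Relationship element in either direction zvr mentions. The relationship type names `hasSteward` and `isStewardOf` are hypothetical stand-ins for whatever RelationshipType the proposal would define; the element and field names follow the SPDX 3.0 serialization as I understand it.

```python
"""Resolve a proposed steward relationship in an SPDX 3-style document."""

# Constructed SPDX 3.0-style JSON-LD graph. The relationship types
# "hasSteward" and "isStewardOf" are HYPOTHETICAL: they are the proposal
# under discussion, not part of the published SPDX 3.0 vocabulary.
SAMPLE_DOC = {
    "@context": "https://spdx.org/rdf/3.0.0/spdx-context.jsonld",
    "@graph": [
        {"type": "software_Package", "spdxId": "urn:spdx:pkg-foo", "name": "Package-Foo"},
        {"type": "Organization", "spdxId": "urn:spdx:agent-x", "name": "Agent-X"},
        {"type": "Relationship", "spdxId": "urn:spdx:rel-1",
         "from": "urn:spdx:pkg-foo", "relationshipType": "hasSteward",
         "to": ["urn:spdx:agent-x"]},
    ],
}

# Hypothetical steward relationship types, mapped to the side the package sits on.
STEWARD_TYPES = {"hasSteward": "from", "isStewardOf": "to"}
AGENT_TYPES = ("Agent", "Organization", "Person", "SoftwareAgent")


def index_elements(doc):
    """Map spdxId -> element for every identified element in the @graph."""
    return {el["spdxId"]: el for el in doc.get("@graph", []) if "spdxId" in el}


def stewards_of(doc, package_id):
    """Return names of agents declared as steward of package_id.

    Handles both the package-side (hasSteward) and agent-side (isStewardOf)
    directions, and silently skips relationships whose target is missing
    or is not an Agent element.
    """
    elements = index_elements(doc)
    names = []
    for el in elements.values():
        side = STEWARD_TYPES.get(el.get("relationshipType"))
        if el.get("type") != "Relationship" or side is None:
            continue
        targets = el.get("to", [])
        targets = [targets] if isinstance(targets, str) else targets
        if side == "from" and el.get("from") == package_id:
            agent_ids = targets
        elif side == "to" and package_id in targets:
            agent_ids = [el.get("from")]
        else:
            continue
        for aid in agent_ids:
            agent = elements.get(aid)
            if agent and agent.get("type") in AGENT_TYPES:
                names.append(agent.get("name", aid))
    return names


if __name__ == "__main__":
    print(stewards_of(SAMPLE_DOC, "urn:spdx:pkg-foo"))  # ['Agent-X']
```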