
board-busdev-thought-leaders message



Subject: New TC?


I can't make the meeting because I'll be chairing OpenC2 TC at the same time. Attached is a potential new TC that would get us involved in SBOM. I'm keying off "I don't think there's a standards body tasked with defining details about how a hash about a component should be constructed". It's a complex topic and a spec is needed. I'd be willing to help (but not chair). This is a good example of how we get new TCs stood up of people who aren't currently OASIS zealots. I think it will take a couple of us zealots to just stand it up and then they will come.

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

From: 'Lars Francke' via cisa-sbom-tooling <cisa-sbom-tooling@googlegroups.com>
Date: Wednesday, November 29, 2023 at 5:33 AM
To: cisa-sbom-tooling@googlegroups.com <cisa-sbom-tooling@googlegroups.com>
Subject: Re: [cisa-sbom-tooling] Hashes (in Rust)

Hi Nisha,

 

thanks for the response.

 

> I don't think this mailing list is involved with implementation of hashing packages and would just use the hash value provided by the package manager or whatever metadata is available.

 

This is exactly what it is about.

Currently, Rust does not provide a way to get hashes at all.

So, this is our chance to tell them what we need.

 

I don't think there's a standards body tasked with defining details about how a hash about a component should be constructed which might make them meaningless (as in the case with Rust currently) even though they - in theory - could provide a strong data point for validating my dependencies.

 

 

Cheers,

Lars

 

 

Lars Francke

CTO

 

mobile  +49 (172) 4554978

Book an appointment: https://calendly.com/lars-francke/

----------------------------------------------------------------------------

Stackable GmbH

Thomas-Mann-Straße 8

22880 Wedel

Germany

 

www.stackable.tech

we support and automate open source Streaming and Big Data infrastructure

 

Amtsgericht Pinneberg, Registernummer HRB 15351 PI

Geschäftsführer: Lars Francke, Sönke Liebau, Sebastian Amtage
USt.-Id.-Nr. DE334447979

 

 

On Wed, Nov 29, 2023 at 1:58 AM Nisha Kumar <nishakumarx@gmail.com> wrote:

Hi Lars,

 

I don't think this mailing list is involved with implementation of hashing packages and would just use the hash value provided by the package manager or whatever metadata is available.

 

However, I think some SPDX and CycloneDX experts watch this mailing list and may be available to join the discussions happening in the Rust community! Perhaps you can provide some information on where we can do that?

 

-Nisha

 

On Tue, Nov 28, 2023 at 5:37 AM 'Lars Francke' via cisa-sbom-tooling <cisa-sbom-tooling@googlegroups.com> wrote:

Hi,

 

I'm not entirely sure if this is the correct mailing list for this question.

 

Is there any form of agreement on how hashes should be generated for dependencies/components in SBOMs?

 

In the Rust ecosystem we are currently trying to define how the Rust compiler can help generate better SBOMs: <https://internals.rust-lang.org/t/pre-rfc-cargo-sbom/19842/>

The big question we have is how to do hashes properly.

 

I would welcome any insights either in this list or in the linked discussion.

I think this is a great chance to improve SBOMs for everyone in the Rust ecosystem at the source, it'd be great if we could get some help.

 

Cheers,

Lars

 

Lars Francke

CTO

 

mobile  +49 (172) 4554978

Book an appointment: https://calendly.com/lars-francke/

----------------------------------------------------------------------------

Stackable GmbH

Thomas-Mann-Straße 8

22880 Wedel

Germany

 

www.stackable.tech

we support and automate open source Streaming and Big Data infrastructure

 

Amtsgericht Pinneberg, Registernummer HRB 15351 PI

Geschäftsführer: Lars Francke, Sönke Liebau, Sebastian Amtage
USt.-Id.-Nr. DE334447979

--
You received this message because you are subscribed to the Google Groups "cisa-sbom-tooling" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cisa-sbom-tooling+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cisa-sbom-tooling/CANBqRJn6fH7zLpeXkRGUOaRbA9fEBOzxWX5%2BFqVPdey%3DiGYx2Q%40mail.gmail.com.

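An added illustration of the point Lars raises in the thread above (not code from the thread, from Stackable, or from the Cargo SBOM pre-RFC): a component hash in an SBOM only lets a consumer validate a dependency if the bytes being hashed are precisely defined. The script builds two tar archives of the same constructed sample crate files in memory, differing only in archive metadata (entry order and mtime), and shows that their SHA-256 digests differ even though the content is identical; it then computes a hypothetical content-only hash (sorted paths, length-prefixed path and content) that is stable across such packaging differences but still changes when a source file is tampered with. Python is used here, rather than Rust, so the example runs with the standard library alone; the canonical scheme is an assumption for illustration, not a published standard.

```python
"""Why an SBOM component hash needs a defined input (added example, not from the thread)."""
import hashlib
import io
import tarfile

# Constructed sample crate (not a real package): path -> file bytes.
CRATE_FILES = {
    "Cargo.toml": b'[package]\nname = "example"\nversion = "0.1.0"\n',
    "src/lib.rs": b"pub fn answer() -> u32 { 42 }\n",
}


def build_tarball(files, mtime, order):
    """Pack `files` into an uncompressed tar archive held in memory.

    `order` controls entry order and `mtime` the per-entry timestamp; both are
    packaging details that do not change the source content at all.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in order:
            data = files[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_hash(files, mtime, order):
    """Naive 'hash the artifact as shipped': SHA-256 over the raw tar bytes."""
    return hashlib.sha256(build_tarball(files, mtime, order)).hexdigest()


def canonical_content_hash(files):
    """Hypothetical content-only hash (assumed scheme, not a standard).

    Entries are visited in sorted path order; each path and each file body is
    length-prefixed (8-byte big-endian) so that boundaries are unambiguous.
    Timestamps, ownership and archive layout are deliberately excluded.
    """
    h = hashlib.sha256()
    for name in sorted(files):
        path = name.encode("utf-8")
        data = files[name]
        h.update(len(path).to_bytes(8, "big"))
        h.update(path)
        h.update(len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()


def compare_schemes():
    """Return how each scheme behaves under repackaging and under tampering."""
    # Same files, different packaging metadata only.
    a = archive_hash(CRATE_FILES, mtime=1_700_000_000, order=["Cargo.toml", "src/lib.rs"])
    b = archive_hash(CRATE_FILES, mtime=1_700_000_001, order=["src/lib.rs", "Cargo.toml"])

    # Same files presented in a different dict order (consumer-side view).
    reordered = dict(reversed(list(CRATE_FILES.items())))

    # One source file modified: a change a dependency check must detect.
    tampered = dict(CRATE_FILES)
    tampered["src/lib.rs"] = b"pub fn answer() -> u32 { 43 }\n"

    return {
        "archive_hash_stable_across_repackaging": a == b,
        "canonical_hash_stable_across_reordering":
            canonical_content_hash(CRATE_FILES) == canonical_content_hash(reordered),
        "canonical_hash_detects_tampering":
            canonical_content_hash(CRATE_FILES) != canonical_content_hash(tampered),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

Running it shows the archive-bytes hash changing on repackaging alone, which is what makes such a value useless for validating that a downloaded dependency matches the one the SBOM describes, whereas a hash with a defined input survives repackaging and still flags a modified source file. Whatever scheme a specification eventually picks, the part that matters is that producers and consumers hash exactly the same, documented bytes.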


