I can't make the meeting because I'll be chairing OpenC2 TC at the same time. Attached is a potential new TC that would get us involved in SBOM. I'm keying off "I don't think
there's a standards body tasked with defining details about how a hash about a component should be constructed". It's a complex topic and a spec is needed. I'd be willing to help (but not chair). This is a good example
of how we get new TCs stood up of people who aren't currently OASIS zealots. I think it will take a couple of us zealots to just stand it up and then they will come.
--
Duncan Sparrell
sFractal Consulting
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at http://vsre.info/
From: 'Lars Francke' via cisa-sbom-tooling <cisa-sbom-tooling@googlegroups.com>
Date: Wednesday, November 29, 2023 at 5:33 AM
To: cisa-sbom-tooling@googlegroups.com <cisa-sbom-tooling@googlegroups.com>
Subject: Re: [cisa-sbom-tooling] Hashes (in Rust)
> I don't think this mailing list is involved with implementation of hashing packages and would just use the hash value provided by the package manager or whatever metadata is available.
This is exactly what it is about.
Currently, Rust does not provide a way to get hashes at all.
So, this is our chance to tell them what we need.
I don't think there's a standards body tasked with defining details about how a hash about a component should be constructed which might make them meaningless (as in the case with Rust currently) even though
they - in theory - could provide a strong data point for validating my dependencies.
Lars Francke
CTO
mobil +49 (172) 4554978
Book an appointment:
https://calendly.com/lars-francke/
----------------------------------------------------------------------------
Stackable GmbH
Thomas-Mann-Straße 8
22880 Wedel
Germany
www.stackable.tech
we support and automate open source Streaming and Big Data infrastructure
Amtsgericht Pinneberg, Registernummer HRB 15351 PI
Geschäftsführer: Lars Francke, Sönke Liebau, Sebastian Amtage
USt.Id.-Nr. DE334447979
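Lars's point above (a component hash is only meaningful if the spec says what bytes it covers) illustrated with an added example that is not from the thread or from any Rust tooling. It uses a constructed two-file crate layout and Python's tarfile/hashlib; the "canonical tree hash" scheme is an assumption for illustration, not an SPDX or CycloneDX rule.

```python
import hashlib
import io
import tarfile

# Constructed sample crate contents (not a real published crate).
CRATE_FILES = {
    "Cargo.toml": b'[package]\nname = "example"\nversion = "0.1.0"\n',
    "src/lib.rs": b"pub fn add(a: u32, b: u32) -> u32 { a + b }\n",
}


def pack_tar(files: dict, mtime: int) -> bytes:
    """Build an uncompressed tar in memory; mtime stands in for packaging metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(files):
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unpack_tar(archive: bytes) -> dict:
    """Recover the path -> content mapping from an archive produced by pack_tar."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


def archive_hash(archive: bytes) -> str:
    """SHA-256 over the archive bytes: depends on tar headers, not just on the source."""
    return hashlib.sha256(archive).hexdigest()


def tree_hash(files: dict) -> str:
    """Assumed canonical scheme: SHA-256 over sorted, length-prefixed (path, content) pairs."""
    h = hashlib.sha256()
    for path in sorted(files):
        p = path.encode("utf-8")
        data = files[path]
        h.update(len(p).to_bytes(4, "big") + p)
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


def compare(files: dict, mtime_a: int, mtime_b: int) -> dict:
    """Same sources packaged twice: archive hashes diverge, tree hashes agree."""
    a, b = pack_tar(files, mtime_a), pack_tar(files, mtime_b)
    return {
        "archive_hashes_equal": archive_hash(a) == archive_hash(b),
        "tree_hashes_equal": tree_hash(unpack_tar(a)) == tree_hash(unpack_tar(b)),
    }
```

Two SBOM tools that both report "the SHA-256 of the component" can disagree on an unchanged crate if one hashes the .crate archive and the other hashes the file tree, which is why the construction has to be specified.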
I don't think this mailing list is involved with implementation of hashing packages and would just use the hash value provided by the package manager or whatever metadata is available.
However, I think some SPDX and CycloneDX experts watch this mailing list and may be available to join the discussions happening in the Rust community! Perhaps you can provide some information on where we can
do that?
I'm not entirely sure if this is the correct mailing list for this question.
Is there any form of agreement on how hashes should be generated for dependencies/components in SBOMs?
The big question we have is how to do hashes properly.
I would welcome any insights either in this list or in the linked discussion.
I think this is a great chance to improve SBOMs for everyone in the Rust ecosystem at the source, it'd be great if we could get some help.
Lars Francke
CTO
mobil +49 (172) 4554978
Book an appointment:
https://calendly.com/lars-francke/
----------------------------------------------------------------------------
Stackable GmbH
Thomas-Mann-Straße 8
22880 Wedel
Germany
www.stackable.tech
we support and automate open source Streaming and Big Data infrastructure
Amtsgericht Pinneberg, Registernummer HRB 15351 PI
Geschäftsführer: Lars Francke, Sönke Liebau, Sebastian Amtage
USt.Id.-Nr. DE334447979