[OPSAWG] Éric Vyncke's Yes on draft-ietf-opsawg-sbom-access-15: (with COMMENT)
Éric Vyncke via Datatracker <noreply@ietf.org> Mon, 24 April 2023 08:53 UTC
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-opsawg-sbom-access@ietf.org, opsawg-chairs@ietf.org, opsawg@ietf.org, henk.birkholz@sit.fraunhofer.de, bill.wu@huawei.com, bill.wu@huawei.com
Reply-To: Éric Vyncke <evyncke@cisco.com>
Message-ID: <168232642126.49973.3794267032564521950@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/mZvGxbtTSqjg5W4wMyJY5jIxNzQ>
Éric Vyncke has entered the following ballot position for draft-ietf-opsawg-sbom-access-15: Yes

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you for the work put into this document.

Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education).

Special thanks to Win Wu for the shepherd's detailed write-up including the WG consensus and the justification of the intended status.

I hope that this review helps to improve the document,

Regards,

-éric

# COMMENTS (non-blocking)

## 'transparency' vs. 'sbom'

This is probably due to historical reasons, but I find it strange to have the YANG module named 'transparency' while this term does not appear in the abstract.

## Abstract

I am not a native English speaker, so I am probably outside of my expertise here, but:

* `automation is necessary to locate what software is running`: should 'to identify' or 'to list' be better?

* `to provide the locations of software bills of materials (SBOMS) and to vulnerability information.`: is there a verb missing between 'to' and 'vulnerability'? I must admit that I cannot parse this sentence.

## Section 1

`we seek`: who is the 'we'?

s/the model is a discovery mechanism/the model can be used as a discovery mechanism/ ? I.e., how can a model be a mechanism?

In `report to administrators the state of a system.`, "state" is rather vague; can the state be qualified? I.e., "security state"?

In the introduction of the 3 methods, the 2nd one (URI) is the only one having a normative MUST. Is it on purpose that the two other methods do not have normative language?

## Section 6

`the endpoint SHOULD NOT provide unrestricted access by default`: this is indeed a key point as the SBOM can also be viewed as the list of open doors to the device. I am really unsure how to fix this problem at all...

I would also wish to have a means to keep the SBOM information available for years even after manufacturer bankruptcy ...
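The Section 6 point above (an SBOM endpoint that should not grant unrestricted access by default) is illustrated with the following added example, which is not code from the draft, from the reviewer, or from the datatracker. It is a minimal in-process WSGI endpoint that serves an SBOM only to callers presenting the expected bearer token, with unauthenticated access available solely as an explicit operator opt-in, and it logs each refusal so that repeated probing of the endpoint is visible to monitoring. The path `/.well-known/sbom`, the `EndpointPolicy` class, the token value and the sample SBOM document are assumptions constructed for this example.

```python
"""Added example: an SBOM endpoint that is closed by default.

Illustrates the ballot comment on Section 6: a device that publishes its
software bill of materials should require authorization unless an operator
explicitly opts into open access.  Path, policy class, token and the sample
SBOM below are constructed for this example, not taken from the draft.
"""
import hmac
import json
import logging
from dataclasses import dataclass

log = logging.getLogger("sbom-endpoint")

# Constructed sample SBOM (CycloneDX-like shape, abbreviated for the example).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "example-libc", "version": "2.31"},
        {"name": "example-tls", "version": "1.1.1k"},
    ],
}

SBOM_PATH = "/.well-known/sbom"  # assumed path for this example


@dataclass
class EndpointPolicy:
    """Access policy for the SBOM endpoint.

    The secure default requires a bearer token; `allow_unauthenticated=True`
    is the weak setting and must be chosen explicitly by the operator.
    """
    bearer_token: str
    allow_unauthenticated: bool = False


def _authorized(environ, policy):
    """Return True if the WSGI request is allowed to read the SBOM."""
    if policy.allow_unauthenticated:
        return True
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, token = header.partition(" ")
    # Constant-time comparison so a wrong token does not leak a prefix via timing.
    return scheme.lower() == "bearer" and hmac.compare_digest(
        token.encode(), policy.bearer_token.encode()
    )


def make_app(policy):
    """Build a WSGI application that serves SAMPLE_SBOM under `policy`."""
    def app(environ, start_response):
        if environ.get("PATH_INFO", "") != SBOM_PATH:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        if not _authorized(environ, policy):
            # Refusals are logged: a burst of these is a useful detection signal.
            log.warning("denied SBOM request from %s", environ.get("REMOTE_ADDR", "?"))
            start_response("401 Unauthorized", [
                ("Content-Type", "text/plain"),
                ("WWW-Authenticate", 'Bearer realm="sbom"'),
            ])
            return [b"unauthorized"]
        start_response("200 OK", [("Content-Type", "application/json")])
        return [json.dumps(SAMPLE_SBOM).encode()]
    return app


def call(app, path, authorization=None, remote_addr="192.0.2.10"):
    """Invoke a WSGI app in-process (no network) and return (status, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET", "REMOTE_ADDR": remote_addr}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    closed = make_app(EndpointPolicy(bearer_token="example-token"))
    opened = make_app(EndpointPolicy(bearer_token="example-token", allow_unauthenticated=True))
    print(call(closed, SBOM_PATH)[0])                           # 401 Unauthorized
    print(call(closed, SBOM_PATH, "Bearer example-token")[0])   # 200 OK
    print(call(opened, SBOM_PATH)[0])                           # 200 OK (weak opt-in)
```

The deny-by-default policy is carried by the dataclass default rather than by a runtime check that an operator might forget to enable; the opt-in flag is what would appear in a configuration review when an endpoint is found to be open.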