That’s a really really good point! The more we communicate adoption and real-world use cases the better. The VEX use case of CSAF will definitely be front and center for most vendors.

From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of duncan sfractal.com <duncan@sfractal.com>
Date: Wednesday, October 26, 2022 at 12:54 PM
To: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org>
Subject: [csaf] CVRF/CSAF "awareness & adoption"

I think some discussion of “awareness & adoption” would be useful. Not holding anyone to commitments but companies sharing their current use and future plans wrt both CVRF and CSAF would be useful. In other meetings (e.g. CISA SBOM meetings), some people downplay CSAF adoption (“it will take years before VEX profile is used”, “no one uses CVRF”, “there are no tools”, …) and it would help to have some data to counter misconceptions.

I know we get a few statements-of-use prior to passing the standard, but now that CSAF is adopted it might be useful to make more noise on planned use. Given we are now inside the 270-day clock on US Federal procurement requiring SBOMs, I suspect CSAF/VEX usage will take off. But that’s speculation on my part – actual companies making non-binding statements (keep the lawyers happy) on what they are already doing and what are their plans will carry a lot more weight than my speculation.

--
Duncan Sparrell
sFractal Consulting
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at http://vsre.info/

From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of Omar Santos (osantos) <osantos@cisco.com>
Date: Wednesday, October 26, 2022 at 12:26 PM
To: Stefan Hagen <stefan@hagen.link>, Martin Prpic <mprpic@redhat.com>
Cc: Feng Cao <feng.cao@oracle.com>, csaf@lists.oasis-open.org <csaf@lists.oasis-open.org>, Schmidt, Thomas <thomas.schmidt@bsi.bund.de>
Subject: Re: [csaf] what is the plan to phase out CVRF support?

We can definitely put it in the agenda. However, it is really up to the vendor/producer of CVRF documents to decide how long they are supporting CVRF based on their customer usage/demand, etc. I believe that Feng was just trying to see what other current CVRF producers are planning to do.

From: Stefan Hagen <stefan@hagen.link>
Date: Wednesday, October 26, 2022 at 11:42 AM
To: Martin Prpic <mprpic@redhat.com>, Omar Santos (osantos) <osantos@cisco.com>
Cc: Feng Cao <feng.cao@oracle.com>, csaf@lists.oasis-open.org <csaf@lists.oasis-open.org>, Schmidt, Thomas <thomas.schmidt@bsi.bund.de>
Subject: Re: [csaf] what is the plan to phase out CVRF support?

Dear members,

looking at the "kavi" OASIS workspace of the CSAF TC I notice that this meeting (once scheduled for today) has been cancelled. Would this topic then be discussed on November 16?

Best,
Stefan

On Wed, Oct 26, 2022, at 16:19, Martin Prpic wrote:

We (Red Hat) plan on publishing CVRF files until Sep 1, 2023. After this date all of the CVRF files will be available for download as a single file archive, and we will continually publish CSAF only.

--
Martin Prpic / Red Hat Product Security

Omar Santos (osantos) writes:

> Absolutely! I will add it to the agenda. To give you a quick response from Cisco. Cisco will continue to support CVRF until the end of 2023.
>
> Regards,
>
> Omar Santos
> Cisco PSIRT
> os@cisco.com
> PGP: 3AF27EDC
>
> ________________________________
> From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of Feng Cao <feng.cao@oracle.com>
> Sent: Friday, October 21, 2022 2:24:25 PM
> To: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org>
> Subject: [csaf] what is the plan to phase out CVRF support?
>
> Hi all,
>
> I'd like to have your input on your organization's plan to phase out CVRF support. We have received such requests from our customers.
>
> Ideally, we have the consistent plan from all the organizations.
>
> It can be an item for next week's meeting?
>
> Thanks,
>
> --Feng