Original Message:
Sent: 11/6/2024 10:40:00 AM
From: Duncan Sparrell
Subject: RE: Claim-based SBOM Definition
Wrt agreement to add this text to FAQ, I would recommend a PR against https://github.com/oasis-tcs/osim/blob/main/FAQ/sbom.md.
I would recommend adding this new text to the existing definition as opposed to replacing the previous text. We had previously agreed to the SBOM definition as copied from the NTIA and CISA work. I think the above text enhances the definition; as there are some aspects of the existing wording worth keeping, I think keeping the entire original text is useful since it is in a lot of USG docs.
------------------------------
Duncan Sparrell
Chief Cyber Curmudgeion
sFractal Consulting LLC
Oakton VA
703-828-8646
------------------------------
Original Message:
Sent: 11/5/2024 12:16:00 PM
From: Isaac Hepworth
Subject: Claim-based SBOM Definition
Heh, I hesitated on that part too.
In my examples, "I know that X" is the claim attributed to me. Folks evaluating this claim should take into account
- how much they trust me
- how much they trust me to make claims about software composition in general
- how much they trust me to make claims about this piece of software specifically
- how much they trust me to make claims of this strength and level of detail
- how recent the claim is, perhaps
- and so on
"I claim that X" or "I assert that X" work too I think?
Isaac
> Should "knows" be "asserts" or "claims"? iPhone, iTypo, iApologize
(posted to the "OASIS Open Supplychain Information Modeling (OSIM) TC" community)
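One way a consumer might mechanize the evaluation Isaac lists above (how much the claimant is trusted in general, for this software specifically, at this strength, and how recent the claim is). This is an added example, not code from the thread or from the OSIM TC; the strength vocabulary, claimant names, subjects and trust scores are invented for illustration.

```python
"""Evaluate an attributed SBOM claim ("C claims that X about S") against a consumer's trust policy."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Claim strengths, weakest to strongest. Hypothetical vocabulary, not OSIM's.
STRENGTHS = ("asserted", "observed_at_build", "verified_reproducible")


@dataclass(frozen=True)
class Claim:
    claimant: str          # who says it: the "I" in "I claim that X"
    subject: str           # the software the claim is about (e.g. a purl)
    statement: str         # the X: the composition being claimed
    strength: str          # one of STRENGTHS
    issued_at: datetime    # when the claim was made (tz-aware)


@dataclass
class TrustPolicy:
    # claimant -> trust (0..1) for claims about software composition in general
    general_trust: dict[str, float]
    # (claimant, subject) -> trust override for claims about one specific piece of software
    subject_trust: dict[tuple[str, str], float] = field(default_factory=dict)
    # claimant -> strongest claim strength we are willing to take from them
    max_strength: dict[str, str] = field(default_factory=dict)
    max_age: timedelta = timedelta(days=90)   # older claims are treated as stale
    threshold: float = 0.5                    # minimum effective trust to accept


def evaluate(claim: Claim, policy: TrustPolicy, now: datetime) -> tuple[bool, float, list[str]]:
    """Return (accepted, effective_trust, reasons_for_rejection). Empty reasons means accepted."""
    if claim.strength not in STRENGTHS:
        return False, 0.0, [f"unknown strength {claim.strength!r}"]

    # 1. How much do we trust this claimant to make composition claims at all?
    trust = policy.general_trust.get(claim.claimant)
    if trust is None:
        return False, 0.0, ["unknown claimant"]

    # 2. Trust for this specific piece of software overrides the general value.
    trust = policy.subject_trust.get((claim.claimant, claim.subject), trust)

    reasons: list[str] = []
    # 3. Is the claimant trusted to make a claim of this strength?
    allowed = policy.max_strength.get(claim.claimant, STRENGTHS[0])
    if STRENGTHS.index(claim.strength) > STRENGTHS.index(allowed):
        reasons.append(f"not trusted for strength {claim.strength!r} (max {allowed!r})")
    # 4. Is the claim recent enough?
    if now - claim.issued_at > policy.max_age:
        reasons.append("claim is stale")
    # 5. Does the effective trust clear the bar?
    if trust < policy.threshold:
        reasons.append(f"effective trust {trust:.2f} below threshold {policy.threshold:.2f}")

    return not reasons, trust, reasons


def demo() -> dict[str, tuple[bool, float, list[str]]]:
    """Run a constructed policy over constructed claims; claimants and subjects are hypothetical."""
    now = datetime(2024, 11, 5, tzinfo=timezone.utc)
    policy = TrustPolicy(
        general_trust={"vendor-a": 0.8, "scanner-bot": 0.6},
        subject_trust={("vendor-a", "pkg:pypi/foo@1.2"): 0.3},   # vendor-a is weak on this package
        max_strength={"vendor-a": "verified_reproducible", "scanner-bot": "observed_at_build"},
    )
    stmt = "depends on pkg:npm/lodash@4.17.21"
    claims = {
        "fresh_vendor_claim": Claim("vendor-a", "pkg:npm/left@1.0", stmt,
                                    "verified_reproducible", now - timedelta(days=10)),
        "vendor_on_distrusted_subject": Claim("vendor-a", "pkg:pypi/foo@1.2", stmt,
                                              "asserted", now - timedelta(days=1)),
        "scanner_too_strong": Claim("scanner-bot", "pkg:npm/left@1.0", stmt,
                                    "verified_reproducible", now - timedelta(days=1)),
        "scanner_stale": Claim("scanner-bot", "pkg:npm/left@1.0", stmt,
                               "observed_at_build", now - timedelta(days=200)),
        "unknown_claimant": Claim("random-blog", "pkg:npm/left@1.0", stmt,
                                  "asserted", now),
    }
    return {name: evaluate(c, policy, now) for name, c in claims.items()}


if __name__ == "__main__":
    for name, (ok, trust, why) in demo().items():
        print(f"{name:30s} accepted={ok!s:5s} trust={trust:.2f} {'; '.join(why)}")
```

The point of keeping the claimant on the claim rather than evaluating the bare statement is that the same statement "X" gets a different answer depending on who said it, about what, how strongly, and when; the policy object is where a consumer records those judgements.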
Original Message:
Sent: 11/5/2024 12:11:00 PM
From: Duncan Sparrell
Subject: RE: Claim-based SBOM Definition
Should "knows" be "asserts" or "claims"?
iPhone, iTypo, iApologize