
Steward

Status: Open. Pizza-Ria opened this issue 1 year ago • 2 comments

This is a suggestion to add a field in the specification to indicate if there is a steward (see EU-CRA Article 24 and https://linuxfoundation.eu/cyber-resilience-act for context) for the project. Ultimately, collection of this field (especially for automated scanners) may depend on an ecosystem adoption of a steward.md file within a repo so this field can be easily identified. Further noting that this is different from the concept of a "license steward" used with the SPDX-IDs for licenses.

P.S. Since the concept of a package steward is tied to security concerns, it may fit best within the https://spdx.github.io/spdx-spec/v3.0/model/Security/Security/ section of the spec.

P.P.S. There is a parallel issue filed with CycloneDX at https://github.com/CycloneDX/specification/issues/503.

Thank you!

Pizza-Ria, Aug 14 '24 14:08

Thanks for this, @Pizza-Ria .

If it's not an intrinsic property of a package, the correct way to implement this would be a new RelationshipType, so we could express a relationship:

Package-Foo   HAS_STEWARD  Agent-X

(or conversely, Agent-X IS_STEWARD_OF Package-Foo, but I think the former approach is better.)

zvr, Aug 14 '24 16:08
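A consumer-side check for the relationship form suggested above, added here as example code (it is not from the SPDX project or from anyone in this thread). It assumes the SPDX 3 JSON-LD layout (an `@graph` of elements with `spdxId`, and Relationship elements with `from`, `to` and `relationshipType`), uses `hasSteward` as a hypothetical relationship type name standing in for the proposed HAS_STEWARD, and works on a constructed SBOM fragment.

```python
import json

# Constructed SPDX 3 JSON-LD fragment (sample data, not from the issue).
# "hasSteward" is a hypothetical relationshipType standing in for the
# HAS_STEWARD relationship proposed in the thread; it is not a spec value.
STEWARD_REL = "hasSteward"

SAMPLE_SBOM = json.dumps({
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "software_Package", "spdxId": "urn:example:pkg-foo", "name": "foo"},
        {"type": "software_Package", "spdxId": "urn:example:pkg-bar", "name": "bar"},
        {"type": "Organization", "spdxId": "urn:example:agent-x", "name": "Agent X"},
        {"type": "Relationship", "spdxId": "urn:example:rel-1",
         "from": "urn:example:pkg-foo", "relationshipType": STEWARD_REL,
         "to": ["urn:example:agent-x"]},
    ],
})


def steward_report(doc_json: str) -> dict:
    """Map each package spdxId to the names of its stewards (empty list = none).

    Modelling the steward as a Relationship rather than a Package field means a
    consumer has to walk the graph and resolve the Agent on the "to" side.
    """
    graph = json.loads(doc_json).get("@graph", [])
    by_id = {e["spdxId"]: e for e in graph if "spdxId" in e}
    packages = [e for e in graph if e.get("type") == "software_Package"]
    report = {pkg["spdxId"]: [] for pkg in packages}
    for e in graph:
        if e.get("type") != "Relationship" or e.get("relationshipType") != STEWARD_REL:
            continue
        src = e.get("from")
        if src not in report:
            continue  # steward relationship hanging off a non-package element
        for target in e.get("to", []):
            agent = by_id.get(target)
            # Dangling reference: keep the id visible instead of silently dropping it
            name = agent["name"] if agent and "name" in agent else f"<unresolved {target}>"
            report[src].append(name)
    return report


def packages_without_steward(doc_json: str) -> list:
    """The packages a CRA-oriented review of the SBOM would flag."""
    return sorted(pid for pid, names in steward_report(doc_json).items() if not names)
```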

Hi @Pizza-Ria - does the PR #861 address the Steward concept well enough for you and the EU-CRA?

rnjudge, Jul 08 '25 18:07