Steward #855
Comments
Thanks for this, @Pizza-Ria. If it's not an intrinsic property of a package, the correct way to implement this would be a new
(or conversely,
This is a suggestion to add a field in the specification to indicate if there is a steward (see EU-CRA Article 24 and https://linuxfoundation.eu/cyber-resilience-act for context) for the project. Ultimately, collection of this field (especially for automated scanners) may depend on ecosystem adoption of a steward.md file within a repo so this field can be easily identified. Further noting that this is different from the concept of a "license steward" used with the SPDX-IDs for licenses.
P.S. Since the concept of a package steward is tied to security concerns, it may fit best within the https://spdx.github.io/spdx-spec/v3.0/model/Security/Security/ section of the spec.
P.P.S. There is a parallel issue filed with CycloneDX at CycloneDX/specification#503.
Thank you!