spdx/spdx-3-model

Steward

Pizza-Ria opened this issue · 1 comment

This is a suggestion to add a field in the specification to indicate if there is a steward (see EU-CRA Article 24 and https://linuxfoundation.eu/cyber-resilience-act for context) for the project. Ultimately, collection of this field (especially for automated scanners) may depend on an ecosystem adoption of a steward.md file within a repo so this field can be easily identified. Further noting that this is different from the concept of a "license steward" used with the SPDX-IDs for licenses.

P.S. Since the concept of a package steward is tied to security concerns, it may fit best within the https://spdx.github.io/spdx-spec/v3.0/model/Security/Security/ section of the spec.

P.P.S. There is a parallel issue filed with CycloneDX at CycloneDX/specification#503.

Thank you!

zvr commented

Thanks for this, @Pizza-Ria .

If it's not an intrinsic property of a package, the correct way to implement this would be a new RelationshipType, so we could express a relationship:

Package-Foo   HAS_STEWARD  Agent-X

(or conversely, Agent-X IS_STEWARD_OF Package-Foo, but I think the former approach is better.)
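To make the relationship approach concrete, here is an added example (not code from the issue, nor from the SPDX project) showing what `Package-Foo HAS_STEWARD Agent-X` would look like in an SPDX 3.0.x JSON-LD document, plus the lookup a scanner would run over it. The relationshipType value `hasSteward` is hypothetical: it is the value such a new RelationshipType might take and does not exist in the published spec. All `example.com` identifiers, names and dates are constructed sample data.

```python
import json

# Constructed sample SPDX 3.0.x JSON-LD document. "hasSteward" is a
# HYPOTHETICAL relationshipType standing in for the proposed new value;
# SPDX 3.0.x does not define it. All spdxIds below are made up.
SAMPLE_SBOM = json.loads("""
{
  "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
  "@graph": [
    {
      "type": "CreationInfo",
      "@id": "_:creationinfo",
      "specVersion": "3.0.1",
      "created": "2024-01-01T00:00:00Z",
      "createdBy": ["https://example.com/spdx/Agent/tooling"]
    },
    {
      "type": "Organization",
      "spdxId": "https://example.com/spdx/Agent/foo-foundation",
      "name": "Foo Foundation",
      "creationInfo": "_:creationinfo"
    },
    {
      "type": "software_Package",
      "spdxId": "https://example.com/spdx/Package/foo",
      "name": "foo",
      "software_packageVersion": "1.2.3",
      "creationInfo": "_:creationinfo"
    },
    {
      "type": "software_Package",
      "spdxId": "https://example.com/spdx/Package/bar",
      "name": "bar",
      "software_packageVersion": "0.9.0",
      "creationInfo": "_:creationinfo"
    },
    {
      "type": "Relationship",
      "spdxId": "https://example.com/spdx/Relationship/foo-steward",
      "from": "https://example.com/spdx/Package/foo",
      "to": ["https://example.com/spdx/Agent/foo-foundation"],
      "relationshipType": "hasSteward",
      "creationInfo": "_:creationinfo"
    }
  ]
}
""")

STEWARD_RELATIONSHIP = "hasSteward"  # hypothetical value, see comment above

# Element types that can legitimately act as a steward (SPDX 3 Agent subtypes).
AGENT_TYPES = {"Agent", "Person", "Organization", "SoftwareAgent"}


def elements_by_id(doc):
    """Index every identified element of the graph by its spdxId."""
    return {e["spdxId"]: e for e in doc["@graph"] if "spdxId" in e}


def find_stewards(doc, package_id):
    """Return the names of agents linked to package_id by the hypothetical
    hasSteward relationship. Targets that are missing from the graph or
    are not Agents are skipped rather than reported as stewards."""
    index = elements_by_id(doc)
    stewards = []
    for el in doc["@graph"]:
        if el.get("type") != "Relationship":
            continue
        if el.get("relationshipType") != STEWARD_RELATIONSHIP:
            continue
        if el.get("from") != package_id:
            continue
        for target in el.get("to", []):
            agent = index.get(target)
            if agent is None or agent.get("type") not in AGENT_TYPES:
                continue  # dangling reference or wrong element type
            stewards.append(agent["name"])
    return stewards


def packages_without_steward(doc):
    """List the spdxIds of packages that carry no steward relationship;
    this is the check an automated scanner would run over an SBOM."""
    return [
        e["spdxId"]
        for e in doc["@graph"]
        if e.get("type") == "software_Package"
        and not find_stewards(doc, e["spdxId"])
    ]


if __name__ == "__main__":
    print(find_stewards(SAMPLE_SBOM, "https://example.com/spdx/Package/foo"))
    print(packages_without_steward(SAMPLE_SBOM))
```

Because the steward is expressed as a Relationship whose `from` is the package and whose `to` is an Agent element, the lookup never has to know anything about the package itself, which is the point zvr makes about it not being an intrinsic property of the package; the same walk also gives a scanner a direct way to flag packages with no steward at all.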