From: Ariadne Conill
To: Konstantin Kulikov
cc: ~alpine/devel@lists.alpinelinux.org
Subject: Re: A shared vulnerability format for open-source packages
Date: Thu, 29 Apr 2021 06:27:48 -0600 (MDT)
Message-ID: <309a2660-f22-4a97-2ad5-305f41ba744@dereferenced.org>

Hello,

On Thu, 29 Apr 2021, Konstantin Kulikov wrote:

> Russ Cox of the Go language team has drafted a proposal for a shared
> vulnerability format for open-source packages with goals to enhance
> interoperability between language teams, security researchers, and
> cross-language databases.
> See google doc [0] and his original tweet [1].

I have responded to him on Twitter. We have been talking about a similar
idea in ##distro-security on freenode.
It looks to me like both concepts are complementary to each other (we are
talking about federating security data between internal distro trackers,
using JSON-LD and Linked Data Notifications), as Russ's proposal provides
a reasonable vocabulary for the security data to use.

Maybe we can get everyone together in ##distro-security to talk about this
and organize something?

Ariadne