Hi Lars,
On 24.04.23 15:51, Lars Eggert via Datatracker wrote:
> Lars Eggert has entered the following ballot position for
> draft-ietf-opsawg-sbom-access-15: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> # GEN AD review of draft-ietf-opsawg-sbom-access-15
>
> CC @larseggert
>
> Thanks to Russ Housley for the General Area Review Team (Gen-ART) review
> (https://mailarchive.ietf.org/arch/msg/gen-art/c_Npcow_0xA8aojaPi07NMcoeaw).
>
> ## Comments
>
> ### Section 1, paragraph 3
> ```
> Put simply, we seek to answer two classes of questions *at scale*:
> ```
> What does "at scale" mean here? Ask the questions to a large number of systems?
> Ask the questions and expect very large results? Something else?

Right now communication of SBOMs is almost entirely manual at a time
when customers may have thousands if not hundreds of thousands of IoT
devices. That's what we mean by scale. Do you have a suggested way to
reword?
> ## Nits
>
> All comments below are about very minor potential issues that you may choose to
> address in some way - or ignore - as you see fit. Some were flagged by
> automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
> will likely be some false positives. There is no need to let me know what you
> did with these suggestions.
>
> ### Uncited references
>
> Uncited references: `[RFC8446]`, `[RFC6242]`, and `[RFC8341]`.

Thank you, corrected.
> ### Outdated references
>
> Reference `[RFC7231]` to `RFC7231`, which was obsoleted by `RFC9110` (this may
> be on purpose).

Both are cited. However, there was an inconsistency: one is cited as
informational and one as normative. In my opinion, they should both be
normative because we are relying on the Content-Type headers, and we
mention Accept.
> ### Grammar/style
>
> #### Section 1, paragraph 16
> ```
> : * on devices themselves * on a web site (e.g., via URI) * through some for
> ^^^^^^^^
> ```
> Nowadays, it's more common to write this as one word.

Ok.
> #### Section 4, paragraph 13
> ```
> this device. Publication dates can found inside the SBOMs."; } choice vuln-r
> ^^^^^
> ```
> Make sure that the ambiguous verb form "found" is correct. (It can either be
> the base form "found", or the past tense of a different verb.)

Corrected.
Thanks!
Eliot
_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg