Steward

[Pizza-Ria]

This is a suggestion to add a field in the specification to indicate if there is a steward (see, EU-CRA - Article 24 and https://linuxfoundation.eu/cyber-resilience-act for context) for the project. Ultimately, collection of this field (especially for automted scanners) may depend on an ecosystem adoption of a steward.md file within a repo so this field can be easily identified. Further noting that this is different from the concept of a "license steward" used with the SPDX-IDs for licenses.

P.S. Since the concept of a package steward is tied to security concerns, it may fit best within the https://spdx.github.io/spdx-spec/v3.0/model/Security/Security/ section of the spec.

P.P.S. There is a parallel issue filed with CycloneDX at CycloneDX/specification#503.

Thank you!

[zvr]

Thanks for this, @Pizza-Ria .

If it's not an intrinsic property of a package, the correct way to implement this would be a new RelationshipType, so we could express a relationship:

Package-Foo   HAS_STEWART  Agent-X

(or conversely, Agent-X IS-STEWART-OF Package-Foo, but I think the former approach is better.