Skip to content

Conformance example1 prelim system reqs#155

Open
gregshue wants to merge 100 commits into
spdx:conformanceexamplesfrom
gregshue:conformance-example1-prelim-system-reqs
Open

Conformance example1 prelim system reqs#155
gregshue wants to merge 100 commits into
spdx:conformanceexamplesfrom
gregshue:conformance-example1-prelim-system-reqs

Conversation

@gregshue

Copy link
Copy Markdown
Contributor

No description provided.

gregshue added 30 commits June 11, 2026 12:11
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
…x I Part I (1)

Signed-off-by: Gregory Shue <greg.shue@outlook.com>
…x I Part I (2a)

Signed-off-by: Gregory Shue <greg.shue@outlook.com>
…x I Part I (2b)

Signed-off-by: Gregory Shue <greg.shue@outlook.com>
…x I Part I (2c)

Signed-off-by: Gregory Shue <greg.shue@outlook.com>
…x I Part I (2d)

Signed-off-by: Gregory Shue <greg.shue@outlook.com>
…x I Part I (2e)

Signed-off-by: Gregory Shue <greg.shue@outlook.com>
gregshue added 2 commits June 12, 2026 10:30
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
@gregshue

Copy link
Copy Markdown
Contributor Author

we need to clearer what we exposed to.

Addressed

@gregshue

Copy link
Copy Markdown
Contributor Author

Clean up/out occurrences of "product with digital elements".

Addressed

@gregshue gregshue requested a review from stevenc-stb June 12, 2026 20:43

@stevenc-stb stevenc-stb left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some small changes.

Comment thread conformance/example1/content/src/SOI/SAMPLE/sdoc/index.sdoc Outdated
Comment thread conformance/example1/content/src/SOI/SAMPLE/system_requirements/sdoc/index.sdoc Outdated
Comment thread conformance/example1/content/src/SOI/SAMPLE/system_requirements/sdoc/index.sdoc Outdated
Comment thread conformance/example1/content/src/SOI/SAMPLE/system_requirements/sdoc/index.sdoc Outdated
gregshue and others added 4 commits June 13, 2026 14:22
Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com>
Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
…s/sdoc/index.sdoc

Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com>
Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
…s/sdoc/index.sdoc

Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com>
Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
…s/sdoc/index.sdoc

Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com>
Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
@gregshue gregshue requested a review from stevenc-stb June 13, 2026 21:23

@stevenc-stb stevenc-stb left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@stevenc-stb stevenc-stb left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

found a other copy past error

more

Comment thread conformance/example1/content/src/SOI/SAMPLE/system_requirements/sdoc/index.sdoc Outdated
Comment thread conformance/example1/content/src/SOI/SAMPLE/system_requirements/sdoc/index.sdoc Outdated
gregshue and others added 2 commits June 14, 2026 11:50
Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com>
Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com>
Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
@gregshue gregshue requested a review from stevenc-stb June 14, 2026 19:17
Comment thread conformance/example1/content/src/SOI/SAMPLE/system_requirements/sdoc/index.sdoc Outdated
Comment thread conformance/example1/content/src/SOI/SAMPLE/system_requirements/sdoc/index.sdoc Outdated
gregshue and others added 2 commits June 15, 2026 09:05
…s/sdoc/index.sdoc

Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com>
Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
…s/sdoc/index.sdoc

Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com>
Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
@gregshue gregshue requested a review from stevenc-stb June 15, 2026 16:06
Signed-off-by: Gregory Shue <greg.shue@outlook.com>

@chuckwolber chuckwolber left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I have more review feedback, but I am not sure where to direct it right away. We may require multiple passes.

Comment on lines +19 to +22
SAMPLE is a Product Line of commodity consumer electronics devices intended for
markets requiring conformance with the EU Cyber Resilience Act. The range of
devices supported by this Product Line is expected to expand over time as
more product types become commoditized.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you talking about a reusable component intended for inclusion in an OEM product for sale direct to consumers? I think the use of the word commoditized is also a little confusing. I can think of a number of reusable components that are branded (not commoditized), but otherwise purport to fulfill an industry specification that may or may not be implemented by others.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am talking about the end products-with-digital-elements being commodity devices. This is informative content rather than normative, so it doesn't have to be proved or verified. Perhaps we need a title/section to make that distinct.

Your question prompted me to look for a definition of "commodity devices". From SUSE.com I found the following:

Commodity hardware, sometimes known as off-the-shelf hardware, is a computer device or IT component that is relatively inexpensive, widely available and basically interchangeable with other hardware of its type. Unlike purpose-built hardware designed for a specific IT function, commodity hardware can perform many different functions. Commodity hardware is usually low-end, broadly compatible and can function on a plug-and-play basis with other commodity hardware products. ...

Generally, commodity hardware can evolve from any technologically mature product. Thus, most hardware products that have been on the market for five years or more are available in commodity versions. ...

USB devices (e.g., Thumb drives) are always branded and each has a serial number. The lowest-cost versions that are functionally identical and provide only standard USB interfaces that pull in common drivers provided by the OS vendor are essentially commodity devices. The business profit model is competing on low price, lower cost, and high volume. I have used the term "commodity devices" to refer to this end of the spectrum.

Please note that some of the electrical components within the commodity devices will also be commodity electronics (e..g, resistors, USB connectors, NAND flash chips), where others will not be (e.g., SOC holding non-standard register interfaces to digital logic blocks).

Comment on lines +37 to +38
These products are NOT expected to be used in industrial or
safety-critical deployments.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Short response: "NOT expected" is a negative requirement, or "negative intent" if you prefer. Neither can be proven. It is probably also true that the product is not expected to be used in an infinite number of ways well beyond industrial and safety-critical deployments. Sticking to what IS intended keeps the burden of proof finite.

Longer response: While I am certain it would not be difficult to find plenty of examples of manufacturers who specifically intend for their component to be used in industrial or safety-critical deployments, I am not sure that kind of intent is the norm. In my experience an OEM chooses a component for its fitness regardless of what the manufacturer intended of it. At that point, the OEM takes responsibility for the outcome. At the highest levels of criticality, component heritage is defined as the operational track record. The component manufacturer is neither responsible for, nor likely aware of, the operational track record of their products they sell to OEMs (failures notwithstanding).

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is informative content rather than normative, so it doesn't have to be proved or verified. Perhaps we need a title/section to make that distinct.

The EU CRA Annex II item requires the User Documentation to describe "the intended use, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties;"

Yes, there are many hardware components that are specifically intended for safety-critical environments (e.g., automotive grade SOCs vs non-automotive grade). I have also run across similar distinctions for RTOS usages (e.g., Green Hills Software product INTEGRITY-178 tuMP Safety-Critical & Security-Critical RTOS vs. Green Hills Software product INTEGRITY RTOS).

Signed-off-by: Gregory Shue <greg.shue@outlook.com>
@gregshue gregshue requested a review from chuckwolber June 19, 2026 17:01

@stevenc-stb stevenc-stb left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It Look good to me a draft

@stevenc-stb stevenc-stb requested review from chuckwolber and kestewart and removed request for chuckwolber June 19, 2026 17:03
gregshue added 2 commits June 26, 2026 14:32
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants