Supply chain secure software factory reference architecture (Supply Chain Working Group) #679
Comments
|
Next steps for this issue is nomination of project leads as well as presenting this at a TAG meeting. Tagging relevant members who may be interested in discussions/project leading. |
|
Thanks Brandon, I’m in!
I see the next architecture stage as pivotal in the success of this work.
There is a lot of work out there already but I have yet to see a
consolidated end to end architecture. I’d be happy to throw out initial
thoughts on it
On Tue, 1 Jun 2021 at 21:46, Brandon Lum ***@***.***> wrote:
Next steps for this issue is nomination of project leads as well as
presenting this at a TAG meeting.
Tagging relevant members who may be interested in discussions/project
leading.
@jonmuk <https://github.com/jonmuk> @dlorenc <https://github.com/dlorenc>
@lhinds <https://github.com/lhinds> @bobcallaway
<https://github.com/bobcallaway>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#679 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AECYKWK6UQ7E2EGAAWJYCL3TQVBJDANCNFSM455LUOMA>
.
--
Best Regards
Jon
|
|
Does this consider #671 ? |
It should be considered! This came out of a separate set of discussions from the implementors (some of which are not part of the original paper group). I do agree that this is a natural continuation of the supply chain working group. |
|
Hi @lumjjb, as discussed adding myself here as i'd be interested in helping out on this too. |
|
Hi @lumjjb -- I've been working on tekton chains & sigstore recently and would be interested in helping out as well! |
|
@lumjjb I’m happy to assist as well. |
|
@lumjjb Me too! |
|
@lumjjb please keep me in the loop too. |
|
This is a grand ambitious goal but well worth it. As its been pointed out, the supply chain workgroup did contemplate for this work to be the follow on to the white paper. There is a considerable amount of work necessary in order to realize this and we'll need to come up with the right architecture and strategy to get the work done, in addition to all the help that we can get. |
|
Let's discuss this during Friday's supply chain wg meeting, since there's already ongoing discussions there around this. This will be posted in this slack channel https://cloud-native.slack.com/archives/C01KL0B4LKC |
|
I am working on few technologies in this area and happy to help as well. |
|
when do you meet and how to join the call? I tried joining the Supply Chain WG zoom meeting with no luck. |
|
@laurentsimon Sorry there was a hick-up with the calendar, the "correct" zoom link was in the slack channel. But we will share the meeting notes about this in a bit. @anvega is going to send out a doodle poll to find a better time for everyone to help define the scope of the reference architecture and the project management aspects (meeting cadences, SW mgmt, GH project board, etc.). |
|
The CNCF calendar has also been updated with the correct Zoom meeting. |
|
I will like to contribute to the Architecture Effort for Supply chain security |
|
Attended today's TAG-Security Supply Chain -WG, thank you, I do appreciate all the work I see being done so far, and I would also like to contribute. |
|
This issue needs to be updated with a timeline, corresponding milestone deliverables, and list ALL the contributors thus far. This needs updated before KubeCon+CloudNativeCon. |
|
Published reference architecture: https://github.com/cncf/tag-security/blob/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf |
Communications/Meetings for this issue
A group meets up to discuss this issue as part of the Supply Chain Working Group. To keep in the loop of conversations, please join the slack channel: https://cloud-native.slack.com/archives/C01KL0B4LKC
Description:
Create a working group around an effort to create a reference architecture (backed by an open source implementation) of a Secure Software Factory (SSF) as highlighted in the supply chain paper.
Context: This is a continued effort from the original supply chain working group's work with the Supply Chain Paper. There are various discussions ongoing related to this in #625, #501, #600, Zero-Trust Supply Chains - Google Docs
Impact:
This working group will provide a commonplace for implementors of different communities (SPIRE, in-toto, tekton, sigstore, etc.) to work towards a similar goal of SSF. There are multiple efforts ongoing related to this, and this will help consolidate certain work streams.
Scope:
The scope of this includes architecture discussions and implementation efforts across various communities. The artifact produced from this should be a document laying out the reference architecture of a SSF with an appendix with implementation pointers and examples.
The target audience for this working group are implementors of SSF and contributing members of the underlying SSF components.
Proposed Schedule
Q4 2020
Q1 2021
Q2 2021
Contributing
To contribute, please refer to the "Contributing" section of the reference architecture document
Contributors
The text was updated successfully, but these errors were encountered: