[SSDF Epic] PS: Protect software #123
Comments
I will be focusing on PS 3.2. PS.3.2: Collect, safeguard, maintain, and share provenance data for all components of each software release via a software bill of materials [SBOM]. There are already several issues opened related to this work, which I will assign myself.
I will look into PS.3.1: Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.
Initial comments: PS.3.1: Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.
I'm focusing on PS1.1, currently identifying and documenting the 46 GH repos in the adoptium project, breaking them into functional areas, and once that is completed, documenting the current access control mechanisms and evaluating whether they meet the security standards detailed below. Currently being worked on in issue #143
PS1.1 documentation can be found in this document: https://docs.google.com/document/d/1NtG03VDr20DN8KX-wbdGr-lplMaXaSHfZQUMlDm7sCk/edit#heading=h.lwt7k16quujk
Thanks for this. Comments directly in the doc.
This issue tracks the PS SSDF items and will also contain more detail for them:
Work that addresses these items can reference this epic issue.
- provide (gpg?) signed releases (temurin-build#1275)