SIG Software Supply Chain Proposal #140
Conversation
I would like to see some clarity on how the remit of this group differs from that of Interoperability?
Maybe it also makes sense to rename the Security SIG instead; it has strong overlap in the Manifesto. It is no longer active AFAICT.
Thanks for the comments @tdcox and @oleg-nenashev.
The Interoperability SIG studies the seamless working of CI/CD technologies, with the focus being on terminology, (standardized) interfaces, and metadata. The SIG Software Supply Chain aims to look at CI/CD aspects of the supply chain by studying the various activities that are run as part of the pipelines and orchestrated by CI/CD technologies to ensure the security, integrity, and compliance of the products and of the pipelines themselves. Some of the topics this SIG could potentially work on are SBOM and policy, and these topics were discussed in SIG Interoperability in the past. However, the focus of SIG Interoperability was on the interactions between CI/CD technologies and the technologies that provide SBOM capabilities and policy frameworks. This is one of the reasons for proposing SIG Software Supply Chain: these topics need to be looked at from the perspective of how they can be employed to help improve the supply chain as they are used by CI/CD pipelines. The SIG Software Supply Chain will collaborate with other CDF SIGs when it identifies areas that are relevant for them instead of tackling them itself.
The SIG Software Supply Chain aims to take a holistic approach and look at various topics to contribute to the overall effort of improving the supply chain situation from a CI/CD perspective. Security is one of the critical areas to look into; however, we aim to look into integrity and compliance aspects as well, thus the SIG is proposed as SIG Software Supply Chain. About the SIG Security: as an additional note, one of the purposes of this SIG is to bring the topic to the attention of the CDF community by calling it out explicitly with a broader take, since the topic is pretty critical but there is no active group working on it under CDF at the moment.
Thanks for the clarification. My hesitation is due to the fact that it doesn't feel aligned with the process of Continuous Delivery to treat 'interoperability with other parts of the software supply chain' and 'interoperability with other parts of the software supply chain in a secure and congruent manner' as two separate concerns.
I volunteer to be the TOC Sponsor for this SIG.
Thanks for sponsoring the SIG @mjmckay. The proposal is updated. |
Hi @fdegir, I am interested in contributing to this SIG Software Supply Chain. Let me know how it works. Thanks.
Thanks for your interest @mgreau. The SIG will need to be voted on by the CDF TOC first, which should happen soon, and then we need to sort out the logistics (e.g. mailing list, Slack) if/when the SIG is approved by the TOC. We will share updates on this PR, so please keep an eye on it. In the meantime, I can add you as a member if you like. Please let me know.
Thanks for the clarification. Yes, please add me.
Hi @fdegir, I am also interested in the SIG and want to be one of the contributors; I will promote ideas and practices about Software Supply Chain Security in China. Looking forward to the good news from the TOC side.
+1 non-binding
Co-authored-by: Dan Garfield <dan@codefresh.io>
The proposal is up for vote by the CDF TOC on the cdf-toc mailing list. Thanks @oleg-nenashev for starting the vote. https://lists.cd.foundation/g/cdf-toc/topic/88911382 /cc @cdfoundation/toc
The SIG has been approved by the CDF TOC, so this commit updates proposed.md to document this fact. https://docs.google.com/document/d/1uBHar55fTInWF9Li4t0lyG3tTC8BRLU0FfBfsgk_Jrs/edit# https://lists.cd.foundation/g/cdf-toc/topic/88911382
@fdegir QQ: would it make sense to squash the commits?
Yes!
The request was voted on in the mailing list and then approved at the Feb 15 governance meeting. I will proceed with the merge https://lists.cd.foundation/g/cdf-toc/topic/88911382#775