
SIG Software Supply Chain Proposal #140

Merged

Conversation

fdegir
Member

@fdegir fdegir commented Jan 31, 2022

No description provided.

@fdegir fdegir requested review from tracymiranda and a team as code owners January 31, 2022 06:12
@tdcox

tdcox commented Jan 31, 2022

I would like to see some clarity on how the remit of this group differs from that of Interoperability?

@oleg-nenashev
Member

oleg-nenashev commented Jan 31, 2022

Maybe it also makes sense to rename the Security SIG instead, it has strong overlap in the Manifesto. It is no longer active AFAICT

@fdegir
Member Author

fdegir commented Jan 31, 2022

Thanks for the comments @tdcox and @oleg-nenashev.

> I would like to see some clarity on how the remit of this group differs from that of Interoperability?

The Interoperability SIG studies the seamless working of CI/CD technologies with focus being on terminology, (standardized) interfaces, and metadata.

The SIG Software Supply Chain aims to look at CI/CD aspects of the supply chain by studying various activities that are run as part of the pipelines and orchestrated by CI/CD technologies to ensure security, integrity, and compliance of the products and the pipelines themselves.

Some of the topics this SIG could potentially work on are SBOM and policy, and these topics were discussed in SIG Interoperability in the past. However, the focus of SIG Interoperability was around interactions between CI/CD technologies and technologies that provide SBOM capabilities and policy frameworks. This is one of the reasons for proposing SIG Software Supply Chain, because these topics need to be looked into from the perspective of how they can be employed to help with improving the supply chain as they are used by CI/CD pipelines. The SIG Software Supply Chain will collaborate with other CDF SIGs when it identifies areas that are relevant for them instead of tackling them itself.

> Maybe it also makes sense to rename the Security SIG instead, it has strong overlap in the Manifesto. It is no longer active AFAICT

The SIG Software Supply Chain aims to take a holistic approach and look at various topics to contribute to the overall effort of improving the situation with the supply chain from a CI/CD perspective. Security is one of the critical areas to look into; however, we aim to look into integrity and compliance aspects as well, thus the SIG is proposed as SIG Software Supply Chain.

About the SIG Security.
Security of the supply chain was one of the sub-areas of the SIG Security, together with SBOM, so SIG Software Supply Chain will study the existing work of the SIG Security on these topics and look for possibilities to incorporate them. If community members desire to have workstreams focused on specific topics such as security of the supply chain, these efforts can be enabled by forming workstreams, with the possibility of them turning into their own SIGs, like how SIG Events was formed, subject to CDF TOC review.

As an additional note, one of the purposes of this SIG is to bring the topic to the attention of the CDF Community by calling it out explicitly with a broader take, since the topic is pretty critical; however, there is no active group working on this topic under CDF at the moment.

@tdcox

tdcox commented Jan 31, 2022

Thanks for the clarification. My hesitation is due to the fact that it doesn’t feel aligned to the process of Continuous Delivery to treat ‘interoperability with other parts of the software supply chain’ and ‘interoperability with other parts of the software supply chain in a secure and congruent manner’ as two separate concerns.

@mjmckay
Contributor

mjmckay commented Feb 1, 2022

I volunteer to be the TOC Sponsor for this SIG.

@fdegir
Member Author

fdegir commented Feb 1, 2022

> I volunteer to be the TOC Sponsor for this SIG.

Thanks for sponsoring the SIG @mjmckay. The proposal is updated.

@mgreau

mgreau commented Feb 3, 2022

Hi @fdegir

I am interested in contributing to this SIG Software Supply Chain. Let me know how it works.

Thanks

@fdegir
Member Author

fdegir commented Feb 3, 2022

Thanks for your interest @mgreau. The SIG will need to be voted on by the CDF TOC first, which should happen soon, and then we need to sort out the logistics (e.g. maillist, slack) if/when the SIG is approved by the TOC.

We will share updates on this PR so please keep an eye on it. In the meantime, I can add you as a member if you like. Please let me know.

@mgreau

mgreau commented Feb 3, 2022

Thanks for the clarification.

Yes, please add me.

@majinghe

majinghe commented Feb 3, 2022

Hi @fdegir

I am also interested in the SIG and want to be one of the contributors; I will promote ideas and practice about Software Supply Chain Security in China. Looking forward to the good news from the TOC side.

@todaywasawesome
Contributor

+1 non-binding

Co-authored-by: Dan Garfield <dan@codefresh.io>
@fdegir
Member Author

fdegir commented Feb 8, 2022

The proposal is up for vote by CDF TOC on cdf-toc maillist. Thanks @oleg-nenashev for starting the vote.

https://lists.cd.foundation/g/cdf-toc/topic/88911382

/cc @cdfoundation/toc

@lmilbaum

@fdegir QQ Would it make sense to squash the commits?

@fdegir
Member Author

fdegir commented Feb 17, 2022

> @fdegir QQ Would it make sense to squash the commits?

Yes!
I was waiting to see if there were any further comments, but given that we didn't receive any additional comments in the TOC meeting or here, I think we can think of squashing and submitting later today.

Member

@oleg-nenashev oleg-nenashev left a comment

The request was voted on in the mailing list and then approved at the Feb 15 governance meeting. I will proceed with the merge https://lists.cd.foundation/g/cdf-toc/topic/88911382#775

@oleg-nenashev oleg-nenashev merged commit f41c0ea into cdfoundation:master Feb 17, 2022
9 participants