Apply for SLSA graduation #415
Conversation
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
### Security Baseline

The project meets all applicable Security Baseline requirements:
Do these requirements need to be applied to our demos and reference implementations?
This is something that I think we should clarify. I think in SLSA's case it's the spec and the SLSA GitHub generator.
I'd say that the SLSA Jenkins generator is another tool that needs to be included, if only for the relatively wide use of Jenkins.
This application merely refers to the SLSA specification work, the rest is currently in a different project: SLSA Tooling project. The separation dates from when the SLSA spec group was a SIG and it may actually make sense to regroup these into a single project moving forward but I'd rather not delay getting this application processed so let's keep them separated for now.
Just 2 minor comments - looking forward to seeing this pull request come out of draft!
* https://github.com/slsa-framework/governance
Have a defined and documented roadmap and annual goals for the project
* https://github.com/slsa-framework/slsa/projects?query=is%3Aopen
At first I was skeptical, but this is actually not a bad way to indicate the high-level workstreams a TI is undertaking, especially for a larger project like SLSA!
I think one could argue that we are missing specific target dates. We are aiming for SLSA 1.1 to be out by the end of the year, but this isn't captured here; otherwise I think it's a pretty good view of what's going on.
Should it be captured here just to meet the metric? The case is strong for graduated status, but we do want to make sure the "I"s are dotted, and "T"s are crossed.
One way we might track our roadmap is by using GitHub milestones, as we've done in the past. These specifically allow us to set due dates, and to associate specific issues and PRs with a milestone to track progress.
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
Review and select the box for Security Baseline. Must be able to show that it meets the security baseline requirements (could document and link in the PR). Also, the full list of URLs in the table is missing.
Otherwise, all the information prior to that part looks great!
@lehors I assume we'll revisit this after v1.1 is released?
I'm planning to make the new upcoming Steering Committee responsible for following up on this. :-)
We now have the new steering committee: @mlieberman85 Just pinging the new steering committee to be aware of this proposal
So it looks like the big blocker is the Security Baseline and that there's general agreement that most of those things don't apply here because we're just talking about the spec, which isn't actual shipped software. Is that correct? Do we just put together some markdown that lists "N/A" for a lot of those things?
This is an application to recognize the SLSA project (which covers the specification work) as a Graduated project.