Apply for sandbox stage for project: Gemara (FKA - SCI) #479
I love to see the supporting tools starting to come in to support the Baseline! Thank you!!!
As an ORBIT TSC member, I'm in favor of this.
Also in favor of this as an ORBIT TSC member.
It's worthwhile to explain how this complements and differs from the existing work with in-toto attestation, e.g. SLSA with in-toto attestations, VSAs, etc.
+1 from me, for https://ccc.finos.org
In reading https://github.com/in-toto/in-toto?tab=readme-ov-file#in-toto--- to better understand the intent of the in-toto project, it appears that in-toto is primarily focused on the software supply chain:
And a similar quote from the SCI layer 4 section of the README:
So, broadly, if a Layer 4 evaluation is evaluating aspects of the software supply chain, like code, CI workflows, etc., I think SCI Layer 4 could complement in-toto attestation by emitting/publishing the results of the evaluation using in-toto. However, if the Layer 4 evaluation is evaluating aspects of cloud infrastructure (for example, when used by FINOS CCC) I don't see strong alignment with in-toto, in which case I'd argue that SCI is complementary to in-toto.
This is fairly minor, but note that https://github.com/ossf/wg-supply-chain-integrity often uses the abbreviation SCI.
The project is open to a rename. Comment with your great ideas!
Yep, as @trumant mentioned, this is called out in the contribution pre-work issue:
- [ ] Determine the long-term project name, as SCI may cause problems within OpenSSF due to the name conflict with its "Supply Chain Integrity Working Group"

We had one name proposal get axed already, so more are welcome.
Given the precedent I think the burden is on this group to come up with a name that doesn't conflict with the existing one. Sorry.
Moved my name suggestions to revanite-io/sci#50 in order to let the project have its own discussion before coming back to the TAC with an update.
056e03c to f542656
Love this idea, but we do need to settle the admin stuff and make sure there is no duplication of work.
I think this project is ready for sandbox stage! Thanks for helping us navigate the naming issue.
I think it would be better to use the new name throughout and have a note that it is currently named SCI rather than the other way around as it currently is so that in the future it is easy to find. This includes the filename.
Otherwise this looks good to me!
I agree with @lehors and would prefer the name change to be done before this gets merged. Otherwise in support of this application.

The project must be aligned with the OpenSSF mission and either be a novel approach for existing areas, address an unfulfilled need, or be initial code needed for OpenSSF WG work. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project.

* [SCI (Simplified Compliance Infrastructure)](https://github.com/revanite-io/sci) (current name / future name **Gemara**) is a collection of schemas describing data interchange formats for security and compliance activities and a Golang module for producing and consuming data conforming to these formats. The project's mission is to serve as a unifying, integration format between tools and applications that operate in the security and compliance space. SCI is currently used to model the catalog of compliance controls in the OSPS Baseline and in the FINOS Common Cloud Controls and is expected to be adopted by additional tools like darn/darnit, oscal-compass, etc.
Launch
**_NOTE: due to a naming collision with the existing OpenSSF Supply Chain Integrity WG, if this project is granted Sandbox phase status, it will be renamed to Gemara._**
Launch
* SCI is currently licensed under the Apache 2.0 License and requires DCO signoff from all contributors
* We will initiate this process shortly.
The ORBIT WG would like to create a new technical initiative: currently named SCI
Signed-off-by: Travis Truman <trumant@gmail.com>
Thank you for addressing the comments and sorry for the delayed approval.
Launch
I think the name change, probably done via a hasty query/replace, has left the text in a bit of an awkward state, but otherwise I have no concerns and I'm happy to approve.
Thanks for submitting the application for Gemara! I'd like to get a better sense of where the project maintainers see this project going longer-term, but I'm excited to explore further how the Gemara model will interoperate with frameworks like SLSA, in-toto, Scorecards etc.
* Gemara (current name) is a collection of schemas describing data interchange formats for security and compliance activities and a Golang module for producing and consuming data conforming to these formats. The project's mission is to serve as a unifying, integration format between tools and applications that operate in the security and compliance space. SCI is currently used to model the catalog of compliance controls in the OSPS Baseline and in the FINOS Common Cloud Controls and is expected to be adopted by additional tools like darn/darnit, oscal-tempest, etc.
Looking through the SCI/Gemara repo, it looks like not all layers have schemas implemented, and not all layers seem to follow explicit standards. Is the addition of these planned as upcoming work?
Yes, absolutely. Currently the logical model has created value around consolidating language, and there has been end-user demand for Controls and Evaluations schemas (Layers 2 & 4). The maintainer team is waiting for resolution of this contribution application to determine the roadmap in alignment with the ORBIT Working Group.
Thanks to everyone who has responded with suggestions and votes on this issue 🙇♂️ In addition to what @steiza shared on today's TAC call, Gemara is giving us the language we need to increase clarity in the ORBIT WG, which will be extremely helpful when presenting the Baseline+ORBIT keynote at OSSNA.
Approving as my question has been addressed.
Co-authored-by: Arnaud J Le Hors <lehors@us.ibm.com>
Signed-off-by: Travis Truman <trumant@gmail.com>
Looks great; thanks for working through the feedback!
LGTM. My only concern is that I'm not a fan of the name, given it shares the same name as an important component of the core religious texts of Judaism. I just don't want to inadvertently offend anyone. In addition, it could make SEO a bit harder as well (GUAC has this challenge a bit).
The ORBIT WG would like to create a new technical initiative: currently named SCI
Closes revanite-io/sci#24