Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Supply chains security Expectations vs Reality #987

Closed
lumjjb opened this issue Oct 7, 2022 · 15 comments
Closed

Supply chains security Expectations vs Reality #987

lumjjb opened this issue Oct 7, 2022 · 15 comments
Assignees
@jkjell

Comments

@lumjjb
Copy link
Contributor

lumjjb commented Oct 7, 2022
edited
Loading

Description: We ask for supply chain best practices, SLSA, SBOMs, all that information.. so as to ask the question - does my software have a secure supply chain? But is that question just a pipe dream? Or can we break it down to tangible questions that we can tackle.

Impact: Being able to provide direction on what policies we want to create will help inform the data we need to produce and inform the models of attestation in the supply chain ecosystems.

Scope: Probably a month's work collecting ideas and writing them down.

Working Doc: https://docs.google.com/document/d/1_7ZDL1TtFEA4dfR3oaaVRLoWNcqthNN5h-G84y4ITkA/edit

Additional info:

  • Reference to supporting material
  • Links to related site
  • Feel free to delete this section if you don't have more info
@lumjjb lumjjb added suggestion New suggestion for the CNCF sig-security group that don't fall into an existing category triage-required Requires triage supplychain and removed triage-required Requires triage labels Oct 7, 2022
@JustinCappos
Copy link
Collaborator

Happy to contribute here.

@Caze121
Copy link
Contributor

Caze121 commented Oct 11, 2022

Happy to contribute here as well. We are currently doing this for our organisation as with capability milestones and deliverables along the secure supply chain best practices path.

@PushkarJ
Copy link
Contributor

+1

1 similar comment
@mlieberman85
Copy link
Collaborator

+1

@spiffcs
Copy link

spiffcs commented Dec 1, 2022
edited
Loading

Happy to contribute when we find a leader or organizer for this:

Some examples of policies that came up during the meeting to gate/inform/gather data on:

  • How the artifact is built
  • Who built it
  • Who Approved it to get to x step
  • What is the quality <-- (Larger question and sub tree on what metric -- vulnerabilities, secure code, license compliance, etc)
  • Generated by which tools <-- Build provenance is also a large tree in and of itself

@nadgowdas
Copy link

+1

@jkjell
Copy link
Collaborator

jkjell commented Jan 9, 2023

I'd be glad to try and organize efforts around this. I've worked with quite a few folks in the thread in the Supply Chain Security working group.

@aks-alokraj
Copy link
Contributor

I would like to contribute here.

lumjjb added a commit that referenced this issue Feb 8, 2023
@lumjjb
Add @jkjell to permissions for leading ssc policy (#987)
9041bdc 
Signed-off-by: Brandon Lum <[email protected]>
@jkjell
Copy link
Collaborator

jkjell commented Feb 8, 2023

Project Schedule

TODO Milestone Estimated time Actual date
Audience, Goals, & broad scope 1 week
Brainstorming & Refining Scope - Table Of Contents 2 weeks
Tasking Assignment 1 week
Content Rough-in 2-3 weeks
Collaborative Review 2 weeks
Executive Summary and content wrap up 2 weeks
Narrative Voice 1-2 weeks
Final Group Review 1 week
Community Review / Public comment adjudication 2-3 weeks
CNCF publishing engagement ~2-3 weeks
Addition to the repo 1 week
Blog post and publishing coordination 2-3 weeks

lumjjb added a commit that referenced this issue Feb 12, 2023
@lumjjb @PushkarJ
Add @jkjell to permissions for leading ssc policy (#987) (#1033)
5359ce2 
Signed-off-by: Brandon Lum <[email protected]>
Co-authored-by: Pushkar Joglekar <[email protected]>
@jkjell
Copy link
Collaborator

jkjell commented Feb 13, 2023

Hello all,

On Thursday, February 16th, we're going to kick off the work for this issue during the CNCF TAG Security - Supply Chain WG meeting (11 am Eastern). The first step will be deciding on the Audience, Goals, & Broad scope. Then we will focus in on establishing the outline before distributing and working through the content sections.

If you have any questions, feel free to comment on the issue, or reach out in the CNCF Slack #tag-security-supply-chain-wg channel.

I hope you can join us!

https://github.com/cncf/tag-security/issues/987

Also sent to TAG Security email list.

@faisalrazzak
Copy link

+1

@yuji-watanabe-jp
Copy link

I would like to contribute to this topic.

paolomainardi pushed a commit to paolomainardi/tag-security that referenced this issue Feb 22, 2023
@lumjjb @PushkarJ @paolomainardi
Add @jkjell to permissions for leading ssc policy (cncf#987) (cncf#1033)
aedaa2e 
Signed-off-by: Brandon Lum <[email protected]>
Co-authored-by: Pushkar Joglekar <[email protected]>
Signed-off-by: Paolo Mainardi <[email protected]>
paolomainardi pushed a commit to paolomainardi/tag-security that referenced this issue Feb 22, 2023
@lumjjb @PushkarJ @paolomainardi
Add @jkjell to permissions for leading ssc policy (cncf#987) (cncf#1033)
429f165 
Signed-off-by: Brandon Lum <[email protected]>
Co-authored-by: Pushkar Joglekar <[email protected]>
@achetal01
Copy link
Contributor

Will like to join this initiative, interesting work

@jkjell jkjell self-assigned this Feb 25, 2023
@nishakm nishakm mentioned this issue Mar 13, 2023
Closed
@lumjjb lumjjb changed the title [Suggestion] What is a Secure Supply Chain policy? Supply chains security Expectations vs Reality Apr 4, 2023
lirantal pushed a commit to lirantal/sig-security that referenced this issue May 21, 2023
@lumjjb @PushkarJ @lirantal
Add @jkjell to permissions for leading ssc policy (cncf#987) (cncf#1033)
fd24d6f 
Signed-off-by: Brandon Lum <[email protected]>
Co-authored-by: Pushkar Joglekar <[email protected]>
@stale
Copy link

stale bot commented Jun 18, 2023

This issue has been automatically marked as inactive because it has not had recent activity.

@stale stale bot added the inactive No activity on issue/PR label Jun 18, 2023
@anvega
Copy link
Contributor

anvega commented Jun 21, 2023

This is tracked by the Supply Chain WG as regular business during their bi-weekly call. For status, see the WG meeting notes.

@anvega anvega closed this as completed Jun 21, 2023
@lumjjb lumjjb moved this to 🆕 New in Supply Chain Working Group Aug 3, 2023
@jkjell jkjell moved this from 🆕 New to 🏗 In progress in Supply Chain Working Group Aug 3, 2023
@jkjell jkjell removed the inactive No activity on issue/PR label Aug 3, 2023
@mnm678 mnm678 removed the suggestion New suggestion for the CNCF sig-security group that don't fall into an existing category label Oct 26, 2023
@mnm678 mnm678 moved this from 🏗 In progress to 👀 In review in Supply Chain Working Group Oct 26, 2023
Michael-Susu12138 pushed a commit to Michael-Susu12138/tag-security that referenced this issue Dec 12, 2023
@lumjjb @PushkarJ
Add @jkjell to permissions for leading ssc policy (cncf#987) (cncf#1033)
a9aceb1 
Signed-off-by: Brandon Lum <[email protected]>
Co-authored-by: Pushkar Joglekar <[email protected]>
@mnm678 mnm678 removed the supplychain label Sep 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jkjell jkjell

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests