diff --git a/10._SIG_Charter_-_Positioning.md b/10._SIG_Charter_-_Positioning.md new file mode 100644 index 0000000..9d44507 --- /dev/null +++ b/10._SIG_Charter_-_Positioning.md 
@@ -0,0 +1,103 @@ +# Positioning SIG Charter + +## Mission + +* Educate the open source community, global industry, and standards/regulatory bodies on SLSA +* Evangelize SLSA to increase adoption +* Evaluate SLSA to other frameworks, standards, or regulations +* Encourage participation to obtain diverse perspectives, further improving SLSA + +## Vision + +Obtain industry wide adoption and recognition, for public/private sectors, of SLSA as the “lingua franca” for producing software and ensuring a secure software supply chain. + +## Values + +Please see [Code of Conduct](8._Code_of_Conduct.md)for more information. + +## Strategy + +### Evaluate + +When evaluating SLSA compared to other standards/frameworks/regulations, we will aim to answer one or more of the following questions: + +* Should SLSA increase/decrease scope? +* How does SLSA work with other frameworks? +* Is there overlap in SLSA with other frameworks? +* Are there deficiencies or out of scope items in SLSA with relation to other frameworks? +* Are there use cases/personas to address that were not considered in SLSA? + +Community Members may leverage one or more of the following mediums to perform evaluations: + +* Google Doc/Spreadsheet +* GitHub Issue +* Whiteboarding Application (i.e. Mural, etc.) + +After evaluations are performed, this SIG will take a position on its impacts for SLSA and organizations. + +### Educate/Evangelize + +Purpose of education is to highlight the benefits that can be gained by using SLSA. Additionally, positioning SIG members may highlight the current/future work, and where the community is needing help. 
When educating the open source community, global industry, and standards/regulatory bodies on SLSA, we will aim to perform one or more of the following: + +* Educate organizations on how SLSA compares to other frameworks, regulations, or standards +* Educate organizations of how to apply SLSA to their use cases +* Educate organizations on out-of-scope items for SLSA +* Educate standards/regulatory bodies on how SLSA fits or fills in deficiencies in standards/regulations, by referencing the comparative evaluations performed. +* Educate other open source communities on how to leverage SLSA to improve code quality/security via self-elected workstream or via an existing initiative (i.e. OpenSSF WG * Critical Software) + +Community Members may leverage one or more of the following mediums: + +* SLSA Blog (see Contribution Guidelines for more info) +* SLSA Slack Channels (see Contributor Covenant Code of Conduct) +* SLSA/OpenSSF/Community Meetings +* OpenSSF/Linux Foundation Slack/Social Media accounts (See Respective Contributions Guidelines) +* Personal Social Media accounts (i.e. LinkedIn, Twitter, etc.) +* Conferences (i.e. Presentations, Lightning talks, Hallway talks, etc.) + +### Encourage + +By performing the previously stated missions, we should encourage participation from the broader community/industry to obtain diverse perspectives, which will in turn improve SLSA. 
By encouraging participation with diverse perspectives, it may help us with: + +* Identifying new use cases +* Identifying new personas +* Identifying opportunities for SLSA expansion +* Identifying opportunities for shifting SLSA strategy/scope +* Enabling additional OpenSSF participation +* Improving security of our open source communities/industry + +## Operating Goals + +The following are our short term/long term goals: + +Short Term + +* Evaluate SLSA in relation to NIST SSDF, NIST SP800-161r1, SBOM, EO14028, CNCF +* Educate community on findings +* Evangelize how SLSA fits/overlaps/fills in gaps of these frameworks +* Encourage additional participation for current & future evaluations + +Longer Term + +* Evaluate SLSA with more of NIST portfolio (i.e. NIST 800-53r5), CISA Common Criteria, CIS Benchmark for Supply Chain Security, CD Foundation, and emerging ex-US standards and regulations. +* Provide SLSA Specification feedback to improve use cases, personas, applicability, and trustworthiness. + +## Leadership / Accountability + +SIG leaders will drive weekly sessions to execute towards our goals, by performing the items below. + +Bi-weekly positioning SIG meeting with all members. The goal of this meeting is to discuss: + +* Roadmap/Vision +* Status Updates +* Enabling a forum for new ideas + +Bi-weekly Working session with subset of members (any and all are available to join). The goal of this meeting is to discuss: + +* Tactical approaches for completing work +* Actively work on ideas/goals +* Brainstorming on a particular goal/mission. + +For additional accountability, positioning SIG Leaders will present our current efforts in the following forums: + +* Bi-weekly SLSA meeting +* Bi-weekly Supply Chain Integrity Working Group meeting diff --git a/11._SIG_Charter_-_Tooling.md b/11._SIG_Charter_-_Tooling.md new file mode 100644 index 0000000..1d39f60 --- /dev/null +++ b/11._SIG_Charter_-_Tooling.md 
@@ -0,0 +1,7 @@ +# Tooling SIG Charter + +Not yet written. In the meantime, see [SLSA SIGs Proposal](https://docs.google.com/document/d/1L1gEJMBIvE0IbpFi23FOUByDYlItSYPPJmKdhvJQYsg/edit#heading=h.1hce59kd4nn0) for more information. + +* Mission: tools, services, and documentation make SLSA readily adoptable. +* Immediate work: builders and generators, policy model +* Longer range: distribution, discovery and policy integration diff --git a/5._Governance.md b/5._Governance.md index bc40e9e..ca76de9 100644 --- a/5._Governance.md +++ b/5._Governance.md 
@@ -47,6 +47,8 @@ The Steering Committee may add additional Steering Committee Members as it deems After discussion with the nominees for a vacant seat, the Steering Committee will select the new Steering Committee Members from the group of nominees taking into account such things as the nominees’ willingness to take on the role, skills, and level of participation as well as the need to maintain a balanced perspective on the Steering Committee (e.g., no more than two people from the same group of related companies should be on the Steering Committee). A Steering Committee Member nominee may not deliberate or vote on their own appointment. +**1.6. Special Interest Group Members.** The SLSA project has entered a phase where there is known work to be accomplish which requires focused collaboration. The community meeting has grown to a large number of participants with mixed agendas: learning, knowledge sharing, contributing, and so on. We established focus groups, or SIGs, as a formal mechanism to promote focused collaboration amongst a subset of the broader SLSA community. Each SIG will have leads and may determine their own meeting cadence and charters as approved by the Steering Committee Members. For more information, please see [Specification](9._SIG_Charter_-_Specification.md), [Positioning](10._SIG_Charter_-_Positioning.md), or [Tooling](11._SIG_Charter_-_Tooling.md) Charters. + ## 2. Decision Making. **2.1. Consensus-Based Decision Making.** The Project makes decisions through a consensus process ("Approval" or "Approved"). While the agreement of all applicable Participants is preferred, it is not required for consensus. Rather, the Maintainers or Steering Committee (as applicable) will determine consensus based on their good faith consideration of a number of factors, including the dominant view of the applicable Project Participants and nature of support and objections. 
The Maintainers or Steering Committee (as applicable) will document evidence of consensus in accordance with these requirements. diff --git a/8._Code_of_Conduct.md b/8._Code_of_Conduct.md index 9aee20b..a51c096 100644 --- a/8._Code_of_Conduct.md +++ b/8._Code_of_Conduct.md @@ -79,3 +79,11 @@ Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcem For answers to common questions about this code of conduct, see the FAQ at https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations. + +## Reporting Violations + +To report instance(s) of unacceptable behavior, please contact: + +* [Joshua Lock](https://github.com/joshuagl) - VMware +* [Melba Lopez](https://github.com/melba-lopez) - IBM +* Or any [Steering Committee Member](README.md#steering-committee) \ No newline at end of file diff --git a/9._SIG_Charter_-_Specification.md b/9._SIG_Charter_-_Specification.md new file mode 100644 index 0000000..09df4b4 --- /dev/null +++ b/9._SIG_Charter_-_Specification.md @@ -0,0 +1,7 @@ +# Specification SIG Charter + +Not yet written. In the meantime, see [SLSA SIGs Proposal](https://docs.google.com/document/d/1L1gEJMBIvE0IbpFi23FOUByDYlItSYPPJmKdhvJQYsg/edit#heading=h.1hce59kd4nn0) for more information. + +* Specification: SLSA is stable, practical, and useful for reducing risk—with a healthy surrounding community. +* Immediate work: getting to 1.0 +* Longer range: extending SLSA (including to vulnerability management) diff --git a/Readme.md b/Readme.md index b888ef0..65d354e 100644 --- a/Readme.md +++ b/Readme.md 
@@ -22,3 +22,27 @@ To contact the steering committee: - On GitHub: `@slsa-framework/slsa-steering-committee` - Via email: slsa-steering-committee@googlegroups.com + +## Special Interest Groups +If you would like to participate in a SIG, come join a meeting or reach out directly via slack/email (see information below)! + +[Specification](9._SIG_Charter_-_Specification.md) +- [Mark Lodato](https://github.com/MarkLodato) - Google +- [Joshua Lock](https://github.com/joshuagl) - VMware +- Via slack: [#slsa-specification](https://openssf.slack.com/archives/C03NUSAPKC6) +- Via email: slsa-steering-committee@googlegroups.com +- [SLSA Specification Meeting Information](https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj) + +[Tooling](11._SIG_Charter_-_Tooling.md) +- [Mike Lieberman](https://github.com/mlieberman85) - Kusari/CNCF +- [Eric Tice](https://github.com/erictice) - Wipro +- Via slack: [#slsa-tooling](https://openssf.slack.com/archives/C03PDLFET5W) +- Via email: slsa-tooling@googlegroups.com +- [SLSA Tooling Meeting Information](https://docs.google.com/document/d/15Xp8-0Ff_BPg_LMKr1RIKtwAavXGdrgb1BoX4Cl2bE4/edit#heading=h.yfiy9b23vayj) + +[Positioning](10._SIG_Charter_-_Positioning.md) +- [Melba Lopez](https://github.com/melba-lopez) - IBM +- [Bruno Domingues](https://github.com/brunodom) - Intel +- Via slack: [#slsa-positioning](https://openssf.slack.com/archives/C03NSDSQJ92) +- Via email: slsa-positioning@googlegroups.com +- [SLSA Positioning Meeting Information](https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj)
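Review bot: in the new `10._SIG_Charter_-_Positioning.md`, the Leadership section opens with "SIG leaders will drive weekly sessions" but both meetings that follow are described as bi-weekly; either state that the two bi-weekly meetings alternate to give a weekly cadence or change "weekly" to "bi-weekly". Smaller fixes in the same file: "Evaluate SLSA to other frameworks" should read "Evaluate SLSA against other frameworks"; "[Code of Conduct](8._Code_of_Conduct.md)for more information" is missing a space before "for"; the bullet ending "(i.e. OpenSSF WG * Critical Software)" contains a stray asterisk; and the "i.e." in the example lists ("i.e. Mural, etc.", "i.e. LinkedIn, Twitter, etc.", "i.e. Presentations, Lightning talks, ...") should be "e.g.", since these are examples rather than definitions. In Operating Goals, "CNCF" is listed alongside standards and regulations although it is an organization; name the specific CNCF document intended. "CISA Common Criteria" should also be checked: Common Criteria is the ISO/IEC 15408 evaluation standard, not a CISA publication.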
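Review bot: `11._SIG_Charter_-_Tooling.md` is a placeholder whose only substantive reference is an editable Google Doc link (`/edit#heading=...`); link a view-only or published copy, or open a tracking issue for the charter, so the repository's description of the SIG's scope does not depend on document sharing permissions. The first bullet is labelled "Mission:" here but the equivalent bullet in the Specification charter is labelled "Specification:"; align the two files so both read "Mission:".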
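Review bot: in the new section 1.6 of `5._Governance.md`, "known work to be accomplish" should read "known work to be accomplished", and "focus groups, or SIGs" conflicts with the section title "Special Interest Group Members"; write "Special Interest Groups (SIGs)" so the acronym is expanded consistently. The paragraph says each SIG "will have leads" but, unlike the surrounding text on selecting Steering Committee Members, it does not say how leads are appointed or replaced; one sentence on that (for example, approval by the Steering Committee, which the paragraph already invokes for charters and cadence) would close the gap.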
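Review bot: the new "Reporting Violations" section in `8._Code_of_Conduct.md` links to `README.md#steering-committee`, but the file in this repository is `Readme.md` (see the `diff --git a/Readme.md b/Readme.md` header later in the patch); the link will break on GitHub and other case-sensitive hosts, so match the actual filename. The hunk also ends with "\ No newline at end of file"; add the trailing newline. Since the reporting path names two individuals, consider adding a contact alias that survives personnel changes, and state how reports are handled (who sees them and that they are kept confidential), so reporters know what to expect.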
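Review bot: `9._SIG_Charter_-_Specification.md` labels its first bullet "Specification:" although the sentence it carries ("SLSA is stable, practical, and useful for reducing risk...") is the SIG's mission; relabel it "Mission:" to match the Tooling charter. As with Tooling, the only reference is an editable Google Doc link; prefer a view link or a tracking issue. "Immediate work: getting to 1.0" would be more useful with a link to wherever that work is tracked, so readers can see progress without asking in Slack.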
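Review bot: in the new "Special Interest Groups" section of `Readme.md`, the Specification SIG's email contact is `slsa-steering-committee@googlegroups.com`, the same address listed for the steering committee just above, while Tooling and Positioning each have their own list (`slsa-tooling@googlegroups.com`, `slsa-positioning@googlegroups.com`); confirm whether Specification has a dedicated list or state explicitly that it shares the steering committee list. The people listed under each SIG are presumably its leads, but the section never says so; add "Leads:" or similar, since the list headings are just the charter links. Formatting: insert a blank line after the "## Special Interest Groups" heading, and consider making the three SIG names sub-headings rather than bare links followed by bullet lists.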