Transfer image-attestation demo to slsa-framework org

[chkimes]

The workstream for HW Attested Build Environments has been building a POC in a repo under my user account: https://github.com/chkimes/image-attestation. We would like to move this under the SLSA framework GitHub org to more accurately reflect the shared ownership of the POC implementation.

cc @paveliak @marcelamelara

[marcelamelara]

CC @slsa-framework/slsa-steering-committee @slsa-framework/specification-maintainers

[lehors]

I think that's great and I'm supportive of this move. However I'm afraid this raises some question of IP transfer that may require proper clearance involving the OpenSSF staff.
Maybe one way around it would be to create a new repo within the SLSA github org and make a first PR with the content of this repo to get it up to par, but I think this would mean that you become responsible for the IP contribution and its origins. I'm not a lawyer though so don't take this to the bank. :-)

[marcelamelara]

Pinging @Naomi-Wash for the question about IP transfer here.

[chkimes]

Is there still an IP concern even if the repo has an MIT license?

[lehors]

Unfortunately the license is necessary but not quite sufficient. You can see what kind of things OpenSSF looks at when importing projects in the just posted bomctl report.

[Naomi-Wash]

Hello everyone - we're following up with the LF IP manager and hope to have some guidance for you this week. (cc @riaankleinhans)

[marcelamelara]

@Naomi-Wash @riaankleinhans Has there been an update from the LF IP manager on this transfer?

[Naomi-Wash]

@marcelamelara we didn't see any concerns, but legal is double-checking just in case. Sorry for the delay. Hoping to have this wrapped up by EOW.

[marcelamelara]

Great, thank you @Naomi-Wash !

[Naomi-Wash]

Hello everyone, please forgive the delay on this. I heard back from legal and this is their advice.

@chkimes please check this project into a SLSA repository. It looks like any other contribution and should go through the same process. You can do a PR for this entire repo into the SLSA org.

Sorry again for the delay!

[marcelamelara]

Hi @Naomi-Wash, thanks so much for the update!

[chkimes]

Could someone create an image-attestation repo that I can contribute this to? I don't have permissions to create repos under slsa-framework.

[mlieberman85]

@chkimes there's two simple options here:

1. Transfer ownership of your image-attestation repo to slsa-framework.
2. We can fork your repo.

[chkimes]

https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository#about-repository-transfers

To transfer a repository that you own to an organization, you must have permission to create a repository in the target organization.

I can't transfer without permissions to create repos. The forking route can work, or I can create a PR to an empty repo that someone else creates in the org.

[marcelamelara]

@chkimes It looks like I have permission to create a new repo, I'll go do that now.

[marcelamelara]

@chkimes Can you please open a PR at https://github.com/slsa-framework/attested-build-environments-demo

[chkimes]

@marcelamelara can you push a commit with git commit --allow-empty -m "Initial commit"? I can't fork anything if there's nothing to fork from.

[marcelamelara]

@chkimes done!