Proposal for establishing the SIG Security
Based on the discussion from https://github.com/open-telemetry/opentelemetry-collector-releases/pull/207, I would like to propose the creation of the SIG Security. The SIG would be responsible for establishing the patterns to be adopted by other SIGs and repositories, as well as serve as a go-to place for security inquiries.
Initially, the SIG would have @cpanato and me, and we are open to having anyone else who'd want to join us.
This would NOT be a security response team (although we can kick off a discussion around that if needed).
@reyang volunteered to be a sponsor for this proposal.
Yup 👍
thanks for the trust and +1
+1 on this initiative!
It would be great if the security of our GitHub actions/workflows/automations/secrets and repo settings could be covered there as well. Only if they are solid can signed binaries like the ones produced by https://github.com/open-telemetry/opentelemetry-collector-releases/pull/207 actually be considered trustworthy.
definitely we can work on those things as well
@jpkrohling consider borrowing from the PR description in https://github.com/open-telemetry/opentelemetry-specification/issues/3112.
I had too many things on my plate and couldn't follow up. I'll likely be able to give more attention to this and make a formal proposal for this SIG following @reyang's suggestion.
I'm willing to help out @jpkrohling
I created a draft issue @cpanato @jpkrohling
https://github.com/open-telemetry/community/issues/1454
The SIG has been there for a while now, closing.