tag-security
[Suggestion] Supply Chain Security feedback
Description: from twitter: https://twitter.com/clintgibler/status/1398046293340037121?s=19
- The paper lists assurance/risk for each task. Would that be useful to add to the checklist?
- [ ] Map assurance levels to the checklist we provided
-------original-----
- The paper includes a number useful references with more info. Would it be possible to make the guidance even more actionable / easy to follow? e.g.
- Template repos, scripts, ...
Impact: The paper is great, I'm just trying to think about it from a busy dev or sec engr perspective:
OK I'm super busy and don't have time to look up much stuff, can you just give me the relevant code snippets/packages/settings/etc and I can get 80% there in a few days?
Scope: "not yet determined" CC: @jonmuk
Additional info:
- Reference to supporting material
- Links to related site
- Feel free to delete this section if you don't have more info
Thanks @TheFoxAtWork! I've got a few things currently on my plate, but hopefully over the next few months, or at latest a quarter or two, I should have more detailed feedback, or at least things I would find super helpful.
Thank you everyone for the awesome work! 🙏 🎉
This is useful feedback.
There are a number of planned companion resources to the paper. Of those companion resources, the first already published is the secure supply chain assessment document.
The end goal of the workgroup behind the paper is to produce a framework of reusable common tools and templates. We've given plenty of consideration to discoverability and accessibility: one binary for all the assets and likely a github.io page to interactively navigate the different resources.
Reference architecture issue: https://github.com/cncf/tag-security/issues/679
Updating description to focus on assurance alignment in the checklist
This issue has been automatically marked as inactive because it has not had recent activity.
@anvega are there other items to be done to close this out or bring up at a weekly meeting to determine appetite for completion?
This issue has been automatically marked as inactive because it has not had recent activity.
@TheFoxAtWork I would like to contribute to this issue and come up with actionable guidelines, relevant links for busy devs to make the checklist more robust. Please let me know how to proceed as this will be my first PR for this group.
@anandg112 We have been working on #679, a first draft of which is now getting finalized. See WG notes: https://docs.google.com/document/d/1MTM782nluFl4_ybG-fXHmRT2k4bPN18ifdzpUltQQCw/edit#heading=h.1tv8gumsrtbf
We will be looking for feedback soon on the draft. As far as next steps, we are still discussing those in the Thursday WG meetings which if you're interested we would love additional contribution to.
This issue has been automatically marked as inactive because it has not had recent activity.
Several things here either slipped or fell out of scope. Worth revisiting if and when the best practices paper gets a second edition. Closing the issue for now.