slsa Transfer image-attestation demo to slsa-framework org

The workstream for HW Attested Build Environments has been building a POC in a repo under my user account: https://github.com/chkimes/image-attestation. We would like to move this under the SLSA framework GitHub org to more accurately reflect the shared ownership of the POC implementation.

cc @paveliak @marcelamelara

Aug 13 '24 19:08 chkimes

CC @slsa-framework/slsa-steering-committee @slsa-framework/specification-maintainers

Aug 13 '24 21:08 marcelamelara

I think that's great and I'm supportive of this move. However I'm afraid this raises some question of IP transfer that may require proper clearance involving the OpenSSF staff. Maybe one way around it would be to create a new repo within the SLSA github org and make a first PR with the content of this repo to get it up to par, but I think this would mean that you become responsible for the IP contribution and its origins. I'm not a lawyer though so don't take this to the bank. :-)

Aug 14 '24 12:08 lehors

Pinging @Naomi-Wash for the question about IP transfer here.

Aug 16 '24 17:08 marcelamelara

Is there still an IP concern even if the repo has an MIT license?

Aug 16 '24 20:08 chkimes

Unfortunately the license is necessary but not quite sufficient. You can see what kind of things OpenSSF looks at when importing projects in the just posted bomctl report.

Aug 17 '24 08:08 lehors

Hello everyone - we're following up with the LF IP manager and hope to have some guidance for you this week. (cc @riaankleinhans)

Aug 19 '24 20:08 Naomi-Wash

@Naomi-Wash @riaankleinhans Has there been an update from the LF IP manager on this transfer?

Sep 20 '24 16:09 marcelamelara

@marcelamelara we didn't see any concerns, but legal is double-checking just in case. Sorry for the delay. Hoping to have this wrapped up by EOW.

Sep 23 '24 22:09 Naomi-Wash

Great, thank you @Naomi-Wash !

Sep 23 '24 22:09 marcelamelara

Hello everyone, please forgive the delay on this. I heard back from legal and this is their advice.

@chkimes please check this project into a SLSA repository. It looks like any other contribution and should go through the same process. You can do a PR for this entire repo into the SLSA org.

Sorry again for the delay!

Sep 30 '24 21:09 Naomi-Wash

Hi @Naomi-Wash, thanks so much for the update!

Sep 30 '24 22:09 marcelamelara

Could someone create an image-attestation repo that I can contribute this to? I don't have permissions to create repos under slsa-framework.

Oct 18 '24 01:10 chkimes

@chkimes there's two simple options here:

Transfer ownership of your image-attestation repo to slsa-framework.
We can fork your repo.

Oct 18 '24 04:10 mlieberman85

https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository#about-repository-transfers

To transfer a repository that you own to an organization, you must have permission to create a repository in the target organization.

I can't transfer without permissions to create repos. The forking route can work, or I can create a PR to an empty repo that someone else creates in the org.

Oct 22 '24 21:10 chkimes

@chkimes It looks like I have permission to create a new repo, I'll go do that now.

Oct 22 '24 22:10 marcelamelara

@chkimes Can you please open a PR at https://github.com/slsa-framework/attested-build-environments-demo

Oct 22 '24 22:10 marcelamelara

@marcelamelara can you push a commit with git commit --allow-empty -m "Initial commit"? I can't fork anything if there's nothing to fork from.

Nov 05 '24 00:11 chkimes

@chkimes done!

Nov 05 '24 23:11 marcelamelara