alpha-omega
Our mission is to catalyze sustainable improvements to critical open source software projects and ecosystems.
to be implemented - needs base.py requirements and use cases _Originally posted by @Cyber-JiuJiteria in https://github.com/ossf/alpha-omega/pull/31#discussion_r1039893486_
to be implemented - needed BasePolicy requirements for implementation of use case(s) _Originally posted by @Cyber-JiuJiteria in https://github.com/ossf/alpha-omega/pull/31#discussion_r1039870765_
Another instance where designing generically will help with backwards capability and future tooling _Originally posted by @Cyber-JiuJiteria in https://github.com/ossf/alpha-omega/pull/31#discussion_r1039819589_
For Omega, we're targeting the top 10,000 projects, using tooling (Omega Analysis Toolchain, etc.) and triage. We need to provide some evidence that work was completed, both for internal tracking...
We should dive deep into GUAC to see what kind of alignment makes sense. Some options: * We can emit assertions into GUAC (Neo4J). * We can run policies via...
We should have a catchy name for the assertion work. Any ideas? * Assurance Assertions -- Pretty bad * Project Verde -- I was thinking GUAC, SLSA, "Salsa Verde"? *...
Source code limits this to docker by design, yet the variable `--toolchain-container` implies a generic container. There could be a point where docker containers are not an option for consumers,...
There should be a more generic method to execute all assertions and map it to their relative key,value pair via a .yaml or .json file. This could prevent updating or...
We should use `set -e` as a best practice for good scripts. Unless, of course, we decide that the tool runner shouldn't be a giant shell script.
We're currently testing on Linux, and there are a couple places where I'm sure I've made assumptions about things like path separators. We should test everything on Windows and make...