SLSA Blog

Open MarkLodato opened this issue 2 years ago • 43 comments

I suggest that we create a SLSA Blog. The posts would be presented as opinions of the author, not necessarily of the SLSA project. Benefits:

  • To give a steady update on activity to interested parties. Often work goes on behind the scenes or in detailed discussions, so it is difficult to see that progress is being made. A blog post can help communicate that progress at a higher level.
  • To allow contributors to describe ideas and current thinking without requiring full community agreement or fully fleshing everything out. We can relate things that are currently in the minds of contributors but that we haven't had time to fully implement.
    • Example: Current thinking on how policy would work. This is a topic I have discussed with many people, but I haven't had time to really write it down formally or get full agreement from the community. But I could describe how I think it might work, which at least gives readers some notion of where SLSA might be headed.
  • To allow us to post "informational" documentation that we don't necessarily want to maintain or make official. Other projects use "informational" proposals for this process (PEP, TAP) - see https://github.com/slsa-framework/slsa/issues/296#issuecomment-1040339334. But in my opinion, that is an abuse of the notion of a "proposal." A blog post is a better medium for such content.

Thoughts?

MarkLodato avatar Mar 04 '22 14:03 MarkLodato

I like the idea. Most projects that I know of use Medium to make it easy.

kimsterv avatar Mar 04 '22 14:03 kimsterv

Great idea, demonstrating the liveliness of the project to folks not attending the community meetings and providing a space to share ideas both seem like good uses of a blog.

joshuagl avatar Mar 04 '22 14:03 joshuagl

What should the process be for approving posts? Just have one other committee member verify that it's not spam?

I'm happy to set it up on Medium.

TomHennen avatar Mar 17 '22 15:03 TomHennen

Ok, I'm going to try to set up a Medium 'Publication' for SLSA. Then we can have slsa.dev/blog redirect there somehow.

Someone let me know if they have a better idea.

[edit] Turns out you need a Medium subscription to make a Publication. No idea how we'd handle the billing for that in the SLSA org...

TomHennen avatar Mar 17 '22 17:03 TomHennen

I've found a point of contact at the Linux Foundation that should be able to help figure out the payment options. Will follow up with results.

TomHennen avatar Mar 17 '22 19:03 TomHennen

What should the process be for approving posts? Just have one other committee member verify that it's not spam?

I think keeping it simple and easy is best. One other committee member and lazy consensus (after say 2 working days?) sgtm. If this doesn't work, we can always revisit of course.

kimsterv avatar Mar 17 '22 19:03 kimsterv

👋🏻 qq, is Medium a strong want here? I ask because another project I work with has historically had several challenges managing its blog on Medium. It's great for the social/share component, and the UI for writers is great, but we find for a variety of reasons it's hard to keep it updated (access control/permissions management, collaborating on drafts, people who don't have Medium accounts & want to contribute, etc. etc.). If it's all the same to y'all, hosting a blog via GH tends to be more successful long term.

jorydotcom avatar Mar 17 '22 22:03 jorydotcom

I'd prefer GitHub too, it feels like that would be easier for review?

I'm on-board with lazy consensus, but worry that two days might be too short? Perhaps it's enough for folks to indicate their intent/desire to review within two days?

joshuagl avatar Mar 18 '22 11:03 joshuagl

I also prefer GitHub, but it is a bit more work to set up and I'm not the one doing it. Medium does have nice commenting, which GitHub wouldn't have by default. I'm OK either way.

To set it up on GitHub, I believe this involves:

  • Adding a link to docs/_data/nav.yml (we'll need this either way)
  • Configuring docs/_config.yml to put posts under /blog/ or whatever.
  • Creating a post layout.
  • Creating a page that lists all of the posts.

If we instead want the blog on a subdomain, I think we'd need to create a new git repo and set up Jekyll there, including the theme, and link to it from the main SLSA website.

MarkLodato avatar Mar 18 '22 12:03 MarkLodato
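As an added illustration of the second and third items in the list above (not the SLSA repository's own configuration), this is a minimal Jekyll `_config.yml` fragment that places posts under `/blog/` and applies a shared `post` layout to everything in `_posts/`. It assumes the site is a standard Jekyll site with a `docs/_layouts/post.html` layout file; the permalink pattern is an example choice.

```yaml
# Added example, not the SLSA project's actual docs/_config.yml.
# Jekyll picks up Markdown files in _posts/ automatically; these keys only
# control the URL each post gets and the layout it is rendered with.

# Every post URL becomes /blog/YYYY/MM/DD/<slug>/ (example pattern).
permalink: /blog/:year/:month/:day/:title/

# Apply the "post" layout to all posts without repeating it in each
# file's front matter. Assumes docs/_layouts/post.html exists.
defaults:
  - scope:
      path: ""
      type: "posts"
    values:
      layout: "post"
```

A listing page for the blog index can then iterate over `site.posts` in Liquid; the nav entry in `docs/_data/nav.yml` just needs to point at that page's URL.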

I believe @jorydotcom is volunteering to set it up for us.

Also I think I'd prefer not having comments since it's just another thing to moderate. If people really want to comment they can use Twitter or file GH issues? I don't feel that strongly about this though.

TomHennen avatar Mar 18 '22 13:03 TomHennen

@MarkLodato @TomHennen happy to do the setup whichever route y'all go. And great question whether you want the blog to sit with your existing site or spin it up on a subdomain. Probably keeping it with the existing repo would be faster, so we don't have to track down whoever has access to the DNS and mess with that. Also one less repo to maintain.

jorydotcom avatar Mar 18 '22 13:03 jorydotcom

Great! I'm ok with /blog/. Any objections?

MarkLodato avatar Mar 18 '22 13:03 MarkLodato

I like /blog/

joshuagl avatar Mar 18 '22 14:03 joshuagl

Yes +1 to same site and /blog/

inferno-chromium avatar Mar 18 '22 15:03 inferno-chromium

blog.slsa.dev redirect to /blog/

konstruktoid avatar Mar 18 '22 17:03 konstruktoid

It's been a few days and there have been no objections to a github-driven blog, that lives with the SLSA site - I think it's safe to get started on this this week! Will plan to have something for you to review Monday.

jorydotcom avatar Mar 22 '22 16:03 jorydotcom

Great, thanks Jory!

TomHennen avatar Mar 22 '22 16:03 TomHennen

Thank you!

kimsterv avatar Mar 22 '22 17:03 kimsterv

@jorydotcom @kimsterv When this issue was discussed on a WG call a while ago I suggested that before a post gets published a heads-up be given to the WG so that people have a chance to have a look. I was surprised by the announcement of the new post made on the call last week. Where does one get to see what's coming up? Thanks.

lehors avatar Apr 18 '22 07:04 lehors

Hey, I saw the post through PR #354. Are you subscribed to GitHub notifications for the repo? I can also encourage folks to post a link in Slack for upcoming blog posts too.

kimsterv avatar Apr 18 '22 16:04 kimsterv

@lehors - every blog post is reviewed by members of the @slsa-framework/slsa-steering-committee. We want to keep this process lightweight, so the way it happens is an interested community member uploads the blog post in the form of a PR and we add the steering committee as reviewer to review it in the next couple of days before it gets merged. As @kimsterv said, we can do an additional notification on the supply chain WG Slack channel from now on as well. You can get more actively involved by joining the SLSA steering committee as well, so please attend the SLSA biweekly meeting to discuss more.

inferno-chromium avatar Apr 18 '22 16:04 inferno-chromium

@jorydotcom @kimsterv When this issue was discussed on a WG call a while ago I suggested that before a post gets published a heads-up be given to the WG so that people have a chance to have a look. I was surprised by the announcement of the new post made on the call last week. Where does one get to see what's coming up? Thanks.

This seems quite heavyweight to me. I agree if the blog is going to be on the official OpenSSF announcements blog there should be oversight, but I worry about projects not having some autonomy to communicate with their community.

mlieberman85 avatar Apr 18 '22 17:04 mlieberman85

Hey, I saw the post through PR #354. Are you subscribed to GitHub notifications for the repo? I can also encourage folks to post a link in Slack for upcoming blog posts too.

Sounds good. Thanks!

lehors avatar Apr 19 '22 05:04 lehors

@lehors - every blog post is reviewed by members of the @slsa-framework/slsa-steering-committee. We want to keep this process lightweight, so the way it happens is an interested community member uploads the blog post in the form of a PR and we add the steering committee as reviewer to review it in the next couple of days before it gets merged. As @kimsterv said, we can do an additional notification on the supply chain WG Slack channel from now on as well. You can get more actively involved by joining the SLSA steering committee as well, so please attend the SLSA biweekly meeting to discuss more.

Thanks @inferno-chromium. This is actually the first time I've seen an active reference to a "steering committee". The discussions around the OpenSSF governance have been leaning towards forgoing such entities until the organization is so big that this kind of additional structure is deemed necessary. I'm interested to know whether something is being overlooked. Is there a description somewhere of what this steering committee is in charge of? Thank you. cc @AevaOnline

lehors avatar Apr 19 '22 06:04 lehors

@jorydotcom @kimsterv When this issue was discussed on a WG call a while ago I suggested that before a post gets published a heads-up be given to the WG so that people have a chance to have a look. I was surprised by the announcement of the new post made on the call last week. Where does one get to see what's coming up? Thanks.

This seems quite heavyweight to me. I agree if the blog is going to be on the official OpenSSF announcements blog there should be oversight, but I worry about projects not having some autonomy to communicate with their community.

I must admit I don't understand. Are you saying that notifying the SLSA WG of an upcoming blog post on the WG's website is heavyweight? What am I missing? @kimsterv's response satisfies my request for that matter. Thanks.

lehors avatar Apr 19 '22 06:04 lehors

Thanks @inferno-chromium. This is actually the first time I've seen an active reference to a "steering committee". The discussions around the OpenSSF governance have been leaning towards forgoing such entities until the organization is so big that this kind of additional structure is deemed necessary. I'm interested to know whether something is being overlooked. Is there a description somewhere of what this steering committee is in charge of?

The SLSA project has been led by a seven-member steering committee since shortly after inception; it's documented here in the README: https://github.com/slsa-framework/slsa#steering-committee

dlorenc avatar Apr 19 '22 09:04 dlorenc

I'd like to reconsider the format of the blog and perhaps remove it in favor of per-author blogs. I had envisioned a place for people to write about their opinions of SLSA with clear messaging that this does not represent community consensus. Consensus is expensive and time consuming, as can be seen from the two blog post PRs so far (#354 and #376). In both of these cases, the review was much more heavyweight than I would have expected.

Of course each author can just write to their own random location, but then it's difficult for people to track. Maybe a lightweight feed that just links to other blog posts, with clear messaging that it's not an endorsement? Or alternatively track it via a twitter hashtag or similar? (I don't use social media so I don't know what other communities do.)

MarkLodato avatar Apr 29 '22 15:04 MarkLodato

FWIW I like the original goal as you stated it, and think it's not worth giving up on yet. It can be made clearer in the blog itself, the contribution documentation and the process for reviews.

dlorenc avatar Apr 29 '22 15:04 dlorenc

I agree. I didn't think my blog review was particularly heavyweight, and I also think it's growing pains as the group comes to a consensus around SLSA itself. I think a lot of the feedback has been useful in also informing new issues.

My only worry is if there are several layers of that review. If every blog post needs some multilevel review like maintainers -> steering committee -> broader working group, etc., it will never get done.

mlieberman85 avatar Apr 29 '22 15:04 mlieberman85

OK, let's try to make it work then. As a first step, how about we prefix each blog post with something like:

This is a guest post. All opinions are solely the author's and do not necessarily represent consensus or official position of the SLSA community or any parent organization.

MarkLodato avatar Apr 29 '22 15:04 MarkLodato