Supply chain secure software factory reference architecture (Supply Chain Working Group) #679
Comments
Next steps for this issue is nomination of project leads as well as presenting this at a TAG meeting. Tagging relevant members who may be interested in discussions/project leading.
Thanks Brandon, I’m in!
I see the next architecture stage as pivotal in the success of this work.
There is a lot of work out there already but I have yet to see a
consolidated end to end architecture. I’d be happy to throw out initial
thoughts on it
On Tue, 1 Jun 2021 at 21:46, Brandon Lum ***@***.***> wrote:
Next steps for this issue is nomination of project leads as well as
presenting this at a TAG meeting.
Tagging relevant members who may be interested in discussions/project
leading.
@jonmuk <https://github.com/jonmuk> @dlorenc <https://github.com/dlorenc>
@lhinds <https://github.com/lhinds> @bobcallaway
<https://github.com/bobcallaway>
--
Best Regards
Jon
Does this consider #671?
It should be considered! This came out of a separate set of discussions from the implementors (some of which are not part of the original paper group). I do agree that this is a natural continuation of the supply chain working group.
Hi @lumjjb, as discussed, adding myself here as I'd be interested in helping out on this too.
Hi @lumjjb -- I've been working on tekton chains & sigstore recently and would be interested in helping out as well!
@lumjjb I’m happy to assist as well.
@lumjjb Me too!
@lumjjb please keep me in the loop too.
This is a grand ambitious goal but well worth it. As it's been pointed out, the supply chain workgroup did contemplate for this work to be the follow on to the white paper. There is a considerable amount of work necessary in order to realize this and we'll need to come up with the right architecture and strategy to get the work done, in addition to all the help that we can get.
Let's discuss this during Friday's supply chain wg meeting, since there's already ongoing discussions there around this. This will be posted in this slack channel https://cloud-native.slack.com/archives/C01KL0B4LKC
I am working on a few technologies in this area and happy to help as well.
When do you meet and how to join the call? I tried joining the Supply Chain WG zoom meeting with no luck.
@laurentsimon Sorry there was a hiccup with the calendar, the "correct" zoom link was in the slack channel. But we will share the meeting notes about this in a bit. @anvega is going to send out a doodle poll to find a better time for everyone to help define the scope of the reference architecture and the project management aspects (meeting cadences, SW mgmt, GH project board, etc.).
The CNCF calendar has also been updated with the correct Zoom meeting.
I would like to contribute to the Architecture Effort for Supply chain security
Attended today's TAG-Security Supply Chain WG, thank you, I do appreciate all the work I see being done so far, and I would also like to contribute.
This issue needs to be updated with a timeline, corresponding milestone deliverables, and list ALL the contributors thus far. This needs updated before KubeCon+CloudNativeCon.
Communications/Meetings for this issue
A group meets up to discuss this issue as part of the Supply Chain Working Group. To keep in the loop of conversations, please join the slack channel: https://cloud-native.slack.com/archives/C01KL0B4LKC
Description:
Create a working group around an effort to create a reference architecture (backed by an open source implementation) of a Secure Software Factory (SSF) as highlighted in the supply chain paper.
Context: This is a continued effort from the original supply chain working group's work with the Supply Chain Paper. There are various discussions ongoing related to this in #625, #501, #600, Zero-Trust Supply Chains - Google Docs
Impact:
This working group will provide a common place for implementors of different communities (SPIRE, in-toto, tekton, sigstore, etc.) to work towards a similar goal of SSF. There are multiple efforts ongoing related to this, and this will help consolidate certain work streams.
Scope:
The scope of this includes architecture discussions and implementation efforts across various communities. The artifact produced from this should be a document laying out the reference architecture of an SSF with an appendix with implementation pointers and examples.
The target audience for this working group is implementors of SSF and contributing members of the underlying SSF components.
Proposed Schedule
Q4 2020
Q1 2021
Q2 2021
Contributing
To contribute, please refer to the "Contributing" section of the reference architecture document.
Contributors