Apply for SLSA graduation #415
Conversation
Signed-off-by: Arnaud J Le Hors <[email protected]>
Signed-off-by: Arnaud J Le Hors <[email protected]>
| * https://github.com/slsa-framework/slsa/blob/main/CONTRIBUTING.md#slsa-versions-management | ||
|
|
||
| Projects should harden their build systems in accordance with the SLSA Framework | ||
| * Not Applicable but we do use features such as branch protection, Dependabot, and Mend Renovate bot. |
There was a problem hiding this comment.
Should we be looking how to apply SLSA in the builds of our reference implementations (e.g. slsa-github-generator)?
There was a problem hiding this comment.
Yes but these are in a different project: SLSA Tooling project so we can deal with those separately.
There was a problem hiding this comment.
Yes, per our discussion on Slack yesterday, I agree that we ought to handle those separately.
|
|
||
| ### Security Baseline | ||
|
|
||
| The project meets all applicable Security Baseline requirements: |
There was a problem hiding this comment.
Do these requirements need to be applied to our demos and reference implementations?
There was a problem hiding this comment.
This something that I think we should clarify. I think in SLSA's case it's the spec and the SLSA GitHub generator.
There was a problem hiding this comment.
I'd say that the SLSA Jenkins generator is another tool that needs to be included, only if for the relatively wide use of Jenkins.
There was a problem hiding this comment.
This application merely refers to the SLSA specification work, the rest is currently in a different project: SLSA Tooling project. The separation dates from when the SLSA spec group was a SIG and it may actually make sense to regroup these into a single project moving forward but I'd rather not delay getting this application processed so let's keep them separated for now.
| * https://github.com/slsa-framework/governance | ||
|
|
||
| Have a defined and documented roadmap and annual goals for the project | ||
| * https://github.com/slsa-framework/slsa/projects?query=is%3Aopen |
There was a problem hiding this comment.
At first I was skeptical, but this is actually not a bad way to indicate the high-level workstreams a TI is undertaking, especially for a larger project like SLSA!
There was a problem hiding this comment.
I think one could argue that we are missing specific target dates. We are aiming for SLSA 1.1 to be out by the end of the year but this isn't captured here but otherwise I think it's a pretty good view of what's going on.
There was a problem hiding this comment.
Should it be captured here just to meet the metric? The case is strong for graduated status, but we do want to make sure the "I"s are dotted, and "T"s are crossed.
There was a problem hiding this comment.
One way we might track our roadmap is by using GitHub milestones, as we've done in the past. These specifically allow us to set due dates, and to associate specific issues and PR with a milestone to track progress.
Signed-off-by: Arnaud J Le Hors <[email protected]>
Signed-off-by: Arnaud J Le Hors <[email protected]>
Signed-off-by: Arnaud J Le Hors <[email protected]>
This is an application to recognize the SLSA project (which covers the specification work) as a Graduated project.