###### tags: `SIG Software Supply Chain`

# CDF Software Supply Chain SIG Meetings

[![HackMD documents](https://hackmd.io/badge.svg)](https://hackmd.io/HuufSDMaTPyb3qxkyBKg3A?edit)

## Quick links

* [Logistics](#Logistics)
* [Agenda and Notes](#Agenda-and-Notes)
* [2023-03-09 Meeting](#March-9-2023)
* [2023-02-23 Meeting](#February-23-2023)
* [2023-02-09 Meeting](#February-9-2023)
* [2023-01-12 Meeting](#January-12-2023)
* [2022-12-22 Meeting](#December-22-2022) - ***Cancelled***
* [2022-12-08 Meeting](#December-8-2022)
* [2022-11-24 Meeting](#November-24-2022) - ***Cancelled***
* [2022-11-10 Meeting](#November-10-2022) - ***Cancelled***
* [2022-10-27 Meeting](#October-27-2022) - ***Cancelled***
* [2022-10-13 Meeting](#October-13-2022) - ***Cancelled***
* [2022-09-22 Meeting](#September-22-2022)
* [2022-09-08 Meeting](#September-8-2022)
* [2022-08-25 Meeting](#August-25-2022)
* [2022-08-11 Meeting](#August-11-2022)
* [2022-07-28 Meeting](#July-28-2022) - ***Cancelled***
* [2022-07-14 Meeting](#July-14-2022) - ***Cancelled***
* [2022-06-23 Meeting](#June-23-2022)
* [2022-06-09 Meeting](#June-9-2022)
* [2022-05-26 Meeting](#May-26-2022)
* [2022-05-12 Meeting](#May-12-2022)
* [2022-04-28 Meeting](#April-28-2022)
* [2022-04-14 Meeting](#April-14-2022)
* [2022-03-24 Meeting](#March-24-2022)
* [2022-03-10 Meeting](#March-10-2022)

## Logistics

* **Meeting notes on HackMD**: https://hackmd.io/MX4W9EE0RBeO3xfJ9wDi_Q
* **When**: Second and fourth Thursdays at 16:00 UTC (*See your timezone [here](https://time.is/1600_in_UTC)*)
* **Zoom Bridge**: https://zoom.us/j/94947282554?pwd=UndPWjFkQTJSUGo4WTRZWjlDaEQvUT09
* **Zoom International dial-in numbers**: https://zoom.us/zoomconference
* **Meeting Recordings**: [CDF Youtube Channel SIG Software Supply Chain Playlist](https://youtube.com/playlist?list=PL2KXbZ9-EY9TT2rKSBv6-BUdKqsJg9rAL)
* **Presentation Schedule**: https://hackmd.io/l1BfXp1kQKGKSaKLbl6xJw
* **CDF Public Calendar**: [here](https://calendar.google.com/calendar/embed?src=linuxfoundation.org_mhf0kmgedn67ihni8r129avp24%40group.calendar.google.com&ctz=UTC)

## Agenda and Notes

Meeting agenda and notes are kept on [HackMD.io](https://hackmd.io/MX4W9EE0RBeO3xfJ9wDi_Q), where everyone can add new topics to the agenda for upcoming meetings or take notes during the meetings. Please click the edit button to edit the document.

### Next

- Upcoming topics we would like to discuss -- please place your name next to an item if you would like to lead the discussion:
  - [OSS Review Toolkit](https://github.com/oss-review-toolkit/ort)
  - SBOM storage / indexing
    - Linking SBOMs from applications to the docker containers they're in
  - Osama Magdy's final GSoC talk
  - apko and melange -- Batuhan Apaydin ("developer-guy") and Furkan Turkal
  - sigstore tooling -- Batuhan Apaydin ("developer-guy")

### Standing Agenda (copy-and-paste to create a new session)

#### Participants

* your-name, your-affiliation

#### Agenda and Notes

- Supply Chain Maturity
  - Best Practices Presentation
  - Problem statement and questions
- Supply Chain Security
  - Best Practices Presentation
  - Problem statement and questions
- Supply Chain Events
  - Events interoperability across supply chain implementations
- OSPO -- managing OSS in a way that brings value to our companies

### March 9, 2023

#### Participants

* David Bendory, Google/Tekton
* Fatih Degirmenci, CDF
* Brett Smith, SAS Institute

#### Agenda and Notes

- SIG Roadmap
  - [Pull request](https://github.com/cdfoundation/sig-software-supply-chain/pull/34) is ~~up for review~~ merged
- Supply Chain Maturity Metrics
  - Topic is brought up to the Best Practices SIG
  - The next step is to go through and align the terminology used in the Supply Chain Security Metrics doc and then include it on the Best Practices website
  - A PDF will also be created so people can download it
- Supply Chain Maturity
  - Best Practices Presentation
  - Problem statement and questions
- Supply Chain Security
  - Best Practices Presentation
  - Problem statement and questions
- Supply Chain Events
  - Events interoperability across supply chain implementations
- OSPO -- managing OSS in a way that brings value to our companies

#### Action Items

- [x] Brett: Review Supply Chain Maturity Doc with an eye towards events
- [x] Fatih: Take the first stab at the SIG Roadmap based on the SIG Interop roadmap - current, near term, future
- [ ] Fatih: Document the summary of ongoing efforts under Outreach Committee, TOC, Ambassador Program to grow and sustain the community

### February 23, 2023

#### Participants

* David Bendory, Google
* Fatih Degirmenci, CDF
* Brett Smith, SAS Institute
* Emil Backmark, Ericsson, CDEvents

#### Agenda and Notes

- [Fatih] Supply Chain Events
  - Should the SIG start discussing the Supply Chain events as a contribution to CDEvents?
  - [Emil] Of interest: can we track creation of an SBOM as an event, or referenced from an existing event?
  - [Fatih] I wonder if we would even treat discovery of CVEs as events?
  - Conversations here would feed into the Events SIG
- [Fatih] Should we develop a SIG Roadmap?
  - Yes
- Supply Chain Maturity
  - Best Practices Presentation
  - Problem statement and questions
- Supply Chain Security
  - Best Practices Presentation
  - Problem statement and questions
- Grow Community
  - Workshops - the initial discussion is happening on [the doc](https://docs.google.com/document/d/1UNRCIcNR96utZernFC5pyx8LDFYGNDtlzj-r-5Y3AoI/edit#)

#### Action Items

- [x] Fatih: shut down dormant Security SIG and migrate work products
  - [The topic is brought up to the TOC](https://docs.google.com/document/d/1uBHar55fTInWF9Li4t0lyG3tTC8BRLU0FfBfsgk_Jrs/edit#heading=h.efj7mpikrslq) and [the PR](https://github.com/cdfoundation/toc/pull/172) is up for review.
- [ ] Brett: Review Supply Chain Maturity Doc with an eye towards events
- [ ] Fatih: Take the first stab at the SIG Roadmap based on the SIG Interop roadmap - current, near term, future
- [ ] Fatih: Document the summary of ongoing efforts under Outreach Committee, TOC, Ambassador Program to grow and sustain the community

### February 9, 2023

#### Participants

* Liora Milbaum, Red Hat
* David Bendory, Google
* Fatih Degirmenci, CDF
* George Kunz, Ericsson
* Brett Smith, SAS Institute

#### Agenda and Notes

- What is the direction for this SIG? -- Liora Milbaum
  - It seems that the SIG is focused on Supply Chain Security. Is that our direction or is that "just" a recent focus?
  - History: this SIG started partly in response to [this blog post](https://www.linuxfoundation.org/blog/blog/10m-to-improve-the-security-of-software-supply-chains) -- to bring focus on CICD more broadly
  - Fatih: we don't currently have a roadmap; perhaps the Supply Chain Maturity conversations should be brought back in to drive the roadmap
    - David: Maturity Metrics workstream product is one roadmap item
  - Brett: do we want to bring back the "best practices" conversations we were having ([frsca](https://buildsec.github.io/frsca/))?
  - Security SIG is dormant -- AI for Fatih to shut down Security SIG and move items to here
  - Liora: is this a good forum for collaboration on CICD challenges?
    - (consensus is yes)
  - David: Sounds like we have a "standing agenda" for this SIG:
    - Supply Chain Security
    - Supply Chain Maturity
    - In both areas, we have standing items around "best practices" presentations + problem statements and discussion around meeting CICD challenges
  - George: what about OSPO conversations around the value of OSS and managing that in our respective companies?
    - Third pillar for standing agenda: OSPO and managing OSS usage + contributions in a way that brings value to our companies
- [Supply Chain Maturity Metrics](https://docs.google.com/document/d/1CDSbQezqauwL2BaFob7o2ztLk6dTQGZqZCMZ_szNhW8/edit?resourcekey=0-ooiOpNu2gyR-KOlMNOCcDA) -- looking for a volunteer to adapt this doc for inclusion in [CDF Best Practices](https://bestpractices.cd.foundation/learn/assess/) -- David Bendory
  - Brett: this doc would help us with compliance as we try to reach FedRAMP compliance. Perhaps this belongs in a GitHub repo in the SIG?
    - GitHub will make it public + enable easy smaller-scale collaboration
  - Liora: I'm curious how you handle the question of where to keep public keys?
    - David: this is a "root of trust" problem -- how do you decide whether or not to trust a public key? How do you determine the leaf nodes that you trust and verify no further?
    - Brett: Agree with David -- if you decide you trust GitHub (which is itself a big "if"), then you have to ask what security controls you need on the repository yourself.
    - Liora: if I can pull the key from JFrog where I pull the artifact, why do I need to keep the key in GitHub and pull it from a separate location? Also, someone needs to maintain the key in GitHub, which relies on a manual human step. This feels like I'm losing my chain of custody -- I don't have logs and an audit trail.
    - Brett: provenance should be machine-generated and not falsifiable.

#### Action Items

- [x] David Bendory: migrate [Maturity Metrics](https://docs.google.com/document/d/1CDSbQezqauwL2BaFob7o2ztLk6dTQGZqZCMZ_szNhW8/edit?resourcekey=0-ooiOpNu2gyR-KOlMNOCcD) to SIG GitHub repo
  - DONE: result is [here](https://github.com/cdfoundation/sig-software-supply-chain/blob/main/docs/supply-chain-maturity.md)
- [ ] Fatih: shut down dormant Security SIG and migrate work products + roadmap to here
- [x] David Bendory: I'll set up our standing agenda + post to Slack

### January 12, 2023

#### Participants

* Liora Milbaum, Red Hat
* Fatih Degirmenci, CDF
* Georg Kunz, Ericsson
* Parth Patel, Kusari

#### Agenda and Notes

* Open Discussion
  * What are our next steps?
  * SIG Roadmap to identify what we would like to work on based on the ideas shared by the SIG participants
  * Supply Chain Security and CDEvents

### December 22, 2022

Cancelled for YE break.

### December 8, 2022

#### Participants

* Fatih Degirmenci, CDF, SIG co-chair
* David Bendory, Google
* Justin Abrahms, eBay
* Chuang Wang, Google
* Liora Milbaum, Red Hat, SIG co-chair
* Ankit Mohapatra
* Al Huizenga, Google

#### Agenda and Notes

* SIG Updates, Fatih Degirmenci
  * Fatih plans to step down from co-chair of SIG
  * Nominations for co-chair can be made in GitHub on [Issue #26](https://github.com/cdfoundation/sig-software-supply-chain/issues/26)
* Upcoming Meetings, All
  * 2022-12-22: Cancelled
  * 2023-01-12: Planned first meeting in new year
* End-to-end Pipeline-level Provenance in Tekton, Chuang Wang (Google Tekton SWE)
  * Demo meets [SLSA L3](https://slsa.dev/spec/v0.1/levels)!
  * [demo source in GitHub](https://github.com/chuangw6/demos/blob/main/cdf)
  * uses a [multi-task pipeline](https://github.com/chuangw6/demos/blob/v0.1/cdf/pipelines/ci-pipeline.yaml) in Tekton to clone the repo + build the image
  * the [PipelineRun](https://github.com/chuangw6/demos/blob/v0.1/cdf/pipelines/ci-pipelinerun.yaml) references the pipeline in GitHub to comply with SLSA's "[build as code](https://slsa.dev/spec/v0.1/requirements#build-as-code)" requirement
  * Related: See David Bendory's [Binary Authorization Demo](#Agenda-and-Notes5) from the Aug 11 SIG meeting
* SBOM Scorecard, Justin Abrahms
  * https://github.com/eBay/sbom-scorecard
* \<addme\>

#### Action Items

* None

#### Meeting Recording

* \<addme\>

### November 24, 2022

Cancelled due to lack of topics.

### November 10, 2022

Cancelled due to lack of topics.

### October 27, 2022

Cancelled due to KubeCon / CloudNativeCon.

### October 13, 2022

Cancelled.

### September 22, 2022

#### Participants

* Brett Smith, SAS Institute
* Terry Cox
* David Espejo
* Georg Kunz
* Grant Buskey
* Jill
* Parth Patel
* Fatih Degirmenci
* Justin Abrahms, eBay/CDF
* Kara de la Marck
* Osama Magdy
* David Bendory

#### Agenda and Notes

* CI/CD Pipeline at SAS, Brett Smith
* Supply Chain Maturity Model Workstream, All
  * [Announcement Blog Post](https://cd.foundation/blog/2022/09/22/software-supply-chain-sig-launches-maturity-model-workstream/)
  * Meetings: Every other Tuesday at 16:00 UTC (details [here](https://github.com/cdfoundation/sig-software-supply-chain/tree/main/workstreams/scmm#meetings)), starting October 4

#### Action Items

* None

#### Meeting Recording

* \<addme\>

### September 8, 2022

#### Participants

* Osama Magdy, Jenkins X
* Kara de la Marck, CDF
* Parth Patel, Kusari
* Rajat Gupta, Jenkins X
* Fatih Degirmenci, CDF
* Georg Kunz, Ericsson
* David Espejo, VMWare
* Brad Beck
* Andrea Frittoli, IBM
* Ankit Mohapatra, Berkshire grey
* Justin Abrahms, eBay, CDF TOC/Board/SIG-Interoperability

#### Agenda and Notes

* Action Item Review, All
* [FRSCA](https://github.com/buildsec/frsca), Parth Patel, Kusari
* Supply Chain Maturity Model Workstream, David Bendory, Google
  * [Workstream Readme](https://github.com/cdfoundation/sig-software-supply-chain/tree/main/workstreams/scmm)
  * [Doodle Poll to find meeting time](https://doodle.com/meeting/participate/id/dG5MZ45a)

#### Action Items

* None

#### Meeting Recording

* \<addme\>

### August 25, 2022

#### Participants

* Ankit, Berkshire grey
* Osama Magdy, Jenkins X
* Rajat Gupta, Jenkins X
* Justin Abrahms, eBay, CDF TOC/Board/SIG-Interoperability
* Brett Smith, SAS
* Emil Bäckmark, Ericsson, CDEvents
* Fatih Degirmenci, CDF
* Kara de la Marck, CDF
* Tharwat Abou-Helal
* David Bendory, Google
* David Espejo
* Hergy Tchuinkou
* Parth Patel, Kusari
* Georg Kunz, Ericsson

#### Agenda and Notes

* Action Item Review, All
* Supply Chain Security Journey for Jenkins X - Now and Beyond, Osama Magdy, Jenkins X
* Supply Chain Maturity Model, David Bendory, Google
  * Context: [slack msg](https://cdeliveryfdn.slack.com/archives/C0333C92VTR/p1660740646761439)
  * https://github.com/ossf/scorecard
  * **C**ode **H**ealth **P**roject **S**core ("CHiPS" and SLSA) (hat/tip -- thanks to Billy Lynch for the clever name!)
  * Parth -- runtime attestations ("is my application only reaching out to known destinations")
  * Justin -- this sounds like policies that provide metrics around maturity

#### Action Items

* ~~Interested in Supply Chain Maturity Model / "CHiPS"? Please contact David Bendory on Slack to get involved.~~
* ~~From Zoom: Brett, Justin, Ankit, and Parth stated their interest to take part in the effort on Zoom chat~~

#### Meeting Recording

* https://www.youtube.com/watch?v=Txe1wBt0pcM

### August 11, 2022

#### Participants

* Fatih Degirmenci, CDF
* Tracy Ragan, DeployHub, Ortelius and OpenSSF Board Member, CDF TOC
* Justin Abrahms, eBay, CDF TOC/Board/SIG-Interoperability
* Terry Cox, Bootstrap
* Kara de la Marck, CDF
* David Bendory, Google
* Chuang Wang, Google
* Yongxuan Zhang, Google
* Prakash Jagatheesan, Google
* Ronan, Google
* Tim Miller, Kusari
* Alex Misdorp
* Michael Lieberman, Kusari
* Parth Patel, Kusari
* Andrea Frittoli, IBM, CDF TOC/Board/SIG-Events
* Brett Smith, SAS
* Charles Tudor, SAS
* Eric Wimmer, SAS
* Su Johnson, SAS
* Scott Todd, SAS
* Jill Madritch, SAS
* Ankit D Mohapatra, berkshire grey
* Rajat Gupta, Jenkins X
* Osama Magdy, Jenkins X
* David Espejo
* Georg Kunz
* Juliane

#### Agenda and Notes

* Binary Authorization, David Bendory, Google
  * [Binary Authorization on Borg Whitepaper](http://cloud.google.com/security/binary-authorization-for-borg/)
  * [Binary Authorization on Google Cloud](http://cloud.google.com/binary-authorization/)
  * [Scripted Demo of Binary Authorization on GCP](https://github.com/bendory/tekton-on-gcp)
  * More about [Container Security at Google](http://cloud.google.com/containers/security)
* CDF Reference Architecture, All
  * Aligning our efforts to contribute to the CDF Reference Architecture from the Software Supply Chain perspective
  * The deck used to kick off the discussion around the CDF is available [here](https://docs.google.com/presentation/d/1SSSHPLSXEUgg0vu644zrZPvCW9sUYSBwzSCDO_fZtF8/edit)
  * The work started within SIG Best Practices, which meets on the 2nd and 4th Mondays of every month at 16:00 UTC. Meeting logistics are available [here](https://github.com/cdfoundation/sig-best-practices#meetings).
  * The initial work can be seen on the CDF Best Practices website preview [here](https://deploy-preview-23--prod-bp-cdf.netlify.app/architecture/).
  * Contributions can be made to https://github.com/cdfoundation/best-practices-site/tree/refarch1

#### Action Items

* AI: David Bendory to figure out if he can share the data points (e.g. proto or yaml) for the sbom/provenance they capture.
  * Response: https://slsa.dev/provenance exactly matches the Google internal format in some places, while in others it is similar information but the schema is different.

#### Meeting Recording

* https://www.youtube.com/watch?v=WQm0bJy3N6Y

### July 28, 2022

Cancelled due to vacation period.

### July 14, 2022

Cancelled due to vacation period.

### June 23, 2022

#### Participants

* Fatih Degirmenci, CDF
* Brett Smith, SAS
* Ankit, BG, Jenkins X
* Terry Cox, Bootstrap
* Andrew Larsen, SAS
* Sudhindra Rao, JFrog
* Stephen Chin, JFrog

#### Agenda and Notes

* [Pyrsia](https://pyrsia.io/) Presentation, Sudhindra Rao
  * [Presentation](https://docs.google.com/presentation/d/18HnAVTWMIj8HAXepjXPQloDPNRZd4Dqy/edit?usp=sharing&ouid=101931522664284912957&rtpof=true&sd=true)

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=5SNKO8Fysbc

### June 9, 2022

Cancelled due to [cdCon 2022](https://events.linuxfoundation.org/cdcon/).

### May 26, 2022

#### Participants

* Stephen Levine, VMWare
* Ciro da Silva Costa, VMWare
* Terry Cox
* David Espejo, VMWare
* Joshua Winters
* Kara de la Marck
* Rasheed Abdul-Aziz
* Sam Coward
* Scott Rosenberg
* Waciuma
* Fatih Degirmenci
* Ankit Mohapatra, Dexai Robotics, Jenkins X

#### Agenda and Notes

* Action Item Review, All
* Open PRs discussion on SIG PoC, All
  * PR on SIG PoC is open for feedback: https://github.com/cdfoundation/sig-software-supply-chain/pull/12
  * PR on Pipeline Stages is open for feedback: https://github.com/cdfoundation/sig-interoperability/pull/97
* [Cartographer](https://cartographer.sh/) Presentation, Stephen Levine and Ciro da Silva Costa

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=6DkKBGauYh0

### May 12, 2022

#### Participants

* Georg Kunz, Ericsson
* Erhan Vikyol, Storebrand
* Daniel Krivelevich, Cider Security
* Omer Gil, Cider Security
* Terry Cox
* Ann Marie Fred, Red Hat
* Asaf Greenholts
* David Espejo
* Kara de la Marck, CDF
* Moïse
* Fatih Degirmenci, Ericsson Software Technology
* Ankit Mohapatra, Dexai Robotics, Jenkins X

#### Agenda and Notes

* Action Item Review, All
* Top 10 CI/CD Security Risks and CI/CD Goat, Daniel Krivelevich, Omer Gil, Cider Security
  * [Top 10 CI/CD Security Risks (PDF)](https://www.cidersecurity.io/wp-content/uploads/2022/03/Top-10-CICD-Security-Risks-.pdf)
  * [Top 10 CI/CD Security Risks (GitHub)](https://github.com/cider-security-research/top-10-cicd-security-risks)
  * [CI/CD Goat (GitHub)](https://github.com/cider-security-research/cicd-goat)
* Continue discussion on [SIG PoC](https://hackmd.io/U6q685gFTdWRrkWZechvGw?view), All
  * Isn't it still valuable to establish pipelines to demonstrate the activities to perform and the stages/steps to create?
* CI/CD Terminology for Supply Chain Stages/Steps, All
  * Contributing to SIG Interoperability Pipeline [Stages](https://github.com/cdfoundation/sig-interoperability/blob/master/docs/vocabulary.md#pipeline-stages)/[Steps](https://github.com/cdfoundation/sig-interoperability/blob/master/docs/vocabulary.md#pipeline-step-types) terminology
  * The initial PR: https://github.com/cdfoundation/sig-interoperability/pull/97
  * This will be useful as an input to the [SIG PoC](https://hackmd.io/U6q685gFTdWRrkWZechvGw?view)

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=qFag1LrDBcg

### April 28, 2022

#### Participants

* Fatih Degirmenci, Ericsson Software Technology
* Kara de la Marck, CDF
* Thomas Schuetz, Dynatrace
* Josh Gavant, Red Hat ([@joshgav](https://github.com/joshgav))
* Terry Cox
* David Espejo, VMware
* Maxime Gréau, Elastic
* Emil Bäckmark, Ericsson
* Georg Kunz, Ericsson

#### Agenda and Notes

* Action Item Review, All
* [CNCF TAG App Delivery](https://github.com/cncf/tag-app-delivery) and [podtato-head](https://github.com/podtato-head/podtato-head), Thomas Schuetz (Dynatrace) and Josh Gavant (Red Hat)
  * The work done by TAG App Delivery and Pod-tato has the potential to be used as part of the [CDF SIG Software Supply Chain Proof of Concept](https://hackmd.io/U6q685gFTdWRrkWZechvGw?view) to look at runtime aspects of the Software Supply Chain.
  * Issue about documenting how to propose new scenarios/patterns and development frameworks: https://github.com/cncf/tag-app-delivery/issues/167
  * Similar ideas
    * OpenTel: <https://docs.google.com/document/d/1nCV32KvYzowspjWk9ym6MoLOc-1D_RF-EcX7Dnf_VcE/>
    * SIG Events POC: <https://github.com/cdfoundation/sig-events/tree/main/poc>
* CI/CD Terminology for Supply Chain Stages/Steps, All
  * Contributing to SIG Interoperability Pipeline [Stages](https://github.com/cdfoundation/sig-interoperability/blob/master/docs/vocabulary.md#pipeline-stages)/[Steps](https://github.com/cdfoundation/sig-interoperability/blob/master/docs/vocabulary.md#pipeline-step-types) terminology
  * The initial PR: https://github.com/cdfoundation/sig-interoperability/pull/97
  * This will be useful as an input to the [SIG PoC](https://hackmd.io/U6q685gFTdWRrkWZechvGw?view)

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=9mi8C106J28

### April 14, 2022

#### Participants

* Jason Hall (Red Hat)
* Maxime Gréau (Elastic)
* Ankit (Dexai Robotics)
* Kara de la Marck (CDF)
* Fatih Degirmenci (Ericsson Software Technology)
* Terry Cox
* Priya Wadhwa (Chainguard)
* Liora Milbaum (Red Hat)

#### Agenda and Notes

* Action Item Review, All
* Meeting Time Change, All
  * Meeting time changed to [15:00 UTC](https://time.is/1500_in_UTC)
  * Meeting invite sent to the SIG's mailing list - https://lists.cd.foundation/g/sig-software-supply-chain
* Setting the scope for the SIG PoC, All
  * PoC Document: https://hackmd.io/U6q685gFTdWRrkWZechvGw?view
* [TektonCD Chains](https://github.com/tektoncd/chains) Presentation/Demo, Priya Wadhwa, Chainguard

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=U4-sRRAOTRA

### March 24, 2022

#### Participants

* David Espejo [VMware]
* Georg Kunz, Ericsson
* Mike Lieberman [Citi, CNCF Supply Chain Security WG]
* Billy Lynch [Google, Tekton]
* Ankit Mohapatra [Dexai Robotics, Jenkins X]
* Kara de la Marck, CDF
* Erhan Vikyol, Storebrand
* Liora Milbaum, Red Hat
* Fatih Degirmenci, Ericsson Software Technology
* Terry Cox
* Andrea Frittoli, IBM
* Ann Marie Fred, Red Hat
* Enric Forn
* Maor Kuriel
* Moïse Kameni
* Parth Patel
* Praneetha Manthravadi
* Timothy Miller

#### Agenda and Notes

* Action Item Review
* Meeting Time Change
  * Meeting time will change to 15:00 UTC starting from the next meeting on April 14th
  * Meeting invite will be sent to the SIG's mailing list - https://lists.cd.foundation/g/sig-software-supply-chain
* Upcoming Presentations
  * The schedule is available [here](https://hackmd.io/l1BfXp1kQKGKSaKLbl6xJw?view)
  * [TektonCD Chains](https://github.com/tektoncd/chains), Priya Wadhwa, Chainguard, 2022-04-14, 15:00 UTC
  * CNCF TAG App Delivery and [Pod-tato Head](https://github.com/podtato-head/podtato-head), Thomas Schuetz, Dynatrace, 2022-04-28, 15:00 UTC
  * [Cartographer](https://cartographer.sh/), James Rawlings, 2022-05-12, 15:00 UTC
* Secure Software Factory Reference Architecture and SSF Presentation/Demo/Discussion, Michael Lieberman
  * Secure Software Factory Reference Architecture: https://docs.google.com/document/d/15M_Mzfqy634E_sqoslmOXsZJl4TedpbXpBjOfz-hnXk/edit
  * SSF Reference Implementation: https://github.com/buildsec/ssf

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=9SXcXk2cO3c

### March 10, 2022

#### Participants

* Fatih Degirmenci, Ericsson Software Technology
* Maxime Gréau, Elastic
* Ann Marie Fred, Red Hat
* Erhan Vikyol, Storebrand
* Tracy Miranda, Chainguard
* Kara de la Marck, CDF
* Ankit D Mohapatra, Dexai Robotics
* Melissa McKay, JFrog
* Andrea Frittoli, IBM
* Georg Kunz, Ericsson
* Terry Cox
* Liora Milbaum, Red Hat

#### Agenda and Notes

* Welcome and Introductions
* What is SIG Software Supply Chain and Why?
* Approach of the SIG
* SIG Logistics
* SIG Roadmap
  * Initial Topics for the SIG Roadmap
  * Knowledge Transfer
* Next Meeting on March 24, 2022
  * March 24th falls between when NA and EMEA make the summer time change
    * If we meet at [16:00 UTC](https://time.is/compare/1600_24_Mar_2022_in_UTC/CET/PT), the meeting time will remain the same for EMEA but will be 1h later for NA
    * If we meet at [15:00 UTC](https://time.is/compare/1500_24_Mar_2022_in_UTC/CET/PT), the meeting time will remain the same for NA but will be 1h earlier for EMEA
    * Or we skip the meeting to keep things simple - our next meeting would be on April 14, 2022
* Open Discussion
* References
  * [Meeting Presentation](https://docs.google.com/presentation/d/1-nt-1Pe4WwiKoDT-ooWAxKPDunSoqeES9Qb3WTEkE9M/edit)
  * [CDF SIG Software Supply Chain Charter](https://github.com/cdfoundation/sig-software-supply-chain#overview)
  * [CNCF TAG Security, Software Supply Chain Best Practices Whitepaper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
  * Secure Software Factory
    * [Website](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
    * [GitHub](https://github.com/buildsec/ssf)
    * [RFC](https://docs.google.com/document/d/15M_Mzfqy634E_sqoslmOXsZJl4TedpbXpBjOfz-hnXk/edit)
  * [TektonCD Chains](https://github.com/tektoncd/chains)
  * [CNCF TAG App Delivery Pod Tato Head](https://github.com/podtato-head/podtato-head)
  * CDF SIG Interoperability Terminology Work and Quality Gates Discussion
    * [PR on Pipeline Stage Terminology](https://github.com/cdfoundation/sig-interoperability/pull/76)
    * [PR on Pipeline Step Types](https://github.com/cdfoundation/sig-interoperability/pull/81)
    * [Quality Gates Discussion](https://github.com/cdfoundation/sig-interoperability/discussions/83)

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=3i6pcPr09Uk