###### tags: `SIG Software Supply Chain`

# CDF Software Supply Chain SIG Meetings

[![HackMD documents](https://hackmd.io/badge.svg)](https://hackmd.io/HuufSDMaTPyb3qxkyBKg3A?edit)

## Quick links

* [Logistics](#Logistics)
* [Agenda and Notes](#Agenda-and-Notes)
* [2023-03-09 Meeting](#March-9-2023)
* [2023-02-23 Meeting](#February-23-2023)
* [2023-02-09 Meeting](#February-9-2023)
* [2023-01-12 Meeting](#January-12-2023)
* [2022-12-22 Meeting](#December-22-2022) - ***Cancelled***
* [2022-12-08 Meeting](#December-8-2022)
* [2022-11-24 Meeting](#November-24-2022) - ***Cancelled***
* [2022-11-10 Meeting](#November-10-2022) - ***Cancelled***
* [2022-10-27 Meeting](#October-27-2022) - ***Cancelled***
* [2022-10-13 Meeting](#October-13-2022) - ***Cancelled***
* [2022-09-22 Meeting](#September-22-2022)
* [2022-09-08 Meeting](#September-8-2022)
* [2022-08-25 Meeting](#August-25-2022)
* [2022-08-11 Meeting](#August-11-2022)
* [2022-07-28 Meeting](#July-28-2022) - ***Cancelled***
* [2022-07-14 Meeting](#July-14-2022) - ***Cancelled***
* [2022-06-23 Meeting](#June-23-2022)
* [2022-06-09 Meeting](#June-9-2022)
* [2022-05-26 Meeting](#May-26-2022)
* [2022-05-12 Meeting](#May-12-2022)
* [2022-04-28 Meeting](#April-28-2022)
* [2022-04-14 Meeting](#April-14-2022)
* [2022-03-24 Meeting](#March-24-2022)
* [2022-03-10 Meeting](#March-10-2022)

## Logistics

* **Meeting notes on HackMD**: https://hackmd.io/MX4W9EE0RBeO3xfJ9wDi_Q
* **When**: Second and fourth Thursdays at 16:00 UTC (*See your timezone [here](https://time.is/1600_in_UTC)*)
* **Zoom Bridge**: https://zoom.us/j/94947282554?pwd=UndPWjFkQTJSUGo4WTRZWjlDaEQvUT09
* **Zoom International dial-in numbers**: https://zoom.us/zoomconference
* **Meeting Recordings**: [CDF Youtube Channel SIG Software Supply Chain Playlist](https://youtube.com/playlist?list=PL2KXbZ9-EY9TT2rKSBv6-BUdKqsJg9rAL)
* **Presentation Schedule**: https://hackmd.io/l1BfXp1kQKGKSaKLbl6xJw
* **CDF Public Calendar**: [here](https://calendar.google.com/calendar/embed?src=linuxfoundation.org_mhf0kmgedn67ihni8r129avp24%40group.calendar.google.com&ctz=UTC)

## Agenda and Notes

Meeting agenda and notes are kept on [HackMD.io](https://hackmd.io/MX4W9EE0RBeO3xfJ9wDi_Q), where everyone can add new topics to the agenda for upcoming meetings or take notes during the meetings. Please click the edit button to edit the document.

### Next

- Upcoming topics we would like to discuss -- please place your name next to an item if you would like to lead the discussion:
    - [OSS Review Toolkit](https://github.com/oss-review-toolkit/ort)
    - SBOM storage / indexing
    - Linking SBOMs from applications to the docker containers they're in
    - Osama Magdy's final GSoC talk
    - apko and melange -- Batuhan Apaydin ("developer-guy") and Furkan Turkal
    - sigstore tooling -- Batuhan Apaydin ("developer-guy")

### Standing Agenda (copy-and-paste to create a new session)

#### Participants

* your-name, your-affiliation

#### Agenda and Notes

- Supply Chain Maturity
    - Best Practices Presentation
    - Problem statement and questions
- Supply Chain Security
    - Best Practices Presentation
    - Problem statement and questions
- Supply Chain Events
    - Events interoperability across supply chain implementations
- OSPO -- managing OSS in a way that brings value to our companies

### March 9, 2023

#### Participants

* David Bendory, Google/Tekton
* Fatih Degirmenci, CDF
* Brett Smith, SAS Institute

#### Agenda and Notes

- SIG Roadmap
    - [Pull request](https://github.com/cdfoundation/sig-software-supply-chain/pull/34) is ~~up for review~~ merged
- Supply Chain Maturity Metrics
    - Topic is brought up to the Best Practices SIG
    - The next step is to go through and align the terminology used in the Supply Chain Security Metrics doc and then include it on the Best Practices website
    - A PDF will also be created so people can download it
- Supply Chain Maturity
    - Best Practices Presentation
    - Problem statement and questions
- Supply Chain Security
    - Best Practices Presentation
    - Problem statement and questions
- Supply Chain Events
    - Events interoperability across supply chain implementations
- OSPO -- managing OSS in a way that brings value to our companies

#### Action Items

- [x] Brett: Review Supply Chain Maturity Doc with an eye towards events
- [x] Fatih: Take the first stab at the SIG Roadmap based on the SIG Interop roadmap - current, near term, future
- [ ] Fatih: Document the summary of ongoing efforts under the Outreach Committee, TOC, and Ambassador Program to grow and sustain the community

### February 23, 2023

#### Participants

* David Bendory, Google
* Fatih Degirmenci, CDF
* Brett Smith, SAS Institute
* Emil Bäckmark, Ericsson, CDEvents

#### Agenda and Notes

- [Fatih] Supply Chain Events
    - Should the SIG start discussing the Supply Chain events as a contribution to CDEvents?
    - [Emil] Of interest: can we track creation of an SBOM as an event, or reference it from an existing event?
    - [Fatih] I wonder if we would even treat discovery of CVEs as events?
    - Conversations here would feed into the Events SIG
- [Fatih] Should we develop a SIG Roadmap?
    - Yes
- Supply Chain Maturity
    - Best Practices Presentation
    - Problem statement and questions
- Supply Chain Security
    - Best Practices Presentation
    - Problem statement and questions
- Grow Community
    - Workshops - the initial discussion is happening on [the doc](https://docs.google.com/document/d/1UNRCIcNR96utZernFC5pyx8LDFYGNDtlzj-r-5Y3AoI/edit#)

#### Action Items

- [x] Fatih: shut down dormant Security SIG and migrate work products
    - [The topic is brought up to the TOC](https://docs.google.com/document/d/1uBHar55fTInWF9Li4t0lyG3tTC8BRLU0FfBfsgk_Jrs/edit#heading=h.efj7mpikrslq) and [the PR](https://github.com/cdfoundation/toc/pull/172) is up for review.
- [ ] Brett: Review Supply Chain Maturity Doc with an eye towards events
- [ ] Fatih: Take the first stab at the SIG Roadmap based on the SIG Interop roadmap - current, near term, future
- [ ] Fatih: Document the summary of ongoing efforts under the Outreach Committee, TOC, and Ambassador Program to grow and sustain the community

### February 9, 2023

#### Participants

* Liora Milbaum, Red Hat
* David Bendory, Google
* Fatih Degirmenci, CDF
* Georg Kunz, Ericsson
* Brett Smith, SAS Institute

#### Agenda and Notes

- What is the direction for this SIG? -- Liora Milbaum
    - It seems that the SIG is focused on Supply Chain Security. Is that our direction or is that "just" a recent focus?
    - History: this SIG started partly in response to [this blog post](https://www.linuxfoundation.org/blog/blog/10m-to-improve-the-security-of-software-supply-chains) -- to bring focus on CICD more broadly
    - Fatih: we don't currently have a roadmap; perhaps the Supply Chain Maturity conversations should be brought back in to drive the roadmap
    - David: Maturity Metrics workstream product is one roadmap item
    - Brett: do we want to bring back the "best practices" conversations we were having ([frsca](https://buildsec.github.io/frsca/))?
    - Security SIG is dormant -- AI for Fatih to shut down Security SIG and move items to here
    - Liora: is this a good forum for collaboration on CICD challenges?
        - (consensus is yes)
    - David: Sounds like we have a "standing agenda" for this SIG:
        - Supply Chain Security
        - Supply Chain Maturity
        - In both areas, we have standing items around "best practices" presentations + problem statements and discussion around meeting CICD challenges
    - Georg: what about OSPO conversations around the value of OSS and managing that in our respective companies?
        - Third pillar for standing agenda: OSPO and managing OSS usage + contributions in a way that brings value to our companies
- [Supply Chain Maturity Metrics](https://docs.google.com/document/d/1CDSbQezqauwL2BaFob7o2ztLk6dTQGZqZCMZ_szNhW8/edit?resourcekey=0-ooiOpNu2gyR-KOlMNOCcDA) -- looking for a volunteer to adapt this doc for inclusion in [CDF Best Practices](https://bestpractices.cd.foundation/learn/assess/) -- David Bendory
    - Brett: this doc would help us with compliance as we try to reach FedRAMP compliance. Perhaps this belongs in a GitHub repo in the SIG?
        - GitHub will make it public + enable easy smaller-scale collaboration
- Liora: I'm curious how you handle the question of where to keep public keys?
    - David: this is a "root of trust" problem -- how do you decide whether or not to trust a public key? How do you determine the leaf nodes that you trust and verify no further?
    - Brett: Agree with David -- if you decide you trust GitHub (which is itself a big "if"), then you have to ask what security controls you need on the repository yourself.
    - Liora: if I can pull the key from JFrog where I pull the artifact, why do I need to keep the key in GitHub and pull it from a separate location? Also, someone needs to maintain the key in GitHub, which relies on a manual human step. This feels like I'm losing my chain of custody -- I don't have logs and an audit trail.
    - Brett: provenance should be machine-generated and not falsifiable.

#### Action Items

- [x] David Bendory: migrate [Maturity Metrics](https://docs.google.com/document/d/1CDSbQezqauwL2BaFob7o2ztLk6dTQGZqZCMZ_szNhW8/edit?resourcekey=0-ooiOpNu2gyR-KOlMNOCcD) to the SIG GitHub repo
    - DONE: result is [here](https://github.com/cdfoundation/sig-software-supply-chain/blob/main/docs/supply-chain-maturity.md)
- [ ] Fatih: shut down dormant Security SIG and migrate work products + roadmap to here
- [x] David Bendory: I'll set up our standing agenda + post to Slack

### January 12, 2023

#### Participants

* Liora Milbaum, Red Hat
* Fatih Degirmenci, CDF
* Georg Kunz, Ericsson
* Parth Patel, Kusari

#### Agenda and Notes

* Open Discussion
    * What are our next steps?
    * SIG Roadmap to identify what we would like to work on based on the ideas shared by the SIG participants
    * Supply Chain Security and CDEvents

### December 22, 2022

Cancelled for the year-end break.

### December 8, 2022

#### Participants

* Fatih Degirmenci, CDF, SIG co-chair
* David Bendory, Google
* Justin Abrahms, eBay
* Chuang Wang, Google
* Liora Milbaum, Red Hat, SIG co-chair
* Ankit Mohapatra
* Al Huizenga, Google

#### Agenda and Notes

* SIG Updates, Fatih Degirmenci
    * Fatih plans to step down as co-chair of the SIG
    * Nominations for co-chair can be made in GitHub on [Issue #26](https://github.com/cdfoundation/sig-software-supply-chain/issues/26)
* Upcoming Meetings, All
    * 2022-12-22: Cancelled
    * 2023-01-12: Planned first meeting in the new year
* End-to-end Pipeline-level Provenance in Tekton, Chuang Wang (Google Tekton SWE)
    * Demo meets [SLSA L3](https://slsa.dev/spec/v0.1/levels)!
    * [demo source in GitHub](https://github.com/chuangw6/demos/blob/main/cdf)
    * uses a [multi-task pipeline](https://github.com/chuangw6/demos/blob/v0.1/cdf/pipelines/ci-pipeline.yaml) in Tekton to clone the repo + build the image
    * the [PipelineRun](https://github.com/chuangw6/demos/blob/v0.1/cdf/pipelines/ci-pipelinerun.yaml) references the pipeline in GitHub to comply with SLSA's "[build as code](https://slsa.dev/spec/v0.1/requirements#build-as-code)" requirement
    * Related: See David Bendory's [Binary Authorization Demo](#Agenda-and-Notes5) from the Aug 11 SIG meeting
* SBOM Scorecard, Justin Abrahms
    * https://github.com/eBay/sbom-scorecard
    * \<addme\>

#### Action Items

* None

#### Meeting Recording

* \<addme\>

### November 24, 2022

Cancelled due to lack of topics.

### November 10, 2022

Cancelled due to lack of topics.

### October 27, 2022

Cancelled due to KubeCon / CloudNativeCon.

### October 13, 2022

Cancelled.

### September 22, 2022

#### Participants

* Brett Smith, SAS Institute
* Terry Cox
* David Espejo
* Georg Kunz
* Grant Buskey
* Jill
* Parth Patel
* Fatih Degirmenci
* Justin Abrahms, eBay/CDF
* Kara de la Marck
* Osama Magdy
* David Bendory

#### Agenda and Notes

* CI/CD Pipeline at SAS, Brett Smith
* Supply Chain Maturity Model Workstream, All
    * [Announcement Blog Post](https://cd.foundation/blog/2022/09/22/software-supply-chain-sig-launches-maturity-model-workstream/)
    * Meetings: Every other Tuesday at 16:00 UTC (details [here](https://github.com/cdfoundation/sig-software-supply-chain/tree/main/workstreams/scmm#meetings)), starting October 4

#### Action Items

* None

#### Meeting Recording

* \<addme\>

### September 8, 2022

#### Participants

* Osama Magdy, Jenkins X
* Kara de la Marck, CDF
* Parth Patel, Kusari
* Rajat Gupta, Jenkins X
* Fatih Degirmenci, CDF
* Georg Kunz, Ericsson
* David Espejo, VMware
* Brad Beck
* Andrea Frittoli, IBM
* Ankit Mohapatra, Berkshire Grey
* Justin Abrahms, eBay, CDF TOC/Board/SIG-Interoperability

#### Agenda and Notes

* Action Item Review, All
* [FRSCA](https://github.com/buildsec/frsca), Parth Patel, Kusari
* Supply Chain Maturity Model Workstream, David Bendory, Google
    * [Workstream Readme](https://github.com/cdfoundation/sig-software-supply-chain/tree/main/workstreams/scmm)
    * [Doodle Poll to find meeting time](https://doodle.com/meeting/participate/id/dG5MZ45a)

#### Action Items

* None

#### Meeting Recording

* \<addme\>

### August 25, 2022

#### Participants

* Ankit, Berkshire Grey
* Osama Magdy, Jenkins X
* Rajat Gupta, Jenkins X
* Justin Abrahms, eBay, CDF TOC/Board/SIG-Interoperability
* Brett Smith, SAS
* Emil Bäckmark, Ericsson, CDEvents
* Fatih Degirmenci, CDF
* Kara de la Marck, CDF
* Rajat Gupta
* Tharwat Abou-Helal
* David Bendory, Google
* David Espejo
* Hergy Tchuinkou
* Parth Patel, Kusari
* Georg Kunz, Ericsson

#### Agenda and Notes

* Action Item Review, All
* Supply Chain Security Journey for Jenkins X - Now and Beyond, Osama Magdy, Jenkins X
* Supply Chain Maturity Model, David Bendory, Google
    * Context: [slack msg](https://cdeliveryfdn.slack.com/archives/C0333C92VTR/p1660740646761439)
    * https://github.com/ossf/scorecard
    * **C**ode **H**ealth **P**roject **S**core ("CHiPS" and SLSA) (hat/tip -- thanks to Billy Lynch for the clever name!)
    * Parth -- runtime attestations ("is my application only reaching out to known destinations")
    * Justin -- this sounds like policies that provide metrics around maturity

#### Action Items

* ~~Interested in Supply Chain Maturity Model / "CHiPS"? Please contact David Bendory on Slack to get involved.~~
* ~~From Zoom: Brett, Justin, Ankit, and Parth stated their interest to take part in the effort on Zoom chat~~

#### Meeting Recording

* https://www.youtube.com/watch?v=Txe1wBt0pcM

### August 11, 2022

#### Participants

* Fatih Degirmenci, CDF
* Tracy Ragan, DeployHub, Ortelius and OpenSSF Board Member, CDF TOC
* Justin Abrahms, eBay, CDF TOC/Board/SIG-Interoperability
* Terry Cox, Bootstrap
* Kara de la Marck, CDF
* David Bendory, Google
* Chuang Wang, Google
* Yongxuan Zhang, Google
* Prakash Jagatheesan, Google
* Ronan, Google
* Tim Miller, Kusari
* Alex Misdorp
* Michael Lieberman, Kusari
* Parth Patel, Kusari
* Andrea Frittoli, IBM, CDF TOC/Board/SIG-Events
* Brett Smith, SAS
* Charles Tudor, SAS
* Eric Wimmer, SAS
* Su Johnson, SAS
* Scott Todd, SAS
* Jill Madritch, SAS
* Ankit D Mohapatra, Berkshire Grey
* Rajat Gupta, Jenkins X
* Osama Magdy, Jenkins X
* Terry Cox
* David Espejo
* Georg Kunz
* Juliane

#### Agenda and Notes

* Binary Authorization, David Bendory, Google
    * [Binary Authorization on Borg Whitepaper](http://cloud.google.com/security/binary-authorization-for-borg/)
    * [Binary Authorization on Google Cloud](http://cloud.google.com/binary-authorization/)
    * [Scripted Demo of Binary Authorization on GCP](https://github.com/bendory/tekton-on-gcp)
    * More about [Container Security at Google](http://cloud.google.com/containers/security)
* CDF Reference Architecture, All
    * Aligning our efforts to contribute to the CDF Reference Architecture from the Software Supply Chain perspective
    * The deck used to kick off the discussion around the CDF is available [here](https://docs.google.com/presentation/d/1SSSHPLSXEUgg0vu644zrZPvCW9sUYSBwzSCDO_fZtF8/edit)
    * The work started within SIG Best Practices, which meets on the 2nd and 4th Mondays of every month at 16:00 UTC. Meeting logistics are available [here](https://github.com/cdfoundation/sig-best-practices#meetings).
    * The initial work can be seen in the CDF Best Practices website preview [here](https://deploy-preview-23--prod-bp-cdf.netlify.app/architecture/).
    * Contributions can be made to https://github.com/cdfoundation/best-practices-site/tree/refarch1

#### Action Items

* AI: David Bendory to figure out if he can share the data points (e.g. proto or yaml) for the sbom/provenance they capture.
    * Response: https://slsa.dev/provenance exactly matches the Google internal format in some places, while in others it is similar information but the schema is different.

#### Meeting Recording

* https://www.youtube.com/watch?v=WQm0bJy3N6Y

### July 28, 2022

Cancelled due to vacation period.

### July 14, 2022

Cancelled due to vacation period.

### June 23, 2022

#### Participants

* Fatih Degirmenci, CDF
* Brett Smith, SAS
* Ankit, BG, Jenkins X
* Terry Cox, Bootstrap
* Andrew Larsen, SAS
* Sudhindra Rao, JFrog
* Stephen Chin, JFrog

#### Agenda and Notes

* [Pyrsia](https://pyrsia.io/) Presentation, Sudhindra Rao
    * [Presentation](https://docs.google.com/presentation/d/18HnAVTWMIj8HAXepjXPQloDPNRZd4Dqy/edit?usp=sharing&ouid=101931522664284912957&rtpof=true&sd=true)

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=5SNKO8Fysbc

### June 9, 2022

Cancelled due to [cdCon 2022](https://events.linuxfoundation.org/cdcon/).

### May 26, 2022

#### Participants

* Stephen Levine, VMware
* Ciro da Silva Costa, VMware
* Terry Cox
* David Espejo, VMware
* Joshua Winters
* Kara de la Marck
* Rasheed Abdul-Aziz
* Sam Coward
* Scott Rosenberg
* Waciuma
* Fatih Degirmenci
* Ankit Mohapatra, Dexai Robotics, Jenkins X

#### Agenda and Notes

* Action Item Review, All
* Open PRs discussion on SIG PoC, All
    * PR on SIG PoC is open for feedback: https://github.com/cdfoundation/sig-software-supply-chain/pull/12
    * PR on Pipeline Stages is open for feedback: https://github.com/cdfoundation/sig-interoperability/pull/97
* [Cartographer](https://cartographer.sh/) Presentation, Stephen Levine and Ciro da Silva Costa

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=6DkKBGauYh0

### May 12, 2022

#### Participants

* Georg Kunz, Ericsson
* Erhan Vikyol, Storebrand
* Daniel Krivelevich, Cider Security
* Omer Gil, Cider Security
* Terry Cox
* Ann Marie Fred, Red Hat
* Asaf Greenholts
* David Espejo
* Kara de la Marck, CDF
* Moïse
* Fatih Degirmenci, Ericsson Software Technology
* Ankit Mohapatra, Dexai Robotics, Jenkins X

#### Agenda and Notes

* Action Item Review, All
* Top 10 CI/CD Security Risks and CI/CD Goat, Daniel Krivelevich, Omer Gil, Cider Security
    * [Top 10 CI/CD Security Risks (PDF)](https://www.cidersecurity.io/wp-content/uploads/2022/03/Top-10-CICD-Security-Risks-.pdf)
    * [Top 10 CI/CD Security Risks (GitHub)](https://github.com/cider-security-research/top-10-cicd-security-risks)
    * [CI/CD Goat (GitHub)](https://github.com/cider-security-research/cicd-goat)
* Continue discussion on [SIG PoC](https://hackmd.io/U6q685gFTdWRrkWZechvGw?view), All
    * Isn't it still valuable to establish pipelines to demonstrate the activities to perform and the stages/steps to create?
* CI/CD Terminology for Supply Chain Stages/Steps, All
    * Contributing to SIG Interoperability Pipeline [Stages](https://github.com/cdfoundation/sig-interoperability/blob/master/docs/vocabulary.md#pipeline-stages)/[Steps](https://github.com/cdfoundation/sig-interoperability/blob/master/docs/vocabulary.md#pipeline-step-types) terminology
    * The initial PR: https://github.com/cdfoundation/sig-interoperability/pull/97
    * This will be useful as an input to [SIG PoC](https://hackmd.io/U6q685gFTdWRrkWZechvGw?view)

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=qFag1LrDBcg

### April 28, 2022

#### Participants

* Fatih Degirmenci, Ericsson Software Technology
* Kara de la Marck, CDF
* Thomas Schuetz, Dynatrace
* Josh Gavant, Red Hat ([@joshgav](https://github.com/joshgav))
* Terry Cox
* David Espejo, VMware
* Maxime Gréau, Elastic
* Emil Bäckmark, Ericsson
* Georg Kunz, Ericsson

#### Agenda and Notes

* Action Item Review, All
* [CNCF TAG App Delivery](https://github.com/cncf/tag-app-delivery) and [podtato-head](https://github.com/podtato-head/podtato-head), Thomas Schuetz (Dynatrace) and Josh Gavant (Red Hat)
    * The work done by TAG App Delivery and podtato-head has potential to be used as part of the [CDF SIG Software Supply Chain Proof of Concept](https://hackmd.io/U6q685gFTdWRrkWZechvGw?view) to look at runtime aspects of the Software Supply Chain.
    * Issue about documenting how to propose new scenarios/patterns and development frameworks: https://github.com/cncf/tag-app-delivery/issues/167
    * Similar ideas
        * OpenTel: <https://docs.google.com/document/d/1nCV32KvYzowspjWk9ym6MoLOc-1D_RF-EcX7Dnf_VcE/>
        * SIG Events POC: <https://github.com/cdfoundation/sig-events/tree/main/poc>
* CI/CD Terminology for Supply Chain Stages/Steps, All
    * Contributing to SIG Interoperability Pipeline [Stages](https://github.com/cdfoundation/sig-interoperability/blob/master/docs/vocabulary.md#pipeline-stages)/[Steps](https://github.com/cdfoundation/sig-interoperability/blob/master/docs/vocabulary.md#pipeline-step-types) terminology
    * The initial PR: https://github.com/cdfoundation/sig-interoperability/pull/97
    * This will be useful as an input to [SIG PoC](https://hackmd.io/U6q685gFTdWRrkWZechvGw?view)

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=9mi8C106J28

### April 14, 2022

#### Participants

* Jason Hall (Red Hat)
* Maxime Gréau (Elastic)
* Ankit (Dexai Robotics)
* Kara de la Marck (CDF)
* Fatih Degirmenci (Ericsson Software Technology)
* Terry Cox
* Priya Wadhwa (Chainguard)
* Liora Milbaum (Red Hat)

#### Agenda and Notes

* Action Item Review, All
* Meeting Time Change, All
    * Meeting time changed to [15:00 UTC](https://time.is/1500_in_UTC)
    * Meeting invite sent to the SIG's mailing list - https://lists.cd.foundation/g/sig-software-supply-chain
* Setting the scope for the SIG PoC, All
    * PoC Document: https://hackmd.io/U6q685gFTdWRrkWZechvGw?view
* [TektonCD Chains](https://github.com/tektoncd/chains) Presentation/Demo, Priya Wadhwa, Chainguard

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=U4-sRRAOTRA

### March 24, 2022

#### Participants

* David Espejo [VMware]
* Georg Kunz, Ericsson
* Mike Lieberman [Citi, CNCF Supply Chain Security WG]
* Billy Lynch [Google, Tekton]
* Ankit Mohapatra [Dexai Robotics, Jenkins X]
* Kara de la Marck, CDF
* Erhan Vikyol, Storebrand
* Liora Milbaum, Red Hat
* Fatih Degirmenci, Ericsson Software Technology
* Terry Cox
* Andrea Frittoli, IBM
* Ann Marie Fred, Red Hat
* Enric Forn
* Maor Kuriel
* Moïse Kameni
* Parth Patel
* Praneetha Manthravadi
* Timothy Miller

#### Agenda and Notes

* Action Item Review
* Meeting Time Change
    * Meeting time will change to 15:00 UTC starting from the next meeting on April 14th
    * Meeting invite will be sent to the SIG's mailing list - https://lists.cd.foundation/g/sig-software-supply-chain
* Upcoming Presentations
    * The schedule is available [here](https://hackmd.io/l1BfXp1kQKGKSaKLbl6xJw?view)
    * [TektonCD Chains](https://github.com/tektoncd/chains), Priya Wadhwa, Chainguard, 2022-04-14, 15:00 UTC
    * CNCF TAG App Delivery and [Pod-tato Head](https://github.com/podtato-head/podtato-head), Thomas Schuetz, Dynatrace, 2022-04-28, 15:00 UTC
    * [Cartographer](https://cartographer.sh/), James Rawlings, 2022-05-12, 15:00 UTC
* Secure Software Factory Reference Architecture and SSF Presentation/Demo/Discussion, Michael Lieberman
    * Secure Software Factory Reference Architecture: https://docs.google.com/document/d/15M_Mzfqy634E_sqoslmOXsZJl4TedpbXpBjOfz-hnXk/edit
    * SSF Reference Implementation: https://github.com/buildsec/ssf

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=9SXcXk2cO3c

### March 10, 2022

#### Participants

* Fatih Degirmenci, Ericsson Software Technology
* Maxime Gréau, Elastic
* Ann Marie Fred, Red Hat
* Erhan Vikyol, Storebrand
* Tracy Miranda, Chainguard
* Kara de la Marck, CDF
* Ankit D Mohapatra, Dexai Robotics
* Melissa McKay, JFrog
* Andrea Frittoli, IBM
* Georg Kunz, Ericsson
* Terry Cox
* Liora Milbaum, Red Hat

#### Agenda and Notes

* Welcome and Introductions
* What is SIG Software Supply Chain and Why?
* Approach of the SIG
* SIG Logistics
* SIG Roadmap
    * Initial Topics for the SIG Roadmap
    * Knowledge Transfer
* Next Meeting on March 24, 2022
    * March 24th falls between when NA and EMEA make the summer time change
    * If we meet at [16:00 UTC](https://time.is/compare/1600_24_Mar_2022_in_UTC/CET/PT), the meeting time will remain the same for EMEA but will be 1h later for NA
    * If we meet at [15:00 UTC](https://time.is/compare/1500_24_Mar_2022_in_UTC/CET/PT), the meeting time will remain the same for NA but will be 1h earlier for EMEA
    * Or we skip the meeting to keep things simple - our next meeting would be on April 14, 2022
* Open Discussion
* References
    * [Meeting Presentation](https://docs.google.com/presentation/d/1-nt-1Pe4WwiKoDT-ooWAxKPDunSoqeES9Qb3WTEkE9M/edit)
    * [CDF SIG Software Supply Chain Charter](https://github.com/cdfoundation/sig-software-supply-chain#overview)
    * [CNCF TAG Security, Software Supply Chain Best Practices Whitepaper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
    * Secure Software Factory
        * [Website](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
        * [GitHub](https://github.com/buildsec/ssf)
        * [RFC](https://docs.google.com/document/d/15M_Mzfqy634E_sqoslmOXsZJl4TedpbXpBjOfz-hnXk/edit)
    * [TektonCD Chains](https://github.com/tektoncd/chains)
    * [CNCF TAG App Delivery Pod Tato Head](https://github.com/podtato-head/podtato-head)
    * CDF SIG Interoperability Terminology Work and Quality Gates Discussion
        * [PR on Pipeline Stage Terminology](https://github.com/cdfoundation/sig-interoperability/pull/76)
        * [PR on Pipeline Step Types](https://github.com/cdfoundation/sig-interoperability/pull/81)
        * [Quality Gates Discussion](https://github.com/cdfoundation/sig-interoperability/discussions/83)

#### Action Items

* None

#### Meeting Recording

* https://www.youtube.com/watch?v=3i6pcPr09Uk
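The February 9, 2023 notes raise the "root of trust" question (which public keys and builders a consumer decides to trust, and Brett's point that provenance should be machine-generated and not falsifiable), and the December 8, 2022 demo leans on SLSA's "build as code" requirement (the PipelineRun references a pipeline definition kept in source control). The block below is an added example, not code from the SIG, from Tekton Chains, or from any project named in these notes. It shows the consumer-side policy decision that remains after an attestation's signature has been checked: is the builder one we trust, does the build definition come from a reviewed source pinned to a digest, and is the attested subject the artifact we actually hold. The field layout follows the in-toto Statement with an SLSA provenance v0.2 predicate as published at slsa.dev; the builder id, repository URI, entry point, digests and artifact bytes are all constructed for the example, and signature verification of the envelope (e.g. with the sigstore tooling listed under upcoming topics) is assumed to have happened before this check runs.

```python
"""Consumer-side policy check over an SLSA-style provenance statement.

Added example; every identifier below is constructed, not taken from a real
pipeline. Envelope signature verification is assumed to precede this check.
"""
import hashlib
import json

# Trust roots held by the consumer, outside the artifact store (constructed).
TRUSTED_BUILDERS = {"https://builder.example.invalid/tekton-chains"}
# (repository URI, entry point) pairs whose pipeline definitions are reviewed.
ALLOWED_CONFIG_SOURCES = {
    ("git+https://git.example.invalid/ci-pipelines", "pipelines/ci-pipeline.yaml"),
}
# Constructed bytes standing in for a built image or binary.
ARTIFACT = b"constructed artifact bytes\n"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(subject_sha256: str, builder_id: str, uri: str, entry_point: str) -> str:
    """Return a constructed in-toto Statement (JSON) carrying an SLSA v0.2 predicate."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "registry.example.invalid/app:1.0", "digest": {"sha256": subject_sha256}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.invalid/build-types/pipelinerun",
            "invocation": {
                "configSource": {
                    "uri": uri,
                    "digest": {"sha1": "0" * 40},  # placeholder commit id (constructed)
                    "entryPoint": entry_point,
                }
            },
        },
    }
    return json.dumps(statement)


def check_provenance(statement_json: str, artifact: bytes) -> list[str]:
    """Return policy findings for an already signature-verified statement.

    An empty list means the artifact passes. Each finding names the policy that
    failed so a pipeline can log it and block the release.
    """
    findings: list[str] = []
    stmt = json.loads(statement_json)

    if stmt.get("predicateType") != PREDICATE_TYPE:
        findings.append(f"unexpected predicateType {stmt.get('predicateType')!r}")
        return findings  # other fields cannot be interpreted without a known predicate

    # 1. The attested subject must be the artifact we hold, not merely a same-named one.
    attested = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if sha256_hex(artifact) not in attested:
        findings.append("subject digest does not match the artifact")

    pred = stmt.get("predicate", {})

    # 2. Root of trust: only builders we have decided to trust count as evidence.
    builder = pred.get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        findings.append(f"untrusted builder {builder!r}")

    # 3. Build as code: the pipeline definition must come from a reviewed, pinned source.
    src = pred.get("invocation", {}).get("configSource", {})
    key = (src.get("uri"), src.get("entryPoint"))
    if key not in ALLOWED_CONFIG_SOURCES:
        findings.append(f"pipeline definition {key!r} is not an allowed config source")
    if not src.get("digest"):
        findings.append("configSource has no pinned digest")

    return findings


def demo() -> dict[str, list[str]]:
    """Run the check over a passing statement and two policy violations."""
    good_builder = "https://builder.example.invalid/tekton-chains"
    uri, entry = "git+https://git.example.invalid/ci-pipelines", "pipelines/ci-pipeline.yaml"
    good = make_statement(sha256_hex(ARTIFACT), good_builder, uri, entry)
    # Same artifact, but attested by a builder outside the trust roots.
    wrong_builder = make_statement(sha256_hex(ARTIFACT), "https://laptop.example.invalid/manual", uri, entry)
    # Valid-looking statement whose subject is a different artifact than the one in hand.
    tampered = make_statement(sha256_hex(ARTIFACT + b"x"), good_builder, uri, entry)
    return {
        "good": check_provenance(good, ARTIFACT),
        "wrong_builder": check_provenance(wrong_builder, ARTIFACT),
        "tampered": check_provenance(tampered, ARTIFACT),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["ok"])
```

The trust roots live in the consumer's own policy rather than beside the artifact, which is the distinction Liora and David were circling: whoever controls the store the key (or builder list) is fetched from controls what "verified" means. Keeping the builder allow-list and the pinned pipeline sources under review in a separate repository gives the audit trail the notes ask for without a manual key-copy step in the release path.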