Secure Software Supply Chain #26
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
arsulegai
commented
Sep 20, 2024
arsulegai
commented
- Introduce governance mechanism for secure software supply chain in LFDT.
- Introduce a mandatory scorecard badge.
- Introduce governance mechanism for release artifacts signing and verification.
tkuhrt
requested changes
Sep 20, 2024
| title: Release Signing | ||
| parent: Governing Documents | ||
| grand_parent: LF Decentralized Trust TAC | ||
| nav_order: 1 |
There was a problem hiding this comment.
Suggested change
| nav_order: 1 | |
| nav_order: 10 |
Not sure the right number, but I am guessing 10 is close.
There was a problem hiding this comment.
Do you think there's a possibility for us to improve the structure with sub-folders? For instance, project reports may have annual report and quarterly report in them. Security may have governing documents related to software supplychain, the other process related to having a representative from the project.
There was a problem hiding this comment.
I would like to avoid sub-folders as that results in too many clicks.
There was a problem hiding this comment.
+1 for trying to avoid too many/too deep folder structures in general
|
|
||
| LFDT has a holistic approach to governing the security of projects and implements the highest levels of standards. The objective is to establish a consistent and secure approach to signing artifacts, leveraging industry-standard tools and practices while allowing flexibility for individual project implementations. Software verification processes are made available to ensure the integrity and authenticity of all artifacts throughout their lifecycle. A monitoring framework is introduced to score the project, rating the release process. | ||
|
|
||
| This initiative aligns with efforts to establish a secure software supply chain for LFDT projects and achieve full [SLSA (Supply Chain Levels for Software Artifacts) compliance](https://slsa.dev/spec/v1.0/levels) in the release process. |
There was a problem hiding this comment.
Suggested change
| This initiative aligns with efforts to establish a secure software supply chain for LFDT projects and achieve full [SLSA (Supply Chain Levels for Software Artifacts) compliance](https://slsa.dev/spec/v1.0/levels) in the release process. | |
| This policy aligns with efforts to establish a secure software supply chain for LFDT projects and achieve full [SLSA (Supply Chain Levels for Software Artifacts) compliance](https://slsa.dev/spec/v1.0/levels) in the release process. |
| ## LFDT Project Compliance | ||
|
|
||
| 1. The LFDT Technical Advisory Committee (TAC) standardizes the signing of artifacts using tools from the Linux Foundation’s digital signing project, [OpenSSF Sigstore](https://openssf.org/projects/sigstore/). | ||
| 2. Each project must document the process of verifying the artifacts using [OpenSSF Sigstore](https://openssf.org/projects/sigstore/). The project must have a file called `RELEASE.md`. |
There was a problem hiding this comment.
Suggested change
| 2. Each project must document the process of verifying the artifacts using [OpenSSF Sigstore](https://openssf.org/projects/sigstore/). The project must have a file called `RELEASE.md`. | |
| 2. Each project must document the process of signing and verifying the artifacts using [OpenSSF Sigstore](https://openssf.org/projects/sigstore/) in a file called `RELEASE.md`. |
|
|
||
| 1. The LFDT Technical Advisory Committee (TAC) standardizes the signing of artifacts using tools from the Linux Foundation’s digital signing project, [OpenSSF Sigstore](https://openssf.org/projects/sigstore/). | ||
| 2. Each project must document the process of verifying the artifacts using [OpenSSF Sigstore](https://openssf.org/projects/sigstore/). The project must have a file called `RELEASE.md`. | ||
| 3. Each project must enable and apply for a Sigstore's scorecard. The project must capture the scorecard's result and generate a badge visible on the README.md file. |
There was a problem hiding this comment.
Suggested change
| 3. Each project must enable and apply for a Sigstore's scorecard. The project must capture the scorecard's result and generate a badge visible on the README.md file. | |
| 3. Each project must enable and apply for an [OpenSSF's scorecard](https://openssf.org/projects/scorecard/). The project must capture the scorecard's result and generate a badge visible on the `README.md` file. |
|
|
||
| ## LFDT Project Compliance | ||
|
|
||
| 1. The LFDT Technical Advisory Committee (TAC) standardizes the signing of artifacts using tools from the Linux Foundation’s digital signing project, [OpenSSF Sigstore](https://openssf.org/projects/sigstore/). |
There was a problem hiding this comment.
Suggested change
| 1. The LFDT Technical Advisory Committee (TAC) standardizes the signing of artifacts using tools from the Linux Foundation’s digital signing project, [OpenSSF Sigstore](https://openssf.org/projects/sigstore/). | |
| 1. The LFDT Technical Advisory Committee (TAC) standardizes the signing of artifacts and confirmation of signing using tools from the Linux Foundation’s Open Source Security Foundation (OpenSSF) -- [OpenSSF Sigstore](https://openssf.org/projects/sigstore/) and [OpenSSF Scorecard](https://openssf.org/projects/scorecard/), respectively. |
| 1. The LFDT Technical Advisory Committee (TAC) standardizes the signing of artifacts using tools from the Linux Foundation’s digital signing project, [OpenSSF Sigstore](https://openssf.org/projects/sigstore/). | ||
| 2. Each project must document the process of verifying the artifacts using [OpenSSF Sigstore](https://openssf.org/projects/sigstore/). The project must have a file called `RELEASE.md`. | ||
| 3. Each project must enable and apply for a Sigstore's scorecard. The project must capture the scorecard's result and generate a badge visible on the README.md file. | ||
| 4. An LFDT incubation project will follow at least SLSA Level 1, while graduated projects will meet at least SLSA Level 2. |
There was a problem hiding this comment.
Suggested change
| 4. An LFDT incubation project will follow at least SLSA Level 1, while graduated projects will meet at least SLSA Level 2. | |
| 4. An LFDT incubation project must meet at least SLSA Level 1, while graduated projects must meet at least SLSA Level 2. |
There was a problem hiding this comment.
I've gone back and forth on whether graduated projects MUST sign artifacts, but after discussion at the TAC meeting I'm fine with it if there is a reference example of signing using Github Actions that we can point projects to.
| - **Project Team:** | ||
| - Add a `RELEASE.md` file containing the build and release process of artifacts. Capture the information such as versioning followed, steps to reproduce the build, current release process, resources for verifying the signed artifacts at the least. | ||
| - Generate the scorecard and upload as a badge on `README.md` file. | ||
| - Each project will be responsible for the technical integration of Sigstore's cosign and scorecard into its build process. This approach allows projects to adapt the implementation to their specific needs while adhering to the overarching governance framework. |
There was a problem hiding this comment.
Suggested change
| - Each project will be responsible for the technical integration of Sigstore's cosign and scorecard into its build process. This approach allows projects to adapt the implementation to their specific needs while adhering to the overarching governance framework. | |
| - Each project will be responsible for the technical integration of Sigstore's cosign and OpenSSF's scorecard into its build process. This approach allows projects to adapt the implementation to their specific needs while adhering to the overarching governance framework. |
petermetz
approved these changes
Oct 5, 2024
tkuhrt
requested review from
mbrandenburger,
swcurran,
jimthematrix,
yacovm,
VRamakrishna and
denyeart
denyeart
reviewed
Oct 24, 2024
|
|
||
| ## Responsibilities | ||
| - **Project Team:** | ||
| - Add a `RELEASE.md` file containing the build and release process of artifacts. Capture the information such as versioning followed, steps to reproduce the build, current release process, resources for verifying the signed artifacts at the least. |
There was a problem hiding this comment.
We use a RELEASING.md file in Fabric. I think this is typical when the file describes the process of creating a release.
| 1. The LFDT Technical Advisory Committee (TAC) standardizes the signing of artifacts using tools from the Linux Foundation’s digital signing project, [OpenSSF Sigstore](https://openssf.org/projects/sigstore/). | ||
| 2. Each project must document the process of verifying the artifacts using [OpenSSF Sigstore](https://openssf.org/projects/sigstore/). The project must have a file called `RELEASE.md`. | ||
| 3. Each project must enable and apply for a Sigstore's scorecard. The project must capture the scorecard's result and generate a badge visible on the README.md file. | ||
| 4. An LFDT incubation project will follow at least SLSA Level 1, while graduated projects will meet at least SLSA Level 2. |
There was a problem hiding this comment.
I've gone back and forth on whether graduated projects MUST sign artifacts, but after discussion at the TAC meeting I'm fine with it if there is a reference example of signing using Github Actions that we can point projects to.
|
@arsulegai : Could you please update this pull request so that we may get it approved and checked in? |
| - The LFDT staff will maintain and secure the signing keys and the relevant infrastructure necessary for managing these keys. This centralization ensures a high level of security and reliability for key management practices. | ||
| - Scan for SBOM compliance. | ||
|
|
||
| ## General Recommendations |
There was a problem hiding this comment.
The document is called "Release Signing" but contains much more content. Maybe we extract the "General Recommendations" in a doc on the same level and name it "SLSA guidance" or something similar.
ryjones
requested review from
conor10 and
non-fungible-nelson
as code owners
arsulegai
requested review from
EnriqueL8,
cjhowland,
matthew1001 and
wenjing
as code owners
1. Introduce governance mechanism for secure software supply chain in LFDT. 2. Introduce a mandatory scorecard badge. 3. Introduce governance mechanism for release artifacts signing and verification. Signed-off-by: S m, Aruna <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.