Add in-toto incubation review #393
cc @michelleN
I'd love to get an update on a SIG recommendation for this project. As I understand it, there are some delays due to the pandemic. Whenever we're all back to normal, I would love to follow up here. Thanks for submitting this proposal @SantiagoTorres. 🎉
I'll be taking up driving DD for this project.
Just synced with @SantiagoTorres. They did a presentation to the Security folks last year and were recommended for incubation. The TOC asked to see more maturity in the project, so we asked that in-toto be sandbox for the time being. Since then, there has been growth in adoption, and the project has demonstrated growth and progress (see review) and would like to be considered for incubation. According to the incubation process, the TOC needs a recommendation from the SIG before moving into doing due diligence, so I'd love to get that before proceeding. Would @cncf/sig-security like another presentation from the in-toto project? Do you feel like you have enough information to recommend or not recommend in-toto for incubation? Either way seems fine to me, since the first presentation resulted in an incubation recommendation. @lizrice - what do you think?
@cncf/sig-security did a security assessment of the project in May 2019 last year... More details here: https://github.com/cncf/sig-security/tree/master/assessments/projects/in-toto Since it's been quite a while since the assessment, I think we can probably get an update from the team on what's happened over the last year. But assuming things are only going to be the same or better, I think the recommendation would still stand.
Hi @michelleN! Thanks for following up on this at the TOC meeting - is there a document that you'd like the SIG-Security recommendation on? Somewhat like what we did for the OPA and Harbor DD docs - or should we put the recommendation in here?
@lumjjb - let's review this doc together and do the user interviews in January. I'll ping you on slack to set up some time.
I will be taking over the TOC due dil on this now, @lumjjb @SantiagoTorres let's sync on where things got to.
reviews/incubation-in-toto.md
and scope. | ||
|
||
* We document adopters on the | ||
[ADOPTERS.md](https://github.com/in-toto/in-toto/blob/develop/ADOPTERS.md) |
This is a broken link, has it moved to a different repo?
the project. | ||
|
||
* Maintainers of the project are listed in our [MAINTAINERS.txt](https://github.com/in-toto/in-toto/blob/develop/MAINTAINERS.txt) file. There are currently 3 core maintainers plus 7 more maintainers from companies such as (Debian, Datadog, and VMWare) | ||
|
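Review bot: the maintainers bullet reads oddly with the parenthesised list, "from companies such as (Debian, Datadog, and VMWare)"; drop the parentheses so it reads "from companies such as Debian, Datadog, and VMware". Since the sentence asserts a specific headcount (3 core plus 7 more), it would also help to state the date the count was taken, so a reader comparing against MAINTAINERS.txt knows which revision of that file the numbers describe.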
3+7 is not reflected in the linked file
I updated the document to address the review comments. I've also added several things that have happened since it was first written. :)
reviews/incubation-in-toto.md
outlined in the project [GOVERNANCE.md](https://github.com/in-toto/in-toto/blob/develop/GOVERNANCE.md) | ||
file. | ||
|
||
* Finally, in-toto participated in Google Summer of Code (GSOC) 2020 through the CNCF. |
Do we want to mention the CNCF blog article about the in-toto GSOC internship here?
https://www.cncf.io/blog/2020/10/07/gsoc-spotlight-my-google-summer-of-code-experience-at-cncf-in-2020/
It's something that underlines the welcome culture in the in-toto project imho :)
this can be resolved.
Definitely! A lot has happened since late 2020:
In my opinion, this clearly shows an increasing adoption of in-toto in other supply chain security related projects and speaks clearly for a good future for the project.
Signed-off-by: Aditya Sirish <[email protected]>
Co-authored-by: Santiago Torres-Arias <[email protected]>
Co-authored-by: Christian Rebischke <[email protected]>
The DD doc is complete and links to the (public) interviews with adopters.