SIG Release Roadmap and Vision update
215 views
Skip to first unread message
Sascha Grunert
Nov 29, 2021, 10:34:52 AM11/29/21
to Kubernetes developer/contributor discussion, kubernetes-sig-release
Hey folks,
I'd like to share the latest updates about our SIG Release Roadmap and
Vision [0]. We're right now working on outlining the Kubernetes
enhancements, which stack on top of each other [1]. The first KEP
outlines our overall goal to achieve full Supply-chain Levels for
Software Artifacts (SLSA) compliance [2] within the project. This
allows us to harden our software supply chain from a security
perspective as well as building a template for community-related
projects.
One major part of the SLSA KEP is the requirement to sign all of our
produced release artifacts. This is being discussed in the second KEP
[3], which proposes that we achieve GA by signing all artifacts
produced from the main Kubernetes repository. Everything which is not
user-facing, for example technical implementation details, are hidden
from both enhancements. This should frame the discussion and allow SIG
Release (Release Engineering) to own the internals.
Happy to receive input from y'all. Thank you and enjoy the rest of the week!
All the best,
Sascha
on behalf of SIG Release
[0]: https://github.com/kubernetes/sig-release/blob/f62149d/roadmap.md
[1]: https://github.com/kubernetes/sig-release/issues/1724
[2]: https://github.com/kubernetes/enhancements/pull/3051
[3]: https://github.com/kubernetes/enhancements/pull/3061
I'd like to share the latest updates about our SIG Release Roadmap and
Vision [0]. We're right now working on outlining the Kubernetes
enhancements, which stack on top of each other [1]. The first KEP
outlines our overall goal to achieve full Supply-chain Levels for
Software Artifacts (SLSA) compliance [2] within the project. This
allows us to harden our software supply chain from a security
perspective as well as building a template for community-related
projects.
One major part of the SLSA KEP is the requirement to sign all of our
produced release artifacts. This is being discussed in the second KEP
[3], which proposes that we achieve GA by signing all artifacts
produced from the main Kubernetes repository. Everything which is not
user-facing, for example technical implementation details, are hidden
from both enhancements. This should frame the discussion and allow SIG
Release (Release Engineering) to own the internals.
Happy to receive input from y'all. Thank you and enjoy the rest of the week!
All the best,
Sascha
on behalf of SIG Release
[0]: https://github.com/kubernetes/sig-release/blob/f62149d/roadmap.md
[1]: https://github.com/kubernetes/sig-release/issues/1724
[2]: https://github.com/kubernetes/enhancements/pull/3051
[3]: https://github.com/kubernetes/enhancements/pull/3061
Reply all
Reply to author
Forward
0 new messages