Thoughts on Jan 5th's Meeting


Dan Lorenc

Jan 5, 2022, 4:03:44 PM
to ossf-wg-devel...@googlegroups.com
Hey All,

Apologies I couldn't make today's meeting. I just caught up on the recording and wanted to give some feedback. I also left some comments in Slack and the agenda before the meeting.

I think starting a subgroup here is premature, and we need to better clarify the problem before this makes sense to start. We have a working group already and several projects working in this space (SLSA, Sigstore, In-Toto, DSSE), so I'd like to better understand the problem with the existing signing mechanisms before we charter a WG to go produce another set of recommendations. 

Santiago and Michael both raised excellent points that open source projects have been doing this already for years; I'd really like to prevent ending up in an xkcd.com/927 situation here.

I also agree with Henk that a concrete proposal would help frame the discussion as well. It sounds like there's already been some work internally; it would be helpful to share that so everyone can review before we get started.

To summarize, I'm **not in favor** of starting another subgroup here without more definition on the proposed work or a more shared understanding of the problem area. If necessary, I'd prefer to continue to use the existing meeting time rather than adding another recurring meeting to everyone's calendar.

Dan Lorenc

Luke Hinds

Jan 5, 2022, 4:51:46 PM
to Dan Lorenc, ossf-wg-developer-identity
I have only read the minutes, but I echo what Dan says. I don't understand why we would not leverage or enhance (if there are gaps) existing projects in the OSSF that are actively working on the very goals listed.

"Agreeing on a standard format for signing digital artifacts" - Between SLSA and In-toto, this is already well covered.

"Creating tooling to assist with signing and validation artifacts across a variety of formats" - a.k.a. sigstore

I would be interested first in understanding what the current gaps are, before we bootstrap something new and duplicate efforts.


Michael Winser

Jan 6, 2022, 6:13:27 PM
to lore...@gmail.com, ossf-wg-devel...@googlegroups.com
Given the widespread interest in the problem area, I like Dan's proposal. Let's have these conversations in the WG as it is composed today. We'll keep the topic on the agenda and maybe indulge in a little time boxing so that other topics can be addressed as well.

Thanks,

Michael


Kim Lewandowski

Jan 6, 2022, 6:41:32 PM
to Michael Winser, lore...@gmail.com, ossf-wg-devel...@googlegroups.com
We’ve had a number of amazing presentations in this working group about specific open source problems projects or communities are facing, how the maintainers/contributors are trying to tackle them today, where the gaps are and how a working group like this can potentially help.

The agenda is light for the next meeting; a more detailed presentation on the open source problems here would be really helpful!


Kay Williams

Jan 11, 2022, 6:08:57 PM
to Kim Lewandowski, Michael Winser, lore...@gmail.com, ossf-wg-devel...@googlegroups.com
Thanks everyone for the feedback! Yes, let’s plan some time in the next Supply Chain Integrity WG meeting for further discussion.

Perhaps we can start with the following scenario – which specification should organizations use to sign supply chain artifacts like Software Bills of Materials (SBOMs).


We’ve been grappling with this at Microsoft and can share our thoughts and the decision matrix we have been using to approach our decision.


Kay
