--
You received this message because you are subscribed to the Google Groups "slsa-discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to slsa-discussi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/slsa-discussion/CAMYDBzEg81Z4-YXY1LBcxdfb9nBvr9M4bwXW_EVyF48Wwp9NCg%40mail.gmail.com.
Thanks for getting this thread started! Yes, I will be running point from OpenSSF. We will also want to bring in others as we begin planning - for example, our PR firm for pitching, etc. Perhaps we should have a meeting to discuss this further?
Best,
Jennifer
--
Jennifer Bly
Sr. Marketing & Communications Manager
OpenSSF | The Linux Foundation
I’m interested in partaking! Copying my peer @Jeffrey Borek who knows the right path to take inside of IBM for things like this. @Jeffrey Borek we can start working internally (starting tomorrow) to figure out how to make this happen on our open-source blog we have on ibm.com
I’m traveling this week so I’m on and off the computer a lot (don’t have a lot of access to Slack). Feel free to send over a calendar invite and I’ll be crossing fingers that I can attend!
What about adding Microsoft/RedHat? I know they’ve been in many of the discussions and Jay/Laura have been helping a lot with SLSA positioning.
Melba Lopez
STSM, Supply Chain Security
E-mail: Melba...@ibm.com
Phone: (512) 850-9511
My working hours may not be your working hours! Please don’t feel obliged to read or reply to this e-mail outside of your normal working hours.
From:
Jennifer Bly <jb...@linuxfoundation.org>
Date: Tuesday, March 7, 2023 at 12:53 PM
To: Scott Westover <westov...@google.com>, Brian Behlendorf <bbehl...@linuxfoundation.org>, OpenS...@speakeasystrategies.com <OpenS...@speakeasystrategies.com>
Cc: Isaac Hepworth <isa...@google.com>, Michael Lieberman <mliebe...@gmail.com>, Joshua Lock <jl...@vmware.com>, Melba Lopez <Melba...@ibm.com>, slsa-di...@googlegroups.com <slsa-di...@googlegroups.com>, kay...@chainguard.dev <kay...@chainguard.dev>,
soro...@chainguard.dev <soro...@chainguard.dev>, Kimberly Samra <kimber...@google.com>
Subject: [EXTERNAL] Re: Comms for SLSA 1.0 — let's plan
+1! Also including @Brian Behlendorf and @OpenSSF_PR@speakeasystrategies.com (our PR firm) to join as they are able.
Best,
Jennifer
On Tue, Mar 7, 2023 at 1:08 PM Scott Westover <westoverscott@google.com> wrote:
Adding Sarah and Kaylin
Yes yes!! Didn’t mean to forget about Intel! I know you and Marcela have been working on the spec/positioning side too!
Melba Lopez
From:
Bruno Domingues <brun...@gmail.com>
Date: Tuesday, March 7, 2023 at 7:12 PM
To: Melba Lopez <Melba...@ibm.com>
Cc: Jennifer Bly <jb...@linuxfoundation.org>, Scott Westover <westov...@google.com>, Brian Behlendorf <bbehl...@linuxfoundation.org>, OpenS...@speakeasystrategies.com <OpenS...@speakeasystrategies.com>, Isaac Hepworth <isa...@google.com>, Michael
Lieberman <mliebe...@gmail.com>, Joshua Lock <jl...@vmware.com>, slsa-di...@googlegroups.com <slsa-di...@googlegroups.com>, kay...@chainguard.dev <kay...@chainguard.dev>, soro...@chainguard.dev <soro...@chainguard.dev>, Kimberly Samra <kimber...@google.com>,
Jeffrey Borek <jbo...@us.ibm.com>
Subject: [EXTERNAL] Re: Comms for SLSA 1.0 — let's plan
Hi, I am also interested in working on it from Intel's side. I will engage with Intel's PR and let me know how you are planning to coordinate.
On Tue, Mar 7, 2023 at 4:59 PM 'Melba Lopez' via slsa-discussion <slsa-discussion@googlegroups.com>
Hi Brian,
I don’t think we can really say that the Community Spec protocol was followed rigorously per se but I don’t think we are too far off.
First the fact is that the 1.0 document is still being worked on so the decision to accept it as final has not been made yet. It’s a good reminder that a formal decision should be made and recorded though.
We’ve also been using additional names for the development stages of the spec. We do use “draft” but instead of “approved” we have “final”, so we ought to make it clear that this is meant to be the same from the protocol point of view.
Regards.
--
Arnaud Le Hors - Senior Technical Staff Member - Open Technologies - IBM
From:
slsa-di...@googlegroups.com <slsa-di...@googlegroups.com> on behalf of Brian Behlendorf <bbehl...@linuxfoundation.org>
Date: Wednesday, March 8, 2023 at 2:46 AM
To: Bruno Domingues <brun...@gmail.com>, Melba Lopez <Melba...@ibm.com>
Cc: Jennifer Bly <jb...@linuxfoundation.org>, Scott Westover <westov...@google.com>, OpenS...@speakeasystrategies.com <OpenS...@speakeasystrategies.com>, Isaac Hepworth <isa...@google.com>, Michael Lieberman <mliebe...@gmail.com>, Joshua Lock
<jl...@vmware.com>, slsa-di...@googlegroups.com <slsa-di...@googlegroups.com>, kay...@chainguard.dev <kay...@chainguard.dev>, soro...@chainguard.dev <soro...@chainguard.dev>, Kimberly Samra <kimber...@google.com>, Jeffrey Borek <jbo...@us.ibm.com>
Subject: [EXTERNAL] Re: Comms for SLSA 1.0 — let's plan
Hi all! I'm excited to see this released - SLSA is a pillar of the OpenSSF community and will play a key part in the more integrated-architecture picture we hope to paint over the next year. I am not in a position to answer this question for
Actually it’s not called “final” but “stable”:
I’m going to submit a PR to indicate that this corresponds to the “Approved” state of the Community Spec protocol or we could just rename it if deemed necessary.
--
Arnaud Le Hors - Senior Technical Staff Member - Open Technologies - IBM
From: slsa-di...@googlegroups.com <slsa-di...@googlegroups.com> on behalf of Arnaud Le Hors <leh...@us.ibm.com>
Date: Wednesday, March 8, 2023 at 2:09 PM
To: Brian Behlendorf <bbehl...@linuxfoundation.org>, Bruno Domingues <brun...@gmail.com>, Melba Lopez <Melba...@ibm.com>
Cc: Jennifer Bly <jb...@linuxfoundation.org>, Scott Westover <westov...@google.com>, OpenS...@speakeasystrategies.com <OpenS...@speakeasystrategies.com>, Isaac Hepworth <isa...@google.com>, Michael Lieberman <mliebe...@gmail.com>, Joshua Lock
<jl...@vmware.com>, slsa-di...@googlegroups.com <slsa-di...@googlegroups.com>, kay...@chainguard.dev <kay...@chainguard.dev>, soro...@chainguard.dev <soro...@chainguard.dev>, Kimberly Samra <kimber...@google.com>, Jeffrey Borek <jbo...@us.ibm.com>
Subject: [EXTERNAL] RE: Comms for SLSA 1.0 — let's plan
Hi Brian, I don’t think we can really say that the Community Spec protocol was followed rigorously per se but I don’t think we are too far off. First the fact is that the 1.0 document is still being worked on so the decision to accept it as
--
Brian Behlendorf
General Manager, Open Source Security Foundation
bbehl...@linuxfoundation.org
Twitter: @brianbehlendorf
Yes we can add it as an agenda item 😊
I know there are some follow-up blogs we were planning/working on to release shortly after as well to help promote/explain the why’s/how to various audiences.
Melba Lopez
From:
Isaac Hepworth <isa...@google.com>
Date: Wednesday, March 8, 2023 at 6:04 PM
To: Brian Behlendorf <bbehl...@linuxfoundation.org>
Cc: Aaron Bacchi <aaron....@gmail.com>, Jennifer Bly <jb...@linuxfoundation.org>, Arnaud Le Hors <leh...@us.ibm.com>, Bruno Domingues <brun...@gmail.com>, Jeffrey Borek <jbo...@us.ibm.com>, Joshua Lock <jl...@vmware.com>, Kimberly Samra <kimber...@google.com>,
Melba Lopez <Melba...@ibm.com>, Michael Lieberman <mliebe...@gmail.com>, OpenS...@speakeasystrategies.com <OpenS...@speakeasystrategies.com>, Scott Westover <westov...@google.com>, kay...@chainguard.dev <kay...@chainguard.dev>, slsa-di...@googlegroups.com
<slsa-di...@googlegroups.com>, soro...@chainguard.dev <soro...@chainguard.dev>
Subject: [EXTERNAL] Re: Comms for SLSA 1.0 — let's plan
Makes sense, thanks Brian. I drafted a one-pager to get us started, or at least on the same page; please take a look and holler if anything looks off, or surprising. @Jennifer Bly, I made you an editor to take this forward (or discard, and
Thank you!
--
Laura Seay
Manager, Product Security Supply Chain Operations
Red Hat
Email: ls...@redhat.com
Mobile: (407)267-5666
Hi all – Sharla from the Speakeasy Strategies PR team (supporting OpenSSF). To add to what Jennifer shared below, if we get requests for additional commentary, or to speak to someone quoted in the release, we will be sure to reach out and connect you. Tl;dr version:
We are:
Congrats on the 1.0 release!
Thanks,
Sharla
Hi all,
Just a friendly reminder that the release is queued up to go live tomorrow at 9am ET. More details below:
Thanks again for your participation,
Sharla
To share a quick update on SLSA 1.0 announcement reception so far:
Earned Media Coverage (as of April 20th at 12 PM ET)
CSO Online - OpenSSF releases SLSA v1.0, adds software supply chain-specific tracks
The New Stack - OpenSSF Boosts Software Supply Chain Security with SLSA 1.0
SDX Central - OpenSSF gives supply chain security a boost with SLSA 1.0
Heise - Software Supply Chain: GitLab bringt Sicherheit, Effizienz und KI in Einklang
Linux Magazin - KubeCon & CloudNativeCon Europe: OpenSSF veröffentlicht SLSA 1.0
Le Entrepreneur - OpenSSF renforce la sécurité de la chaîne d’approvisionnement avec SLSA 1.0
Techzine Europe - OpenSSF strengthens supply chain security with SLSA 1.0
SD Times - Version 1.0 of SLSA provides specifications for software supply chain security
DevClass - Open source devs finally get a taste of full strength SLSA
AP News – Press release pickup (1 of 383 exact match pickups)
Owned Content
OpenSSF press release - OpenSSF Announces SLSA Version 1.0 Release - 507 views
PRNewswire – Press release to the wire - 847 views, 93 click-throughs
Social Media
56,844 impressions of @theopenssf SLSA 1.0 tweets
1,767 impressions of @OpenSSF SLSA 1.0 LinkedIn post
Plus I know there are quite a few more from all of your accounts beyond. If there are any other content pieces I missed or other stats anyone would like to add, please do!
Best,
Agreed! A lot of work went into this version. More than most people will ever know. Well done, and thank you to all involved.
Emmy Eide
She/Her
Director, Product Security, Software Supply Chain
Red Hat