Comms for SLSA 1.0 — let's plan

[Isaac Hepworth]

Hello SLSA friends.

As we approach the 1.0 Stable release of the SLSA specification in the coming month, we have some joined-up comms to plan.

I expect we're going to want a blog post on openssf.org announcing and celebrating the milestone. I expect Chainguard will want to post something on its own blog; I expect Google will want to as well. Perhaps VMWare too? @Joshua Lock, you might know. IBM also, @Melba Lopez?

We'll likely want some press pre-briefing, too, using the OpenSSF blog post as its center of gravity. Social stuff as well.

In any case I wanted to make sure that the right folks are in touch with each other in order to make a proper plan. @Scott Westover here on cc will be leading comms from Google's side. @Jennifer Bly, am I right in thinking that you'll be leading from OpenSSF? Who else should be involved?

I'd happily draft a first pass at a comms plan, and share it with the group and community, but there may be others better placed to take the lead on that. Possibly much of this is already in motion! In which case, I'd just like to ask that Scott be included :)

Thanks,

Isaac

[Michael Lieberman]

Kusari has stuff planned as well. For planning, you can just include me.

--
You received this message because you are subscribed to the Google Groups "slsa-discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to slsa-discussi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/slsa-discussion/CAMYDBzEg81Z4-YXY1LBcxdfb9nBvr9M4bwXW_EVyF48Wwp9NCg%40mail.gmail.com.

[Tracy Miranda]

Thanks Isaac.

Chainguard definitely want to help spread the word far and wide! 

Leading comms for Chainguard will be @Kaylin Trychon & @Sarah O'Rourke 

Thanks,

Tracy

On Tue, Mar 7, 2023 at 11:32 AM 'Isaac Hepworth' via slsa-discussion <slsa-di...@googlegroups.com> wrote:

--

[Isaac Hepworth]

I think a kick-off meeting would be a great idea. Perhaps we begin with folks who're on the critical path here:

- Jennifer (OpenSSF)

- Kaylin and Sarah (Chainguard)

- Scott (Google)

- Michael (Kusari)

- any others who want to make themselves known on this thread

I'd suggest that the small group gather to produce a draft 1.0 comms plan and share it out with the community for feedback.

Thank you!

Isaac

On Tue, Mar 7, 2023 at 9:50 AM Jennifer Bly <jb...@linuxfoundation.org> wrote:

Thanks for getting this thread started! Yes, I will be running point from OpenSSF. We will also want to bring in others as we begin planning - for example, our PR firm for pitching, etc. Perhaps we should have a meeting to discuss this further?

Best,

Jennifer

--

Jennifer Bly

Sr. Marketing & Communications Manager

OpenSSF  | The Linux Foundation

https://openssf.org/

[Jennifer Bly]

Thanks for getting this thread started! Yes, I will be running point from OpenSSF. We will also want to bring in others as we begin planning - for example, our PR firm for pitching, etc. Perhaps we should have a meeting to discuss this further?

Best,

Jennifer

On Tue, Mar 7, 2023 at 11:45 AM Michael Lieberman <mliebe...@gmail.com> wrote:

[Scott Westover]

Adding Sarah and Kaylin back in cause I think the thread forked, and also Kim who leads central security PR for Google. 

A meeting to kick off our outreach plans sounds great! 

[Jennifer Bly]

+1! Also including @Brian Behlendorf and @OpenS...@speakeasystrategies.com (our PR firm) to join as they are able.

Best,

Jennifer

[Claudia Ring]

I would love to join, we will be covering all the SLSA updates as well!

Claudia

[Melba Lopez]

I’m interested in partaking!  Copying my peer @Jeffrey Borek who knows the right path to take inside of IBM for things like this.  @Jeffrey Borek we can start working internally (starting tomorrow) to figure out how to make this happen on our open-source blog we have on ibm.com

 

I’m traveling this week so I’m on and off the computer a lot (don’t have a lot of access to Slack).  Feel free to send over a calendar invite and I’ll be crossing fingers that I can attend!

 

What about adding Microsoft/RedHat?  I know they’ve been in many of the discussions and Jay/Laura have been helping a lot with SLSA positioning.    

 

Melba Lopez

STSM, Supply Chain Security

E-mail: Melba...@ibm.com

Phone: (512) 850-9511

 

My working hours may not be your working hours! Please don’t feel obliged to read or reply to this e-mail outside of your normal working hours.

 

 

From: Jennifer Bly <jb...@linuxfoundation.org>
Date: Tuesday, March 7, 2023 at 12:53 PM
To: Scott Westover <westov...@google.com>, Brian Behlendorf <bbehl...@linuxfoundation.org>, OpenS...@speakeasystrategies.com <OpenS...@speakeasystrategies.com>
Cc: Isaac Hepworth <isa...@google.com>, Michael Lieberman <mliebe...@gmail.com>, Joshua Lock <jl...@vmware.com>, Melba Lopez <Melba...@ibm.com>, slsa-di...@googlegroups.com <slsa-di...@googlegroups.com>, kay...@chainguard.dev <kay...@chainguard.dev>, soro...@chainguard.dev <soro...@chainguard.dev>, Kimberly Samra <kimber...@google.com>
Subject: [EXTERNAL] Re: Comms for SLSA 1.0 — let's plan

+1! Also including @Brian Behlendorf and @OpenSSF_PR@ speakeasystrategies. com (our PR firm) to join as they are able. Best, Jennifer On Tue, Mar 7, 2023 at 1: 08 PM Scott Westover <westoverscott@ google. com> wrote: Adding Sarah and Kaylin

ZjQcmQRYFpfptBannerStart

This Message Is From an External Sender This message came from outside your organization.

ZjQcmQRYFpfptBannerEnd

[Bruno Domingues]

Hi, I am also interested in working on it from Intel's side. I will engage with Intel's PR and let me know how are you planning to coordinate

To view this discussion on the web visit https://groups.google.com/d/msgid/slsa-discussion/MW4PR15MB4555AEB6A4B4C9AE1D8E170BF6B49%40MW4PR15MB4555.namprd15.prod.outlook.com.

[Brian Behlendorf]

Hi all! I'm excited to see this released - SLSA is a pillar of the OpenSSF community and will play a key part in the more integrated-architecture picture we hope to paint over the next year.

I am not in a position to answer this question for myself at the moment, but I trust that the Community Spec protocol was followed rigorously and there is a clear vote to accept this document as 1.0 final. Some references:
https://github.com/slsa-framework/governance/blob/main/5._Governance.md 
(https://github.com/slsa-framework/governance/blob/main/5._Governance.md#4-specification-development-process

I want to make sure not only is this a clear consensus product but that we also have no barriers to submitting this to standards bodies like ISO as a PAS, as the LF did with SPDX. I don't know if you have any plans to do that soon; if so it may be worth sharing them in this release. Or, other plans for next steps... Is there a 1.1 in the works, that sort of thing.

Finally and again probably stating something that's already been said, but the more we can get testimonials not just from the direct participants (be sure and reflect the range of participants as well) and large companies but also from end users and start ups who can share how they're using it. Jennifer Blu can lead collecting those and getting sign-offs, but we need to get connected to those orgs and you likely know them better than we do.

It would be helpful to draft some other collateral here if it's not already been done, for both business/PM style audiences and Dec audiences, so that any new traffic generated from the buzz can get connected in to the right place to participate. OpenSSF staff can help here but let us know.

So exciting!

Brian

[Melba Lopez]

Yes yes!! Didn’t mean to forget about Intel!  I know you and Marcela have been working on the spec/positioning side too!

 

Melba Lopez

STSM, Supply Chain Security

E-mail: Melba...@ibm.com

Phone: (512) 850-9511

 

My working hours may not be your working hours! Please don’t feel obliged to read or reply to this e-mail outside of your normal working hours.

 

 

From: Bruno Domingues <brun...@gmail.com>
Date: Tuesday, March 7, 2023 at 7:12 PM
To: Melba Lopez <Melba...@ibm.com>
Cc: Jennifer Bly <jb...@linuxfoundation.org>, Scott Westover <westov...@google.com>, Brian Behlendorf <bbehl...@linuxfoundation.org>, OpenS...@speakeasystrategies.com <OpenS...@speakeasystrategies.com>, Isaac Hepworth <isa...@google.com>, Michael Lieberman <mliebe...@gmail.com>, Joshua Lock <jl...@vmware.com>, slsa-di...@googlegroups.com <slsa-di...@googlegroups.com>, kay...@chainguard.dev <kay...@chainguard.dev>, soro...@chainguard.dev <soro...@chainguard.dev>, Kimberly Samra <kimber...@google.com>, Jeffrey Borek <jbo...@us.ibm.com>
Subject: [EXTERNAL] Re: Comms for SLSA 1.0 — let's plan

Hi, I am also interested in working on it from Intel's side. I will engage with Intel's PR and let me know how are you planning to coordinate On Tue, Mar 7, 2023 at 4: 59 PM 'Melba Lopez' via slsa-discussion <slsa-discussion@ googlegroups. com>

ZjQcmQRYFpfptBannerStart

This Message Is From an Untrusted Sender You have not previously corresponded with this sender.

ZjQcmQRYFpfptBannerEnd

[Arnaud Le Hors]

Hi Brian,

I don’t think we can really say that the Community Spec protocol was followed rigorously per se but I don’t think we are too far off.

 

First the fact is that the 1.0 document is still being worked on so the decision to accept it as final has not been made yet. It’s a good reminder that a formal decision should be made and recorded though.

 

We’ve also been using additional names for the development stages of the spec. We do use “draft” but instead of “approved” we have “final”,  so we ought to make it clear that this is meant to be the same from the protocol point of view.

 

Regards.

-- 

Arnaud  Le Hors - Senior Technical Staff Member - Open Technologies - IBM

 

 

From: slsa-di...@googlegroups.com <slsa-di...@googlegroups.com> on behalf of Brian Behlendorf <bbehl...@linuxfoundation.org>
Date: Wednesday, March 8, 2023 at 2:46 AM
To: Bruno Domingues <brun...@gmail.com>, Melba Lopez <Melba...@ibm.com>
Cc: Jennifer Bly <jb...@linuxfoundation.org>, Scott Westover <westov...@google.com>, OpenS...@speakeasystrategies.com <OpenS...@speakeasystrategies.com>, Isaac Hepworth <isa...@google.com>, Michael Lieberman <mliebe...@gmail.com>, Joshua Lock <jl...@vmware.com>, slsa-di...@googlegroups.com <slsa-di...@googlegroups.com>, kay...@chainguard.dev <kay...@chainguard.dev>, soro...@chainguard.dev <soro...@chainguard.dev>, Kimberly Samra <kimber...@google.com>, Jeffrey Borek <jbo...@us.ibm.com>
Subject: [EXTERNAL] Re: Comms for SLSA 1.0 — let's plan

Hi all! I'm excited to see this released - SLSA is a pillar of the OpenSSF community and will play a key part in the more integrated-architecture picture we hope to paint over the next year. I am not in a position to answer this question for

ZjQcmQRYFpfptBannerStart

To view this discussion on the web visit https://groups.google.com/d/msgid/slsa-discussion/853EBB06-8795-4DD2-970D-5DCD6616FD42%40linuxfoundation.org.

[Arnaud Le Hors]

Actually it’s not called “final” but “stable”:

https://slsa.dev/spec-stages

 

I’m going to submit a PR to indicate that this corresponds to the “Approved” state of the Community Spec protocol or we could just rename it if deemed necessary.

-- 

Arnaud  Le Hors - Senior Technical Staff Member - Open Technologies - IBM

 

 

From: slsa-di...@googlegroups.com <slsa-di...@googlegroups.com> on behalf of Arnaud Le Hors <leh...@us.ibm.com>

Date: Wednesday, March 8, 2023 at 2:09 PM
To: Brian Behlendorf <bbehl...@linuxfoundation.org>, Bruno Domingues <brun...@gmail.com>, Melba Lopez <Melba...@ibm.com>
Cc: Jennifer Bly <jb...@linuxfoundation.org>, Scott Westover <westov...@google.com>, OpenS...@speakeasystrategies.com <OpenS...@speakeasystrategies.com>, Isaac Hepworth <isa...@google.com>, Michael Lieberman <mliebe...@gmail.com>, Joshua Lock <jl...@vmware.com>, slsa-di...@googlegroups.com <slsa-di...@googlegroups.com>, kay...@chainguard.dev <kay...@chainguard.dev>, soro...@chainguard.dev <soro...@chainguard.dev>, Kimberly Samra <kimber...@google.com>, Jeffrey Borek <jbo...@us.ibm.com>

Subject: [EXTERNAL] RE: Comms for SLSA 1.0 — let's plan

Hi Brian, I don’t think we can really say that the Community Spec protocol was followed rigorously per se but I don’t think we are too far off. First the fact is that the 1. 0 document is still being worked on so the decision to accept it as

To view this discussion on the web visit https://groups.google.com/d/msgid/slsa-discussion/DM4PR15MB5378B0131BED0BA2B23F87D0F4B49%40DM4PR15MB5378.namprd15.prod.outlook.com.

[Brian Behlendorf]

Got it, thanks! I just want us to be clear that it's ready for tools vendors, process mavens, and people thinking about provenance and traceability in the context of new regulations, to dive in and consume and integrate with.

De we think a formal press release is worthwhile here? Something to elevate it above the average blog post, use it as a highlight for press pre-briefs, and tie it to other trends in the news? I'd support that.

Brian

-- 
Brian Behlendorf
General Manager, Open Source Security Foundation
bbehl...@linuxfoundation.org
Twitter: @brianbehlendorf

[Aaron Bacchi]

I’m happy to contribute a couple sentence quote from the industry consumer perspective (Verizon) for the OpenSSF release- I could work w my comms team to get the sign off. Just reach out. 

Thanks

Aaron

To view this discussion on the web visit https://groups.google.com/d/msgid/slsa-discussion/49c62151-c9a3-cfb7-6440-2e2a01ca47c0%40linuxfoundation.org.

[Isaac Hepworth]

Thanks all, great to see the excitement here. I definitely share it!

Aaron, particular thanks for volunteering to provide a quote. I suspect we'll want to take you up on that.

I think we can perhaps split the work at hand into two at least to get started:

1. Crafting the comms around the 1.0 Stable release: developing a crisp message which lands well with the audiences about which we care. We have a great existing venue for this work in the form of the SCI Positioning working group. I'd propose that we have the group draft and circulate an initial set of talking points from which we can flesh out fuller comms.
2. Creating and driving a plan for distribution of the message. Here we currently have a gap, afaict, and it was this that I was hoping we might address. Work here would include determining the scope and nature of the comms (to your point, Brian), how PR could help (to yours, Jennifer), which collaborating companies will echo (hi Melba, Bruno, Michael, Scott, Kaylin, etc), what press outreach will look like, etc.

My working hypothesis is that we'll want OpenSSF squarely at the center of (2), and I understand from chatting with Jennifer that she's the right person to pick it up in the first instance. Perhaps I can frame where we're at in a one-pager and we can begin there?

Isaac

[Brian Behlendorf]

Jennifer Bly coordinates messaging across OpenSSF, and while we are extremely deferential to the project communities and local expertise for the specifics, we will want to ensure we're hitting a tone consistent with other OpenSSF comms and voice. So please include her in stream 1. On stream 2 we will need everyone's help of course, but Jennifer oversees the OpenSSF social, blog, and press release channels.

Brian

[Isaac Hepworth]

Makes sense, thanks Brian.

I drafted a one-pager to get us started, or at least on the same page; please take a look and holler if anything looks off, or surprising.

@Jennifer Bly, I made you an editor to take this forward (or discard, and create/share your own!). It's open to suggestions/comments from everyone else.

@Melba Lopez, might we add this to the agenda of the next SCI Positioning meeting?

Isaac

[Melba Lopez]

Yes we can add it as an agenda item 😊

 

I know there are some follow-up blogs we were planning/working on to release shortly after as well to help promote/explain the why’s/how to various audiences. 

 

Melba Lopez

STSM, Supply Chain Security

E-mail: Melba...@ibm.com

Phone: (512) 850-9511

 

My working hours may not be your working hours! Please don’t feel obliged to read or reply to this e-mail outside of your normal working hours.

 

 

From: Isaac Hepworth <isa...@google.com>
Date: Wednesday, March 8, 2023 at 6:04 PM
To: Brian Behlendorf <bbehl...@linuxfoundation.org>
Cc: Aaron Bacchi <aaron....@gmail.com>, Jennifer Bly <jb...@linuxfoundation.org>, Arnaud Le Hors <leh...@us.ibm.com>, Bruno Domingues <brun...@gmail.com>, Jeffrey Borek <jbo...@us.ibm.com>, Joshua Lock <jl...@vmware.com>, Kimberly Samra <kimber...@google.com>, Melba Lopez <Melba...@ibm.com>, Michael Lieberman <mliebe...@gmail.com>, OpenS...@speakeasystrategies.com <OpenS...@speakeasystrategies.com>, Scott Westover <westov...@google.com>, kay...@chainguard.dev <kay...@chainguard.dev>, slsa-di...@googlegroups.com <slsa-di...@googlegroups.com>, soro...@chainguard.dev <soro...@chainguard.dev>
Subject: [EXTERNAL] Re: Comms for SLSA 1.0 — let's plan

Makes sense, thanks Brian. I drafted a one-pager to get us started, or at least on the same page; please take a look and holler if anything looks off, or surprising. @Jennifer Bly, I made you an editor to take this forward (or discard, and

ZjQcmQRYFpfptBannerStart

[Jennifer Bly]

Hi everyone,

Thank you for your enthusiasm! I am looking forward to making this a great announcement. 

I'd really like to get a better sense of the timeline here as the end of March is only 2.5 weeks away, and we will have quite a few moving pieces to make sure we're all in snyc and then to execute on our plan. Would it be possible to aim for the 1.0 release later on a set date in April to give ourselves more time? 

Thanks to Issac for getting the one-pager started, looks great so far. Let's work from that and continue to build from there. Thank you Melba for adding this as an agenda item on the next SCI call, I would like to lean on this group to develop the messaging themes.

Aaron, would love to take you up on providing a quote, and likewise from each of your organizations and others recommended - please leave your recommendations on who else might be able to provide a testimonial in the document or contact me directly.

Best,
Jennifer

[Kris Kooi]

As a point of clarification, the comment period ends on March 24, but we haven't committed to a release date for the final version. We'll probably want at least a week after comments close to address any last-minute feedback, but I wouldn't personally want to push the release date too far into April.

Best,

Kris

To view this discussion on the web visit https://groups.google.com/d/msgid/slsa-discussion/CAKyRQsVCtU%2B_gkyuj3ECgrtmJCBcHVmvYxPXspXK8hkqiiK3rg%40mail.gmail.com.

[Isaac Hepworth]

Thanks all! Particular thanks to Jennifer for taking this forward from here. I agree with Kris fwiw on release date. 

One quick note on the follow-up blog posts being planned: it'd be great imo if we had a very deliberate and careful eye on what information might be diverted instead to the core SLSA documentation. Particularly the "how"-type concerns might best belong there, and there's an existing issue capturing the target docs structure we can hang stuff off of.

Perhaps this is a conversation we can have in the Positioning working group next week too. I've added a couple of proposed items to the agenda corral.

Thanks again,

Isaac

[Emmy Eide]

Hi team, 

Sorry I am a bit late in responding. I was on PTO. Red Hat would like to participate in comms as well. Adding @Kathleen Goeschel and @Laura Seay (and myself) to help with that. 

Emmy Eide

She/Her

Director, Product Security, Software Supply Chain

Red Hat

To view this discussion on the web visit https://groups.google.com/d/msgid/slsa-discussion/CAMYDBzE8%2BwJw3zQFgJ96%3DUrv%3Dm_%3DTynzppUO57Fxf8U44Vg7Jg%40mail.gmail.com.

[Jennifer Bly]

Thanks Emmy! 

And I'd like to set up a call in the next week for anyone who is able to make it for us to kick off the comms planning for SLSA 1.0. I started a doodle poll here to find a good time: https://doodle.com/meeting/participate/id/enR28vle Would be great to have someone from your organizations to join to discuss and coordinate strategy, but for anyone who is unable to make this call, we'll be sure to take notes.

Best,

Jennifer

--

[Jennifer Bly]

Hi everyone, looks like the best time for many of us is Wednesday, March 15th at 4 PM ET, so I will send around an invite for everyone on this email thread. If I am missing anyone please feel free to forward the invite. And I look forward to discussing strategy tomorrow with those who can make it. For anyone who can't, we will provide notes.

Best,

Jennifer

[Kaylin Trychon]

Thanks, Jennifer! 

--

Kaylin Trychon Vice President of Global Marketing, Communications & External Affairs  Chainguard kay...@chainguard.dev  |  978.490.4036 | chainguard.dev

[Laura Seay]

Thank you! 

--

Laura Seay 
Manager, Product Security Supply Chain Operations 
Red Hat
Email: ls...@redhat.com  
Mobile: (407)267-5666