Closed fdegir closed 1 year ago
Cc'ing some of the SIG Software Supply Chain folks who may have missed this PR since it was sent on the existing documentation in this repository: @lmilbaum @gkunz @mgreau @majinghe @todaywasawesome @davidmirror-ops @tdcox
Some notes from the discussion during SIG Software Supply Chain Meeting on 2022-04-28:
@tdcox I tried to write the points you highlighted down based on the notes I've taken during the meeting. Please update if I missed and/or misquoted things.
Please feel free to open this if you would still like this change, but given its staleness, I think folks have moved on.
CDF SIG Software Supply Chain started working on identifying pipeline stages that may be employed by organizations to ensure the security and compliance of the software they are consuming and producing.
This commit is the first commit in a series, adding the first pipeline stage, OSS Introduction Stage, in order to seek community feedback.
More information about this stage is available in the SIG Software Supply Chain PoC document: https://hackmd.io/U6q685gFTdWRrkWZechvGw?view#OSS-Introduction