cncf / landscapeapp

🌄Upstream landscape generation application
https://landscapes.dev/
Apache License 2.0

Create a Sigstore Landscape #818

Open tracymiranda opened 2 years ago

tracymiranda commented 2 years ago

Sigstore is a project that is part of OpenSSF. This landscape would represent Sigstore's ecosystem (and eventually be embedded in the OpenSSF main landscape). Goals for the landscape:

- Ideally l.sigstore.org would be hosted at https://github.com/sigstore/sigstore-landscape
- It should include a guide in the first version
- The initial layout is loosely based on l.graphql.org

Here's a sketch: [image: 20220412_094036 (2)]

tracymiranda commented 2 years ago

Please let me know what info is needed when and I'll start to pull it all together!

AndreyKozlov1984 commented 2 years ago

Hi @tracymiranda, create a new repo for a start, and add me as a collaborator to the repo.

caniszczyk commented 2 years ago

Please ensure it's in an OpenSSF-owned repo by end of day.

tracymiranda commented 2 years ago

@AndreyKozlov1984 repo is here and you should have access: https://github.com/sigstore/landscape

AndreyKozlov1984 commented 2 years ago

Ok, that is great! @caniszczyk just to make it clear, this will be its own landscape, because if we want to have a new tab in the OpenSSF landscape, we had better start there.

But if we want its own guide, an independent landscape is the best option, and we can give a link from one landscape to the other from OpenSSF.

caniszczyk commented 2 years ago

My preference is to do this as a tab in the openssf landscape: https://landscape.openssf.org

Like we have the serverless tab/landscape in the CNCF landscape.

AndreyKozlov1984 commented 2 years ago

@tracymiranda @caniszczyk then here is what I'm going to do: in the OpenSSF landscape I'll make a new branch. There I'll add a new tab, called "SigStore", and will create a new category with subcategories to fill it. And I will add a few items for a start.

Regarding the guide, right now the guide supports only the main landscape, but there is no reason why it cannot support an extra tab.

Is that fine?

caniszczyk commented 2 years ago

+1

tracymiranda commented 2 years ago

SGTM, if we can still have the guide and meet the stated goals then I don't mind where this lives.

AndreyKozlov1984 commented 2 years ago

@tracymiranda sorry for the delay. I started to put everything here as a preview: https://deploy-preview-140--ossflandscape.netlify.app/sigstore. I'm going to fill everything today with bogus records, and then slowly we can put in real info.

For each item in your sketch I need a homepage_url, github_url, icon, name and a crunchbase entry. I'll try to find these myself when it is something trivial.

Regarding the guide - let's start it right now. Give me any text, preferably in markdown, and I'll try to convert it to the guide.

Feel free to contact me in Slack or here; I'm going to get this tab populated today.

tracymiranda commented 2 years ago

🎉 this is pretty sweet, thank you @AndreyKozlov1984.

Here's a first version of a guide we can use (see below); let me know if this format works. I'll start to gather up the links and icons for the rest of the landscape.

## Introduction

Sigstore is a new standard for signing, verifying and protecting software.
It can be used to make sure your software is what it claims to be. Learn more at https://www.sigstore.dev/ 

<section data-category="Projects">

Sigstore is made up of a combination of technologies to handle signing, verification and provenance checks that respect privacy and work at scale. This section shows the open source subprojects that make up Sigstore as well as non-code projects that support the Sigstore community such as roadmap and specification.

<section data-category="Services">

In some cases Sigstore services are run as public instance, for example, the public instance of the Rekor transparency log used to verify signatures. This section allows you to discover public instances run by the community and or organizations who host Sigstore services.

<section data-category="Integrations">

Use of Sigstore is sometimes transparent to users as its signing and verification functionality is seamlessly integrated with version control or build software. This section highlights open source and closed source tools, platforms and applications that integrate Sigstore functionality such that users of those tools may benefit from software signing and verification.

<section data-category="Signed With">

This section highlights open source and closed source software that use Sigstore for signing artifacts. That means that users of these tools are able to verify the integrity of artifacts using Sigstore.

<section data-category="End user Adopters">

This section showcases organizations that currently use Sigstore as part of their software supply chain security toolbox. That means the organizations are at a minimum signing internal artifacts with Sigstore. Each organization links to a specific case study to highlight how they are using Sigstore.

tracymiranda commented 2 years ago

(just updated the comment to make sure the markdown shows up properly)

AndreyKozlov1984 commented 2 years ago

Great, that would be a good start. We have a maximum of one guide per website, but so far OpenSSF does not have any guide. I'll add your guide soon.

tracymiranda commented 2 years ago

Ack - we can integrate this guide into a main one when openssf get to that stage.

Here are details of 2 entries in the 'signed-by' category:

  1. Kubernetes - icon, website, repo & crunchbase same as here: https://landscape.cncf.io/?selected=kubernetes. The additional field 'How to verify' should point to 'https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-images/'.

  2. Flux - icon, website, repo & crunchbase same as here: https://landscape.cncf.io/?selected=flux. The additional field 'How to verify' should point to 'https://fluxcd.io/blog/2022/02/security-image-provenance/'.

I'll aim to do the same for other categories next week. Please let me know if any questions.
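As an added illustration (not part of the thread, and not a file from the landscapeapp or sigstore repos), here is how the two 'signed-by' entries above could be expressed in the landscape.yml format that landscapeapp reads. The field names `name`, `homepage_url`, `repo_url`, `logo` and `crunchbase` are the ones landscapeapp's landscape.yml uses (the thread's "github_url" corresponds to `repo_url`); the `extra:` map is assumed to be the place for the custom 'How to verify' field, and the key `how_to_verify` is a constructed name, as is the tab/category layout.

```yaml
# Added example, not a file from the thread or either project.
# Category and subcategory names are constructed; the URLs come from the thread.
landscape:
  - category:
    name: Sigstore
    subcategories:
      - subcategory:
        name: Signed With
        items:
          - item:
            name: Kubernetes
            homepage_url: https://kubernetes.io/
            repo_url: https://github.com/kubernetes/kubernetes
            # logo filename is a constructed placeholder; landscapeapp expects an SVG
            logo: kubernetes.svg
            crunchbase: https://www.crunchbase.com/organization/kubernetes
            extra:
              # assumed custom key carrying the thread's 'How to verify' link
              how_to_verify: https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-images/
          - item:
            name: Flux
            homepage_url: https://fluxcd.io/
            repo_url: https://github.com/fluxcd/flux2
            logo: flux.svg
            crunchbase: https://www.crunchbase.com/organization/flux
            extra:
              how_to_verify: https://fluxcd.io/blog/2022/02/security-image-provenance/
```

The value of keeping the verification link as structured data rather than free text is that the landscape can render it as a consistent "How to verify" button per entry, so a consumer of any listed artifact lands directly on the producer's documented verification procedure instead of guessing which key or identity to check against.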

AndreyKozlov1984 commented 2 years ago

Thank you, all looks fine now. Please provide more details for other categories; if you know that a certain item exists in another landscape, I'll just copy it from there and add extra fields like 'How to verify'.

Regarding the guide, I will update you later today; so far no issues.

AndreyKozlov1984 commented 2 years ago

@tracymiranda I've added a guide.

tracymiranda commented 2 years ago

Thanks @AndreyKozlov1984 - is there a new link to see the deploy preview?

Also we now have the Sigstore logo for one entry:

- icon: https://github.com/ossf/artwork/blob/master/sigstore/stacked/color/Sigstore-logo_stacked-color.svg
- website: https://www.sigstore.dev/
- repo: https://github.com/sigstore/sigstore
- crunchbase: https://www.crunchbase.com/organization/sigstore

Please let me know if I should submit a PR anywhere or if that is enough info to add it in. (Subproject logos still in progress...)

tracymiranda commented 2 years ago

We now have the logos ready for the subprojects. [attachment: SVG-color-horizontal (1).zip]

There are four entries:

  1. Cosign website: https://docs.sigstore.dev/cosign/overview repo: https://github.com/sigstore/cosign

  2. Gitsign website: https://docs.sigstore.dev/gitsign/overview repo: https://github.com/sigstore/gitsign

  3. Fulcio website: https://docs.sigstore.dev/fulcio/overview repo: https://github.com/sigstore/fulcio

  4. Rekor website: https://docs.sigstore.dev/rekor/overview repo: https://github.com/sigstore/rekor

If we need a crunchbase entry, then we'd use the parent one of sigstore: https://www.crunchbase.com/organization/sigstore

AndreyKozlov1984 commented 2 years ago

Great, @tracymiranda, I'll update you after I add these entries.