[Project] "Research" Subactivity

[JustinCappos]

Description: The STAG group members often have good ideas they want to get out to the broader community. We've started to write up blog entries, etc. It may be useful to have a process to have them come out from STAG and be marketed as such.

Here is an example article: https://thenewstack.io/security-of-software-update-systems-in-2023/

Impact: This will help others get security awareness and bring in new contributors to TAG Security.

Scope: It will take a week to a month for the authors of each post depending on the content. There will be some minor work for the organizers to choose the topics and coordinate logistics. Most likely the group will publish 3-4 of these a year so that work will not be onerous.

Intent to lead:

• [X] I volunteer to be a project lead on this proposal if the community is interested in pursing this work. This statement of intent does not preclude others from co-leading or becoming lead in my stead. (I nominate @anvega to potentially take this over if he is interested)

Proposal to Project:

• [X] Added to the planned meeting template for August 30th
• [X] Raised in a Security TAG meeting to determine interest - August 30th
• [ ] Collaborators comment on issue for determine interest and nominate project lead
• [ ] Scope determined via meeting mm dd and/or shared document add link with call for participation in #tag-security slack channel thread add link and mailing list email add link
• [ ] Scope presented to Security TAG leadership and Sponsor is assigned

TO DO

• [X] Security TAG Leadership Representative: @JustinCappos @anvega
• [X] Project leader(s): @JustinCappos @anvega
• [ ] Issue is assigned to project leaders and Security TAG Leadership Representative
• [ ] Project Members:
• [ ] Fill in addition TODO items here so the project team and community can see progress!
• [ ] Scope
• [ ] Deliverable(s)
• [ ] Project Schedule
• [ ] Slack Channel (as needed)
• [ ] Meeting Time & Day:
• [ ] Meeting Notes (link)
• [ ] Meeting Details (zoom or hangouts link)
• [ ] Retrospective

[torinvdb]

Happy to assist with blog research and writing. I have experience as a graduate research student and am currently working on multiple CNCF security projects.

[anvega]

Formalized this project as a working group in https://github.com/cncf/tag-security/pull/1271

I'll be creating a new issue with the next research target and updating the research directory with potential future projects. We've started on, focusing on the state of the new NIST lattice-based algorithms and post-quantum crypto. Specifically, I'm examining liboqs, which has made significant progress with forks of OpenSSL and BoringSSL. However, there are still challenges with handling the large key and signature sizes. Additionally, I'm looking into a few projects that aim to integrate this into ecosystem projects.

[eddie-knight]

@JustinCappos This was just brought to my attention... I see we slipped it into the docs during the repo reorganization, but I don't believe any other steps were taken to launch this as a new WG.

[JustinCappos]

I'm not sure whether to think about this as a WG or whatever, but the basic idea was to encourage ourselves to publish something in this vein every 4-6 months.

The idea was also to trade off between authors. I wrote the prior one, so I'm out of rotation for a while...

On Mon, Nov 4, 2024 at 11:18 AM Eddie Knight @.***> wrote:

@JustinCappos https://github.com/JustinCappos This was just brought to my attention... I see we slipped it into the docs during the repo reorganization, but I don't believe any other steps were taken to launch this as a new WG.

— Reply to this email directly, view it on GitHub https://github.com/cncf/tag-security/issues/1105#issuecomment-2455138607, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAGROD42JYXGX4AGENH7J4DZ66F3XAVCNFSM6AAAAABJFIHVTWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINJVGEZTQNRQG4 . You are receiving this because you were mentioned.Message ID: @.***>