Documentation and diagrams

[pburkholder]

A few questions in no particular order:

• http://opencontrol.xyz/pipelines/ references Spruce and has a notional architecture which includes it. Am I right that that is obsolete?
• This is a great diagram from @mogul: .
  • Does it still represent the design intentions?
  • Are "fork+append" and "fork+amend" still part of the envisioned workflow?
  • Probably nothing has been so useful to me this week than the sidebar comment "Certifications are just collections of references to standards" -- which was the "Oh! now I get it" moment for me.

[mogul]

I can't speak to what's on opencontrol.xyz... This is the first I was even aware that it existed! 😊

Yes, it's still roughly correct. It's gone even farther than "fork+append" and "fork+amend" now, in that your opencontrol.yaml can assemble "your controls" from multiple repositories, and in fact point at specific revisions in those repositories! I'm happy that the diagram was so helpful! 🎉

[mogul]

Thinking about this a little more: The boxes surrounding the stack of controls, standards, and certifications have essentially coalesced to become the opencontrol.yaml file which specifies what set you're working with in all three cases.

[afeld]

http://opencontrol.xyz/pipelines/ references Spruce and has a notional architecture which includes it. Am I right that that is obsolete?

There's an open issue around spruce here: https://github.com/opencontrol/compliance-masonry/issues/49. Followed up there.

Probably nothing has been so useful to me this week than the sidebar comment "Certifications are just collections of references to standards"

Good to know! Where would be a good place to document that?

[mogul]

Closing as inactive; open new issues if followup is needed!