ossf / tac

Technical Advisory Council
https://openssf.org

add zarf as an openssf sandbox project #341

Closed salaxander closed 1 week ago

lehors commented 3 weeks ago

As documented in the Project creation or change of lifecycle stage, this PR should also modify the table listing the projects in the README of this repo. In this case it should add the project with the status as Sandbox, with a link to the change request md file that you are adding as part of this PR. Thank you.

hythloda commented 3 weeks ago

We have requested the IP / License for this project intake

salaxander commented 3 weeks ago

As documented in the Project creation or change of lifecycle stage, this PR should also modify the table listing the projects in the README of this repo. In this case it should add the project with the status as Sandbox, with a link to the change request md file that you are adding as part of this PR. Thank you.

Note: I've added Zarf to the table in the README. We will be moving the project to a company independent GitHub org in the near future. At that time I'll be sure to update this link.

SecurityCRob commented 3 weeks ago

@hepwori has this been discussed and approved by the SCI WG?

lehors commented 3 weeks ago

We will be moving the project to a company independent GitHub org in the near future. At that time I'll be sure to update this link.

Since you have to move it you might want to consider simply moving it under ossf.

hepwori commented 3 weeks ago

@hepwori has this been discussed and approved by the SCI WG?

Preliminarily, yes! We've had two live briefings over the last few months, and in the WG meeting earlier today we had a show of hands as to adding Zarf with no objections. The final approval step will be to inform the mailing list; I hope to send that out today, referencing the link to this issue.

CoS-Harry commented 3 weeks ago

Bennett will work with the maintainers of Zarf following TAC action on the application to move it to the right org.

steiza commented 3 weeks ago

Does this require a TAC vote? Or once @hepwori says it's accepted are we good to go (modulo any missing information on the pull request?)

From https://github.com/ossf/tac/blob/main/process/project-lifecycle.md:

Projects must seek one TAC sponsor or one WG sponsor (if reporting to a WG)

  • TAC or WG sponsor agrees to attend Project meetings regularly
  • TAC or WG sponsor does not need to have a formal role in Project, e.g., maintainer
  • TAC or WG sponsor requests TAC approval

If the project is reporting to SCI WG, and @hepwori is the WG sponsor and says it's good, I think we're good to go? It is possible I misunderstand the process!

hythloda commented 3 weeks ago

Before merging we need to review the IP and license review.

Before any announcement the charter needs approval by Zarf and the contribution agreement needs to be signed.

sevansdell commented 3 weeks ago

I approve pending the IP and license review, the charter approval by Zarf, the contribution agreement being signed, the SCI WG approval, and the TAC sponsor being identified. (I will be out for the June 11 TAC meeting, and am trying to be proactive.)

SecurityCRob commented 2 weeks ago

Does this require a TAC vote? Or once @hepwori says it's accepted are we good to go (modulo any missing information on the pull request?)

From https://github.com/ossf/tac/blob/main/process/project-lifecycle.md:

Projects must seek one TAC sponsor or one WG sponsor (if reporting to a WG)

  • TAC or WG sponsor agrees to attend Project meetings regularly
  • TAC or WG sponsor does not need to have a formal role in Project, e.g., maintainer
  • TAC or WG sponsor requests TAC approval

If the project is reporting to SCI WG, and @hepwori is the WG sponsor and says it's good, I think we're good to go? It is possible I misunderstand the process!

Yes, if SCI agrees, then we just need LF Legal to work their magic, and consider the TAC "informed". It sounds like we are in agreement on this proposal though. Looking forward to seeing cool things out of the team!

hythloda commented 2 weeks ago

The IP and License Review is expected by June 21st. Sorry for the delay.

salaxander commented 1 week ago

@hythloda everything going ok with the license review? Definitely let us know if there's anything we can do to help move things along :)

Thanks!

hythloda commented 1 week ago

@hythloda everything going ok with the license review? Definitely let us know if there's anything we can do to help move things along :)

Thanks!

Thanks @salaxander! The review just takes some internal time. Hoping it gets done soon this week rather than later :)

jeffcshapiro commented 1 week ago

LF License Intake Scan Report:

LICENSE INTAKE SCAN & ANALYSIS: OpenSSF: Zarf DISTRIBUTION: Amanda Martin, https://github.com/ossf/tac/pull/341

CODE SCANNED: [pulled 19-JUNE-2024] https://github.com/defenseunicorns/zarf

PROJECT LICENSE: Apache-2.0

SPDX LICENSE IDENTIFIERS: SPDX license identifiers were found in source file headers.

PERMISSIVE LICENSES: Apache-2.0

COPYLEFT LICENSES: None found

SOURCE AVAILABLE LICENSES: None found

PROPRIETARY LICENSES: None found

LICENSE CONFLICTS: None found

BINARY / PACKAGE FILES: None found

THIRD PARTY CODE / DEPENDENCIES: None found

THIRD PARTY NOTICE FILE: None found

SUMMARY FINDINGS: All of the scanned code is under the project license, Apache-2.0. SPDX license identifiers were found in source file headers. No license conflicts found. No dependencies or third party code detected in repo.

salaxander commented 1 week ago

@lehors updated now that the license scan is complete