ossf / tac

Technical Advisory Council
https://openssf.org

sigstore joining the OpenSSF as a project #64

Closed lukehinds closed 2 years ago

lukehinds commented 2 years ago

As discussed during the last TAC, sigstore is interested in joining the OpenSSF as a project. This issue is to facilitate discussions within the TAC.

sigstore is an open source answer to software supply chain trust and security. It consists of a community of 386 contributors across 20 organizations, who produce the tools and services to allow developers to easily sign, verify and attest all supply chain artifacts.

sigstore is currently situated in the Linux foundation as its own project and is now receptive to joining with the OpenSSF to help drive the improvement of supply chain security.

sigstore will run as a public good, non-profit service funded by supporters. The project has to this date already been in soft launch for over 6 months with almost 1 million signing records stored within its public ledger service.

sigstore has secured an initial funding bootstrap via Chain Guard, Red Hat, Google, VMWare, Cisco, HPE to help with the large adoption the project is experiencing by means of a professional security audit and developer relations engineer. sigstore is supportive of receiving funding under the OpenSSF and seeking synergies around the supply chain space. This would place sigstore as an OpenSSF project, under the OpenSSF brand.

sigstore is currently being implemented into the scorecards project.

Various quotes on sigstore:

“Securing a software deployment ought to start with making sure we're running the software we think we are. sigstore represents a great opportunity to bring more confidence and transparency to the open source software supply chain.” Josh Aas, Executive Director at ISRG / Let's Encrypt

“sigstore will make code signing free and easy for software developers, providing an important first line of defense.” Lily Hay Newman, Wired Magazine

“sigstore a small big significant step towards making OSS more secure: easy code signing and verification.” Urs Hölzle, SVP Engineering at Google

“sigstore is a key step towards building trust and transparency in the open source supply chain.” Chris Wright, CTO at Red Hat

Further details:

https://www.sigstore.dev/

https://github.com/sigstore

jstclair2019 commented 2 years ago

I'd like to add as an interested party that LFPH has both Cisco and VMWare on our BoD, and would welcome collaboration with SigStore and OSSF as part of medical device security and SBOMs. I can also see collaboration with Hyperledger for including SigStore as part of verifiable credentials (VCs) and decentralized identifiers with IoT devices, especially patient-facing. Thanks!

david-a-wheeler commented 2 years ago

+1

jenniferfernick commented 2 years ago

Per our November 16th TAC meeting, Sigstore officially became an OpenSSF project! 🎉

From meeting minutes: "On voice vote of TAC, there were no objections and no deferments and many “yeses”. Sigstore is accepted into the OpenSSF by the TAC as a project (as sibling to WGs & Alpha-Omega)."