Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SBOMit Sandbox Project Application #192

Merged
merged 4 commits into from
Oct 5, 2023
Merged

SBOMit Sandbox Project Application #192

merged 4 commits into from
Oct 5, 2023

Conversation

idunbarh
Copy link
Contributor

@idunbarh idunbarh commented Aug 16, 2023

The SBOMit project is seeking sandbox maturity level entry into the OpenSSF.

SBOMit was presented to the Security Tooling WG on 8/15/23 and the slides are available at ...

We believe we meet OpenSSF Sandbox requirements.

  • Projects must have a minimum of two maintainers with different organization affiliations.
  • Projects must be aligned with the OpenSSF mission and either be a novel approach for existing areas or address an unfulfilled need. It is expected that the initial code needed for an OpenSSF WG to work be kept within their repository and will not function as a project in its own right. Should initial WG code grow and mature that it warrants its own Project status, then it is subject to Sandbox entry requirements. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project.
    • Software Bills of Materials (SBOMs) often suffer from inaccuracy, primarily due to a retrospective approach to software analysis that fails to accurately track components. This challenge is becoming more pressing with the rise of sophisticated supply chain attacks requiring advanced technology and robust frameworks like the Secure Software Development Framework (SSDF) for comprehensive security.
  • If contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF).

Remaining Actions

  • Complete IP Review
  • Security Tools WG support confirmation

SBOMit Links

SBOMit is licensed as CC-BY-4.0.

@idunbarh idunbarh marked this pull request as ready for review August 16, 2023 16:30
@mlieberman85
Copy link
Contributor

I read through what's currently there for the specification, and one big suggestion I have is an example, even if it's a contrived hello world example would be useful to really understand how SBOMit intends to solve the problem posed in the specification and presentation.

@idunbarh
Copy link
Contributor Author

idunbarh commented Sep 3, 2023

There is some discussion around licensing of the SBOMit specification on the LF License review issue. Initial discussion with the SBOMit maintainers is to accept a change to Community Specification License 1.0, OWFa or W3C on condition of Sandbox status being accepted.

Ideally the TAC can review our application and discuss at the next meeting. If the vote is to accept pending the license change, the SBOMit maintainers will work the license change in parallel.

I also updated slides (4 and 5) updated to detail the difference between SBOMit and signed SBOMs. This was a common question from TAC members.

@idunbarh
Copy link
Contributor Author

idunbarh commented Sep 7, 2023

Adding some updates since the TAC meeting on Tuesday.

  • Added proof of concept sample reference implementation https://github.com/SBOMit/protobomit.
  • Had agreement from maintainers to switch specification licensing to Community Specification License 1.0 and working on implementing the license change.

@idunbarh
Copy link
Contributor Author

idunbarh commented Sep 8, 2023

SBOMit lifecycle docs update to reflect change to using Community Specification License 1.0 as requested by LF IP Review.

@mlieberman85
Copy link
Contributor

(starting the voting thread) +1 Binding from me.

@SecurityCRob
Copy link
Contributor

voting - +1 for me to adopt based on reaction to feedback & adjustment of license (thanks!)

@steiza
Copy link
Member

steiza commented Sep 15, 2023

+1 for me - the project is in a early phase, but that's what the sandbox step is for!

@lehors
Copy link
Contributor

lehors commented Sep 15, 2023

As I explained multiple times in various places: under our current governance structure this cannot be brought in as a project. Because it is not primarily focused on producing code, it ought to be categorized as a SIG (for which there is no sandbox stage).
But I'm otherwise fine with bringing this work into OpenSSF.

@torgo
Copy link
Contributor

torgo commented Sep 17, 2023

+1 from me.

@bobcallaway
Copy link
Contributor

+1 from me

@jsoref
Copy link
Contributor

jsoref commented Sep 18, 2023

Assuming the other items are correctly spelled, can you try following the instructions in https://github.com/ossf/tac/actions/runs/6218203711?pr=192#summary-16874345424 ? (If they don't make sense, please let me know)

@JustinCappos
Copy link
Contributor

I'm finding a bit ironic that the OpenSSF is asking me to curl and run a perl script from the Internet... 😃

To accept ✔️ these unrecognized words as correct, run the following commands
... in a clone of the git@github.com:SBOMit/tac.git repository
on the main branch (ℹ️ how do I use this?):

curl -s -S -L 'https://raw.githubusercontent.com/check-spelling/check-spelling/v0.0.21/apply.pl' |
perl - 'https://github.com/ossf/tac/actions/runs/6218203711/attempts/1'

I'm not super conversant in Perl and I'm about to head to bed. The flagged items are actually spelled correctly, if someone else from the SBOMit group has a moment to sanity check what is happening and then tell the spellchecker to ignore these issues.

@jsoref
Copy link
Contributor

jsoref commented Sep 18, 2023

You can manually add the items to
https://github.com/SBOMit/tac/blob/main/.github/actions/spelling/expect.txt if you're more comfortable w/ that. And https://github.com/ossf/tac/blob/main/.github/actions/spelling/advice.md can be adjusted to provide instructions to do that.

(Updated to be slightly more precise, sorry about the confusion)

@di
Copy link
Member

di commented Sep 18, 2023

+1

@JustinCappos
Copy link
Contributor

Okay, I've submitted a PR with those words added. #200

@jsoref
Copy link
Contributor

jsoref commented Sep 19, 2023

@JustinCappos You kind of want to do something like SBOMit/tac@main...JustinCappos:tac:patch-2 -- i.e. creating the PR from your repo into the SBOMit repo.

check-spelling will suggest deleting things that aren't needed, so those would be orphaned and reaped by the next person who followed its instructions.

Copy link
Contributor

@SecurityCRob SecurityCRob left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

6 of 7 TAC members voted to approve, with 1 not responding. Arnaud brings up good points that we need to have a spec-focused group entry in our governance, but that should not block this effort.

@mnm678
Copy link

mnm678 commented Oct 3, 2023

6 of 7 TAC members voted to approve, with 1 not responding. Arnaud brings up good points that we need to have a spec-focused group entry in our governance, but that should not block this effort.

Thanks! So is this pr ready to merge?

@mlieberman85
Copy link
Contributor

6 of 7 TAC members voted to approve, with 1 not responding. Arnaud brings up good points that we need to have a spec-focused group entry in our governance, but that should not block this effort.

Thanks! So is this pr ready to merge?

Yep just need to fix the merge conflicts and it's ready to go

@hythloda
Copy link
Member

hythloda commented Oct 4, 2023

6 of 7 TAC members voted to approve, with 1 not responding. Arnaud brings up good points that we need to have a spec-focused group entry in our governance, but that should not block this effort.

Thanks! So is this pr ready to merge?

Yep just need to fix the merge conflicts and it's ready to go

I tried to resolve the conflicts but I don't have write permission on this branch to help :(

idunbarh and others added 3 commits October 4, 2023 09:12
Signed-off-by: Ian Dunbar-Hall <ian.dunbar-hall@lmco.com>
Co-authored-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
Signed-off-by: Justin Cappos <justincappos@gmail.com>
Signed-off-by: Ian Dunbar-Hall <ian.dunbar-hall@lmco.com>
@idunbarh
Copy link
Contributor Author

idunbarh commented Oct 4, 2023

@hythloda rebased the SBOMit application changes and resolved the conflicts.

@hythloda
Copy link
Member

hythloda commented Oct 5, 2023

@jsoref is the spelling workflow broken or something in the file?

@jsoref
Copy link
Contributor

jsoref commented Oct 5, 2023

@hythloda unfortunately check-spelling is looking at files as a whole, it found these items in the files changed in this PR:

CRob
Roadmap
Sigstore
TUF

The reason it cares about TUF and not tuf is because there's a pattern that means that it won't see the url that contains tuf -- and it has no idea if tuf is used throughout the rest of the repository because it isn't checking the other files.

I just released a version last week which would have told you which lines it found each item in (which should have helped things a lot) and which files it was checking (which would have improved things a little).

I need to think about the logic of the only changed files feature (it exists for this sort of repository use case, but I rarely use it) -- I suspect the advice it gives should be to add items into allow.txt instead of into expect.txt (a distinction here is that allow.txt doesn't do any pruning, and doesn't have any case tolerance, so it wouldn't have promised that the presence of tuf meant that TUF was ok). I have a PR drafted to upgrade this repository to the version I just released, but in testing it, I realized that it wasn't offering advice.md at all, which isn't great, so I was thinking about what to do (the easiest thing here is to change the advice.md file to suggest using allow.txt instead...)

But basically, the goal here is for it to ask people if they're ok with the words that are used, if they are, the check isn't mandatory and once it merges, future PRs that don't change those files won't be asked about those items.

Oh..., there is a workflow change we could/should make which is adding quit_without_error: 1 to these two with blocks:


That'd result in you not seeing a ❌ but instead getting the ✅ .

So, long story short:

  1. to get a ✅ here, add the four words to allow.txt or expect.txt (it won't care, I'd favor the former)
  2. to get ❌s to stop appearing going forward, we'd want to copy quit_without_error: 1 to those two other with: blocks.

@idunbarh
Copy link
Contributor Author

idunbarh commented Oct 5, 2023

@hythloda I'll make @jsoref's recommended changes in our fork. Thanks @jsoref for the info!

idunbarh referenced this pull request in SBOMit/tac Oct 5, 2023
@hythloda hythloda merged commit c158f54 into ossf:main Oct 5, 2023
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.