Skip to content

Commit

Permalink
Add gittuf application
Browse files Browse the repository at this point in the history
Signed-off-by: Aditya Sirish <[email protected]>
  • Loading branch information
adityasaky committed Sep 28, 2023
1 parent 993de76 commit f9337e2
Show file tree
Hide file tree
Showing 3 changed files with 134 additions and 0 deletions.
10 changes: 10 additions & 0 deletions .github/actions/spelling/expect.txt
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
Abhishek
adityasaky
Administrativia
adware
aeva
Expand All @@ -18,6 +19,7 @@ Benzies
blogging
Brasseur
Bressers
Cappos
CEOs
chainguard
Channable
Expand All @@ -29,11 +31,13 @@ Civs
CLA
CNCF
Coinbase
COPYLEFT
Corail
CPython
crob
CSAF
curating
curtmola
CVD
CVEs
CVRF
Expand All @@ -53,6 +57,7 @@ Ferraioli
Foxboron
frenemy
fyi
gittuf
Gendreau
Gesmer
google
Expand Down Expand Up @@ -133,6 +138,7 @@ repurposable
rescope
rescoping
resourcing
reza
Rezilion
RFPs
rhaning
Expand All @@ -154,8 +160,10 @@ Shopify
Shortlist
sif
sigstore
Sirish
SKF
SLSA
SNYK
Sonatype
sourcing
stakeholders
Expand Down Expand Up @@ -190,7 +198,9 @@ wagoodman
WGs
Wipro
wishlist
wlynch
Yehuda
Yelgundhalli
Yoav
Yotam
youtube
Expand Down
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ Diagrams with an overview of the OpenSSF, including its projects and SIGs, are a
| Best Practices Badge | https://github.com/coreinfrastructure/best-practices-badge | [Mailing list](https://lists.coreinfrastructure.org/mailman/listinfo/cii-badges) | Best Practices WG | TBD |
| Criticality Score | https://github.com/ossf/criticality_score | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit?usp=sharing) | Securing Critical Projects WG | TBD |
| Fuzz Introspector | https://github.com/ossf/fuzz-introspector | [Meeting Notes](https://docs.google.com/document/d/1jzxhzIfkOMTagpeFWYoZpMKwHYeO4Gc7Eq5FcMFEw2c/edit?usp=sharing) | Security Tooling WG | TBD |
| gittuf | https://github.com/gittuf/gittuf | TBD | Supply Chain Integrity WG | Sandbox |
| OSV Schema | https://github.com/ossf/osv-schema | [Meeting Notes](https://docs.google.com/document/d/1jzqhW9SK9QRA39fQz0RiAkvpRWB0xztt1TAFJEseTlA/edit?usp=sharing) | Vulnerability Disclosures WG | TBD |
| Package Analysis | https://github.com/ossf/package-analysis | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit) | Securing Critical Projects WG | TBD |
| Package Feeds | https://github.com/ossf/package-feeds | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit) | Securing Critical Projects WG | TBD |
Expand Down
123 changes: 123 additions & 0 deletions process/project-lifecycle-documents/gittuf_sandbox_stage.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
## Application for gittuf at Sandbox stage

### List of project maintainers

* Aditya Sirish A Yelgundhalli (New York University, @adityasaky)
* Billy Lynch (Chainguard, @wlynch)
* Justin Cappos (New York University, @JustinCappos)
* Reza Curtmola (New Jersey Institute of Technology, @reza-curtmola)

### Mission of the project

Git is the most popular source control management system in the world but it
largely leaves security controls either to the developers or to the hosts
storing a copy of some repository. gittuf's mission is to implement security
controls into Git repositories using existing Git semantics like its support for
cryptographic signatures and its content addressed store. By embedding source
security policies into the repository, gittuf makes policies transparent that
enables _distributed verification_ by all repository users. Further, as gittuf
versions and tracks changes to policies using Git semantics, past repository
states can be _audited_ against the then-applicable policies.

gittuf aims to embed features like distribution, rotation, and revocation of the
keys trusted for repositories. In addition, gittuf allows repository owners to
define access control policies for Git branches, tags, and files. Also, gittuf
aims to implement support for SLSA's (under development) source security track
by allowing repository owners to define policies for code review attestations,
automated testing attestations, and more. Finally, gittuf presents an extensible
layer that can implement more Git-specific security features in future.

In summary, gittuf aims to offer the following improvements / properties to
Git's security:
* Key Management: distribute and revoke Git signing keys in the context of
repositories
* Reference State Log: unambiguous, ordered log of repository activity with
authorship verified using cryptographic signatures
* Access Control Policies: create policies that dictate which developers can
write to specific Git branches, tags, and files tracked in the repository
using the reference state log
* Support Attestations: support in-toto and SLSA source track attestations to
enable verifying source code policies like code review requirements, test
results and more
* Distributed and Transparent Verification: enable all developers to verify
without reliance on centralized policy verification
* Auditable Repository Policies: track all versions of policies using the
reference state log so historic repository states can be verified against the
then-applicable policies, making repositories more auditable
* Git-native and Backwards Compatible: compatible with all Git repositories,
including existing repositories, with no hard requirement of specific
Git-ecosystem tools
* Extensible Security Layer: support the addition of security features as new
solutions or desirable Git repository properties emerge

#### Alignment with the OpenSSF

The mission of the gittuf project aligns with the
[OpenSSF's Technical Vision](https://openssf.org/about/), especially with:

> Developers, auditors, and regulators can create and easily distribute security
policies that are enforced through tooling and automation, providing continuous
assurance of the results.

gittuf also has synergy with the mission of the [OpenSSF Supply Chain Integrity
Working Group](https://github.com/ossf/wg-supply-chain-integrity):

> scalable standardized attestable practices for supply chain security
gittuf provides a framework to implement such practices for securing Git
repositories, and is complementary to other efforts under the working group like
SLSA.

Finally, gittuf meets the sandbox entry requirements. The project has active
maintainers from three organizations, aligns as described above with the OpenSSF
mission, and presents a novel approach to securing Git repositories. In
addition, gittuf has achieved the first level of the OpenSSF Best Practices
badge.

### IP policy and licensing due diligence

License due diligence is complete and no conflicts were found. Here are the
findings from the corresponding issue (https://github.com/ossf/tac/issues/199):

```
LICENSE INTAKE SCAN & ANALYSIS: OpenSSF: gittuf
This intake scan is a static analysis of the source code in your repository. A dependency scan was not performed. Once a project is added to LFX, you can use SNYK to view a dependency scan for both licenses and vulnerabilities.
CODE SCANNED: https://github.com/gittuf [pulled 22–Sept-2023]
3 repos scanned
PROJECT LICENSE: Apache-2.0
SPDX LICENSE IDENTIFIERS: SPDX license identifiers were not found in any source file headers.
We recommend that SPDX license identifiers be added to ALL source file headers. [see https://spdx.dev/ids for examples]
PERMISSIVE LICENSES: Apache-2.0
COPYLEFT LICENSES: None found
PROPRIETARY LICENSES: None found
LICENSE CONFLICTS: None found
BINARY / PACKAGE FILES: None found
THIRD PARTY CODE / DEPENDENCIES: None found
THIRD PARTY NOTICE FILE: None found
SUMMARY FINDINGS: The code is licensed under the Apache-2.0 license, which is the project license. SPDX license identifiers were not found and should be added to all source file headers. No license conflicts found.
```

### Project References

| Reference | URL |
|----------------------------------------|------------------------------------------------------------------------------------------------------|
| Repo | https://github.com/gittuf/gittuf |
| Website | https://gittuf.github.io |
| Contributing guide | https://github.com/gittuf/gittuf/blob/main/CONTRIBUTING.md |
| Roadmap | https://github.com/gittuf/gittuf/blob/main/docs/roadmap.md |
| Demos | https://github.com/gittuf/demo |
| Presentation to the SCI WG | https://docs.google.com/presentation/d/12ivx9LwMe1xgOvazMqXeJpkmK80Z-rhD1_CIy8T2d6I/edit?usp=sharing |
| Video Recording of SCI WG Presentation | https://zoom.us/rec/play/X1-avN0pWIzxWRQLpFSlDcjWVVsrZvdXta_6lK88Gvz2DbBReDYVJgDaDigdHAb0eoBvzhhBYQEaDWpt.CkXNT4amJEseG6q8 |

0 comments on commit f9337e2

Please sign in to comment.