Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gittuf OpenSSF Sandbox Application #198

Merged
merged 1 commit into from
Oct 3, 2023

Conversation

adityasaky
Copy link
Contributor

@adityasaky adityasaky commented Sep 1, 2023

gittuf is seeking admission to the OpenSSF Sandbox. We aim to be part of the Supply Chain Integrity WG, where we presented gittuf in the August 30th, 2023 meeting.

Overview

gittuf implements security controls into Git repositories using existing Git semantics like its support for cryptographic signatures and its content addressed store. By embedding source security policies into the repository, gittuf makes policies transparent that enables distributed verification by all repository users. Further, as gittuf versions and tracks changes to policies using Git semantics, past repository states can be audited against the then-applicable policies.

Sandbox Requirements

We believe gittuf meets the Sandbox entry requirements.

Maintainers

gittuf currently has four maintainers across three organizations:

Alignment to the OpenSSF

The mission of the gittuf project aligns with the OpenSSF's Technical Vision, especially with:

Developers, auditors, and regulators can create and easily distribute security policies that are enforced through tooling and automation, providing continuous assurance of the results.

gittuf also has synergy with the mission of the OpenSSF Supply Chain Integrity Working Group:

scalable standardized attestable practices for supply chain security

gittuf provides a framework to implement such practices for securing Git repositories, and is complementary to other efforts under the working group like SLSA.

License Review

All gittuf repositories (implementation, website, and demo) use the Apache-2.0 license. The review found no conflicts.

Issue: #199

Links

Repository: https://github.com/gittuf/gittuf
Website: https://gittuf.github.io
Demo: https://github.com/gittuf/demo

@steiza steiza self-requested a review September 8, 2023 14:43
@steiza
Copy link
Member

steiza commented Sep 8, 2023

Sorry! I mistakenly though I was just reviewing 314df73

@adityasaky adityasaky force-pushed the submit-gittuf-sandbox branch from 314df73 to 57baaf5 Compare September 18, 2023 14:54
@mlieberman85
Copy link
Contributor

Looking forward to presentation. This looks good. Also, if still needing a TAC sponsor I offer to sponsor.

Copy link
Member

@steiza steiza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a promising project to accept at the Sandbox stage!

@adityasaky adityasaky force-pushed the submit-gittuf-sandbox branch from 57baaf5 to 9c536c9 Compare September 25, 2023 14:51
@adityasaky
Copy link
Contributor Author

Update: the IP / license check is complete (#199) and no conflicts were found. I've updated the application to reflect that.

@adityasaky adityasaky force-pushed the submit-gittuf-sandbox branch from 9c536c9 to b6ee2ca Compare September 25, 2023 14:53
@adityasaky adityasaky force-pushed the submit-gittuf-sandbox branch from b6ee2ca to f9337e2 Compare September 28, 2023 14:49
Signed-off-by: Aditya Sirish <[email protected]>
@adityasaky adityasaky force-pushed the submit-gittuf-sandbox branch from f9337e2 to b8c82db Compare October 3, 2023 14:42
@SecurityCRob
Copy link
Contributor

Vote to adopt (TAC is at quorum): +5 in favor, 0 opposed 0 abstain.
Welcome aboard to our newest sandbox project! We look forward to it!

@SecurityCRob SecurityCRob merged commit f11de8b into ossf:main Oct 3, 2023
4 checks passed
@adityasaky adityasaky deleted the submit-gittuf-sandbox branch October 3, 2023 16:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants