Secure Software Supply Chain Direction
🎯 Intent
Provide a common place for a shared and coordinated direction for Secure Software Supply Chain work happening across the Manage, Protect, Secure, Verify and Package (and possibly Release) stages.
Background
In the PLT offsite we agreed that the Sec Section would take the lead on Secure Software Supply Chain direction. At the time I was thinking of this as exclusively related to displaying SLSA levels in GitLab. Since then it's become clear that the direction is much more expansive and involves multiple teams including:
- Manage:Compliance to display levels
- Secure:Composition Analysis
- Verify:Runner to provide an attestation of the build process
- Verify:Pipeline Authoring to provide attestation of build artifacts
- Package to provide container or package signing and provenance
- Release to validate that the built artifact is the same that is deployed
Sam White merged a central (outside any stage) direction page with initial content as:
The Sec Section maintains GitLab's vision for Secure Software Supply Chain (SSSC) and leads coordination with numerous groups across GitLab to execute on that vision. This direction page is intended to help facilitate cross-stage collaboration as well as to provide a single reference describing our overarching vision for the myriad product capabilities that together comprise our SSSC solution.
Less than 24 hours later, Jackie and team created and contributed to a more expansive MR that includes more details.
Proposal
I think we should keep a single maintainer in Sam White for the direction, but evolve our contribution model to expect multiple PMs to flesh out the page collaboratively. This is a win, win, win in my opinion:
- We rapidly and jointly tackle a critical market problem that GitLab is well positioned to solve
- We encourage collaboration across PMs for a truly cross-stage experience
- We enable PMs to understand prioritization and capabilities in other stages outside their standard domain
Tasks
If we agree with the above proposal, I'd suggest we:
- Retarget the open MR to the initial page
- Update the handbook with guidance/model for this "Cross-Stage Direction" collaboration process