Michael Lieberman

Results: 175 comments by Michael Lieberman

> fwiw, I continue to think that the goal should not be a chain of custody on the build process, but rather to make it easy to verify that the...

I think folks from my end would like to attend. This is a big problem we're running into particularly in two spots: 1. How can we parse vulnerability information in...

@TheFoxAtWork I think it would be worthwhile to chat this over with everyone once folks are back from Kubecon EU. We initially avoided Kubernetes-specific work because of how large...

@TheFoxAtWork Now with folks back from Valencia, when might people want to have a chat about some details? We still have the meetings weekly at 11AM Eastern time for the...

Cool. As part of the analysis around this, I created a few graph visualizations (difficult to read I know, took overnight to render) to just show how complicated the supply...

![slsa-graph-big gv](https://user-images.githubusercontent.com/622577/170547400-ef9e2ef8-e35b-46df-adee-057cbce847d1.svg) Here is a 7-ish MB SVG of the graph. It struggles to render... It also is a graph PURELY of the non-Go dependencies. The idea here is not...

To also provide some context. Whatever project(s) we end up working with as part of this proposal the idea would be to apply best practices and other guidance from CNCF...

> @mlieberman85 I'd like to contribute to this but the first supply chain security meeting I can join is 6/23. I will stay in touch via #tag-security-supply-chain-wg. Does it make...

These are k8s-related threads that @justaugustus posted in the Kubernetes sig-release Slack: https://github.com/kubernetes/sig-release/blob/master/roadmap.md https://github.com/kubernetes/enhancements/issues/3027 https://github.com/kubernetes/enhancements/tree/master/keps/sig-release/3027-slsa-compliance These are related to roadmaps and work that Kubernetes is working on for supply chain...

This makes sense. My intention for this proposal is to focus more on taking stuff and refining it, rather than wholesale building something new like a whole CI/CD pipeline for...