This is an experiment help with CNCF project onboarding tasks (that some projects are slow on) and security practices recommended by https://sos.dev/#what-security-improvements-qualify and OpenSSF. We

We point to the Linux Kernel as an example in the FAQ as the original and canonical DCO reference: https://github.com/torvalds/linux/blob/master/Documentation/process/submitting-patches.rst#developers

Hey folks, just to let you know, this is a policy that has been in place for awhile in multiple LF communities like the Linux Kernel, Hyperledger etc. I'm not reverting the change as this is what the

FYI ---------- Forwarded message --------- From: Brandon Lum <lumjjb@...> Date: Tue, May 17, 2022 at 11:50 AM Subject: [cncf-tag-security] RFC Cloud Native Serverless Security Whitepaper To: <cn

FYI ---------- Forwarded message --------- From: <pushkarj.at.work@...> Date: Wed, Apr 6, 2022 at 2:26 PM Subject: [cncf-tag-security] RFC: Cloud Native Security Whitepaper v2 ends April 27 To:

FYI ---------- Forwarded message --------- From: Michael Lieberman <mlieberman85@...> Date: Thu, Feb 10, 2022 at 3:19 PM Subject: [cncf-tag-security] [RFC] Secure Software Factory Reference Arch

The CNCF Security TAG put together an excellent resource: https://github.com/cncf/tag-security/tree/master/supply-chain-security https://www.cncf.io/blog/2021/05/14/evaluating-your-supply-chain-securi

I hope everyone had an amazing KubeCon + CloudNativeCon! Due to the recent re-licensing of a couple popular permissive projects to AGPL, the CNCF has posted guidance for projects that may be affected:

Please don't send spam to this list again or you will be banned from CNCF messaging systems. You can take advantage of CNCF marketing/online programs here: https://github.com/cncf/foundation/blob/mast

FYI ---------- Forwarded message --------- From: Emily Fox <themoxiefoxatwork@...> Date: Fri, Apr 9, 2021 at 11:20 AM Subject: [cncf-sig-security] Supply Chain Security Paper Open for public com

Hey all, thanks for the candid email here, I know that it can be a challenge as we don't timebox due diligence periods and that sometimes it can be hard to give and take feedback, especially as projec

Alexis, the tool is freely available just like a variety of other security tools that CNCF projects use, from LFX Security (white labeled Snyk), Snyk, FOSSA, CodeQL, WhiteSource etc, lots of great opt

+1 to what Liz said here, this should be opt-in for project maintainers like any tool Can we please just leave this as a per project decision as any other tool as we decided last time this came up, th

That depends on your viewpoint, the maintainers ideally should make that call per project based on whatever security process they have in place for the project. You can have a view that maintainers sh

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see

It's https://github.com/docker/distribution They will pick a new org name and so on.

It wasn't in the sandbox, they went straight for incubation: https://github.com/datawire/ambassador I know it can be confusing as they were originally considered a sandbox contribution but decided to

I don't think we have to fully pause everything but it's up to the TOC here, if the TOC is saying "choose another name than IC4EP or something else that wouldn't confuse end users" before we accept th

The problem is the company rebranded to Ambassador also here: https://www.getambassador.io, so the project needs to be renamed to deal with the obvious trademark conflict here. The CNCF is open to wha

Just a reminder about upcoming TOC elections for the GB and end user seats! Feel free to petition your GB and end user member representatives! ---------- Forwarded message --------- From: Amye Scavard