FYI ---------- Forwarded message --------- From: Brandon Lum <lumjjb@...> Date: Tue, May 17, 2022 at 11:50 AM Subject: [cncf-tag-security] RFC Cloud Native Serverless Security Whitepaper To: <cn

FYI ---------- Forwarded message --------- From: <pushkarj.at.work@...> Date: Wed, Apr 6, 2022 at 2:26 PM Subject: [cncf-tag-security] RFC: Cloud Native Security Whitepaper v2 ends April 27 To:

FYI ---------- Forwarded message --------- From: Michael Lieberman <mlieberman85@...> Date: Thu, Feb 10, 2022 at 3:19 PM Subject: [cncf-tag-security] [RFC] Secure Software Factory Reference Arch

The CNCF Security TAG put together an excellent resource: https://github.com/cncf/tag-security/tree/master/supply-chain-security https://www.cncf.io/blog/2021/05/14/evaluating-your-supply-chain-securi

I hope everyone had an amazing KubeCon + CloudNativeCon! Due to the recent re-licensing of a couple popular permissive projects to AGPL, the CNCF has posted guidance for projects that may be affected:

Please don't send spam to this list again or you will be banned from CNCF messaging systems. You can take advantage of CNCF marketing/online programs here: https://github.com/cncf/foundation/blob/mast

FYI ---------- Forwarded message --------- From: Emily Fox <themoxiefoxatwork@...> Date: Fri, Apr 9, 2021 at 11:20 AM Subject: [cncf-sig-security] Supply Chain Security Paper Open for public com

Hey all, thanks for the candid email here, I know that it can be a challenge as we don't timebox due diligence periods and that sometimes it can be hard to give and take feedback, especially as projec

Alexis, the tool is freely available just like a variety of other security tools that CNCF projects use, from LFX Security (white labeled Snyk), Snyk, FOSSA, CodeQL, WhiteSource etc, lots of great opt

+1 to what Liz said here, this should be opt-in for project maintainers like any tool Can we please just leave this as a per project decision as any other tool as we decided last time this came up, th

That depends on your viewpoint, the maintainers ideally should make that call per project based on whatever security process they have in place for the project. You can have a view that maintainers sh

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see

It's https://github.com/docker/distribution They will pick a new org name and so on.

It wasn't in the sandbox, they went straight for incubation: https://github.com/datawire/ambassador I know it can be confusing as they were originally considered a sandbox contribution but decided to

I don't think we have to fully pause everything but it's up to the TOC here, if the TOC is saying "choose another name than IC4EP or something else that wouldn't confuse end users" before we accept th

The problem is the company rebranded to Ambassador also here: https://www.getambassador.io, so the project needs to be renamed to deal with the obvious trademark conflict here. The CNCF is open to wha

Just a reminder about upcoming TOC elections for the GB and end user seats! Feel free to petition your GB and end user member representatives! ---------- Forwarded message --------- From: Amye Scavard

Hey TOC and the wider community, some of our projects have taken advantage of fuzzing (through oss-fuzz and other tools), also we recently funded some fuzzing/audit work for fluentbit to see the impac

Hey all, hope everyone is having a great 2021! At the end of last year, we posted the CNCF annual report covering what we accomplished in 2020: https://www.cncf.io/blog/2020/12/29/2020-cncf-annual-rep

Hey all, we are doing our traditional TOC panel at KubeCon today: https://kccncna20.sched.com/event/f6Z1 Feel free to join us at the tail end of kubecon and if you have any questions, please let us kn