Create a Sigstore Landscape #818

Open
tracymiranda opened this issue Apr 13, 2022 · 19 comments
Comments

@tracymiranda

Sigstore is a project that is part of OpenSSF. This landscape would represent Sigstore's ecosystem (and eventually be embedded in the OpenSSF main landscape). Goals for the landscape:

  • Highlight the sigstore ecosystem of projects and services (make discovery easy)
  • Have a central place where folks can see projects adopting sigstore
  • Make it easy for folks to contribute their own case studies/adoptions
  • Highlight integrations, end user case studies, etc.
  • Make it easy to find guides to the various parts of the ecosystem

Ideally l.sigstore.org would be hosted at https://github.com/sigstore/sigstore-landscape
It should include a guide in the first version
The initial layout is loosely based on l.graphql.org
Here's a sketch:
[image: sketch of the landscape layout, attached to the original issue]

@tracymiranda
Author

Please let me know what info is needed and when, and I'll start to pull it all together!

@AndreyKozlov1984
Contributor

Hi, @tracymiranda
Create a new repo, for a start, and add me as a collaborator to the repo.

@caniszczyk

caniszczyk commented Apr 13, 2022 via email

@tracymiranda
Author

@AndreyKozlov1984 repo is here and you should have access: https://github.com/sigstore/landscape

@AndreyKozlov1984
Contributor

Ok, that is great! @caniszczyk just to make it clear, this will be its own landscape, because if we want to have a new tab in the OpenSSF landscape, we had better start there.

But if we want its own guide, an independent landscape is the best option, and we can give a link from one landscape to the other from OpenSSF.

@caniszczyk

caniszczyk commented Apr 21, 2022 via email

@AndreyKozlov1984
Contributor

@tracymiranda @caniszczyk then here is what I'm going to do:
In the OpenSSF landscape I'll make a new branch. There I'll add a new tab called "SigStore" and will create a new category with subcategories to fill it. And I will add a few items for a start.

Regarding the guide, right now the guide supports only the main landscape, but there is no reason why it cannot support an extra tab.

Is that fine?

@caniszczyk

caniszczyk commented Apr 21, 2022 via email

@tracymiranda
Author

SGTM, if we can still have the guide and meet the stated goals then I don't mind where this lives.

@AndreyKozlov1984
Contributor

@tracymiranda sorry for the delay, I started to put everything here as a preview:
https://deploy-preview-140--ossflandscape.netlify.app/sigstore
I'm going to fill everything today with bogus records, and then slowly we can put in real info.

For each item in your sketch I need a homepage_url, github_url, icon, name and a crunchbase entry. I'll try to find this myself when it is something trivial.

Regarding the guide - let's start it right now. Give me any text, preferably in markdown, and I'll try to convert it to the guide.

Feel free to contact me in Slack or here; I'm going to get this tab populated today.

@tracymiranda
Author

tracymiranda commented May 5, 2022

🎉 this is pretty sweet, thank you @AndreyKozlov1984.

Here's a fwv of a guide we can use (see below), let me know if this format works. I'll start to gather up the links and icons for the rest of the landscape.

## Introduction

Sigstore is a new standard for signing, verifying and protecting software.
It can be used to make sure your software is what it claims to be. Learn more at https://www.sigstore.dev/

<section data-category="Projects">

Sigstore is made up of a combination of technologies to handle signing, verification and provenance checks that respect privacy and work at scale. This section shows the open source subprojects that make up Sigstore as well as non-code projects that support the Sigstore community such as roadmap and specification.

<section data-category="Services">

In some cases Sigstore services are run as a public instance, for example, the public instance of the Rekor transparency log used to verify signatures. This section allows you to discover public instances run by the community and/or organizations who host Sigstore services.

<section data-category="Integrations">

Use of Sigstore is sometimes transparent to users as its signing and verification functionality is seamlessly integrated with version control or build software. This section highlights open source and closed source tools, platforms and applications that integrate Sigstore functionality such that users of those tools may benefit from software signing and verification.

<section data-category="Signed With">

This section highlights open source and closed source software that use Sigstore for signing artifacts. That means that users of these tools are able to verify the integrity of artifacts using Sigstore.

<section data-category="End user Adopters">

This section showcases organizations that currently use Sigstore as part of their software supply chain security toolbox. That means the organizations are at a minimum signing internal artifacts with Sigstore. Each organization links to a specific case study to highlight how they are using Sigstore.

@tracymiranda
Author

(just updated the comment to make sure the markdown shows up properly)

@AndreyKozlov1984
Contributor

Great, that would be a good start. We have a maximum of one guide per website, but so far OpenSSF does not have any guide. I'll add your guide soon.

@tracymiranda
Author

Ack - we can integrate this guide into a main one when OpenSSF gets to that stage.

Here are details of 2 entries in the 'signed-by' category:

  1. Kubernetes - icon, website, repo & crunchbase same as is here https://landscape.cncf.io/?selected=kubernetes
    Additional field 'How to verify' should point to 'https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-images/'

  2. Flux - icon, website, repo & crunchbase same as is here https://landscape.cncf.io/?selected=flux
    Additional field 'How to verify' should point to 'https://fluxcd.io/blog/2022/02/security-image-provenance/'

I'll aim to do the same for other categories next week. Please let me know if any questions.

@AndreyKozlov1984
Contributor

Thank you, all looks fine now. Please provide more details for the other categories; if you know that a certain item exists in another landscape, I'll just copy it from there and add extra fields like 'How to verify'.

Regarding the guide, I will update you later today; so far no issues.

@AndreyKozlov1984
Contributor

@tracymiranda I've added a guide.

@tracymiranda
Author

Thanks @AndreyKozlov1984 - is there a new link to see the deploy preview?

Also we now have the Sigstore logo for one entry:
icon: https://github.com/ossf/artwork/blob/master/sigstore/stacked/color/Sigstore-logo_stacked-color.svg
website: https://www.sigstore.dev/
repo: https://github.com/sigstore/sigstore
crunchbase: https://www.crunchbase.com/organization/sigstore

Please let me know if I should submit a PR anywhere or if that is enough info to add it in. (Subproject logos still in progress...)

@tracymiranda
Author

We now have the logos ready for the subprojects.
[attachment: SVG-color-horizontal (1).zip]

There are four entries:

  1. Cosign
    website: https://docs.sigstore.dev/cosign/overview
    repo: https://github.com/sigstore/cosign

  2. Gitsign
    website: https://docs.sigstore.dev/gitsign/overview
    repo: https://github.com/sigstore/gitsign

  3. Fulcio
    website: https://docs.sigstore.dev/fulcio/overview
    repo: https://github.com/sigstore/fulcio

  4. Rekor
    website: https://docs.sigstore.dev/rekor/overview
    repo: https://github.com/sigstore/rekor

If we need a crunchbase entry, then we'd use the parent one of sigstore: https://www.crunchbase.com/organization/sigstore

@AndreyKozlov1984
Contributor

Great, @tracymiranda, I'll update you after I add these entries.

AndreyKozlov1984 added a commit to ossf/ossf-landscape that referenced this issue Sep 12, 2022
Work in progress, the goal is to create a new tab for 
cncf/landscapeapp#818

Signed-off-by: Tracy Miranda <[email protected]>
Co-authored-by: Andrey Kozlov <[email protected]>
Co-authored-by: Tracy Miranda <[email protected]>