This is a workstream within the CDF SIG Software Supply Chain.
The forming of this workstream was suggested at a recent SIG Software Supply Chain meeting
The workstream will cover CICD beyond build and deploy.
The workstream seeks to define industry standards for Supply Chain Maturity that augment SLSA. Where SLSA covers the supply chain from code through artifact, maturity covers the artifact lifecycle, including deployments, rollouts, testing, rollbacks, and more.
The workstream seeks to define an industry standard to augment SLSA.
Proposed names so far include:
- Code Health Project Score ("CHiPS") (but it conflicts with CHIPS Alliance under the Linux Foundation)
- Guide for Understanding Application Concerns ("GUAC")
Our first priority will be to identify additional clever retronyms and settle on a memorable name.
Current members:
- David Bendory, Google
- Justin Abrahms, eBay/CDF
- Ankit D Mohapatra, Berkshire Grey
- Parth Patel, Kusari
- Kara de la Marck, CDF
- David Espejo, VMware
- <your-name-here!>
Membership to this workstream is open and self-declared.
New members are invited to:
- Join the #wg-supply-chain-maturity on CDF Slack and introduce yourself.
- Regularly join the workstream meetings
Please join our Slack channel on CDF Slack.
Supply Chain Maturity workstream meetings:
- When: every other Tuesday at 12:00PM ET (check your timezone here)
- Where: https://zoom.us/j/94947282554?pwd=UndPWjFkQTJSUGo4WTRZWjlDaEQvUT09
- Meeting agenda and minutes here
- Zoom International dial-in
- Meeting recordings: CDF Youtube Channel SIG Software Supply Chain Playlist
- CDF Public Calendar (UTC)