Posted to security-discuss@community.apache.org by Mark J Cox <mj...@apache.org> on 2022/08/16 13:40:12 UTC

What if...? infrastructure projects

We've worked on the brainstorm initiatives [1], but what if we were able to
have dedicated people working on some of those overarching projects to the
benefit of security of each of our projects? What would they work on, how
many people would we need?

So we've pulled out some of the initiatives into things that might fit into
ASF Infrastructure related projects, see [2] and will start to fill out a
bit more detail on what those projects would look like.  It still needs
some work, like what success looks like for each, so please log in and
comment there or discuss here.

Regards, Mark J Cox
ASF Security

[1]
https://cwiki.apache.org/confluence/display/COMDEV/Brainstorm+Initiatives
[2]
https://cwiki.apache.org/confluence/display/COMDEV/Infrastructure+related+projects

Re: What if...? infrastructure projects

Posted by Jarek Potiuk <ja...@potiuk.com>.
Great list Mark, very concrete and almost all of them pretty
actionable, which is great :). It's fantastic to see the general
brainstorming turned into actionable items.

Happy to be involved (and even lead some parts of those if needs be).
While I know most of the projects of Apache are Java/Maven, so this
might not be relevant to a lot of the projects out there, I think
there are quite a few prominent ASF Python projects, so having those
ideas working in the Python ecosystem is also important for the ASF I
think.

Here are things I think are best for my involvement:

* Simplifying Signing - this is fantastic. Literally today I listened
to the podcast of PyPI packaging maintainer Dustin Ingram, who is one
of the PSF directors and he also works at the new Google Open Source
Security team and he praised sigstore a lot including the fact that
Python 3.11 will be released for the first time with sigstore and GPG.
Happy to lead a pilot in Apache Airflow to have a similar dual-signing
approach (we are closely following what the Python community does so
it should be an easy sell to other PMC members).

* Happy also to make an SBOM pilot in Apache Airflow for a
dependency-heavy Python-based project. We are completing a rather
major modernization of our build pipeline (make it 100% Pure Python
only) with the goal of making it easier to extend and maintain. We
already have a very good (though non-standard in places) grip on all
our 600+ dependencies (and yes we are one of the biggest PyPI
projects when it comes to those :). Integrating and publishing an SBOM
standard inventory as a pilot would be a great step building on those
foundations.

* Builds, Dependencies - Super happy to continue the discussion there
(or even leading it). I even created this proposal some time ago that
directly addresses the need to update the convenience packages
policies, and while it focused more on licensing side rather than
security, I will be happy to resurrect those discussions (all the
details, relevant discussions are put together there):
https://cwiki.apache.org/confluence/display/COMDEV/Updates+of+policies+for+the+convenience+packages
- I am happy to either incorporate the security parts into this
discussion or merge the licensing part into "security" discussion as I
think it would be great to generally refresh the policy on those - and
I cannot tell which of the two sides is more important to tackle -
probably both. This also has an opportunity to join with the SBOM and
signing pilots. I am about to complete a 2-year-long back-burner
project where I iterated on the way we are building, releasing and
publishing our Docker Images for Airflow - with the end result being
making it an "official" image by DockerHub (same as Python and
others). I think our image is fulfilling all the criteria there and I
am planning to submit it to DockerHub soon, and one of the last
"issues" in the project (https://github.com/apache/airflow/projects/3)
is to get the published image signed (and then if we have SBOM -
possibly also joined with SBOM). Again - making a pilot to get all
this working to Airflow as an example - would be a super interesting
way to make some discussions more concrete. And it could likely be
based on the "Simplifying Signing" and "SBOM" work above.

While the others look super interesting too, I think those three are
some actionable ones that I might be able to fit on my plate,
especially those Airflow-specific pilots; they will come under my
"Airflow CI and dev env" umbrella rather neatly.

J.

On Tue, Aug 16, 2022 at 3:41 PM Mark J Cox <mj...@apache.org> wrote:
>
> We've worked on the brainstorm initiatives [1], but what if we were able to
> have dedicated people working on some of those overarching projects to the
> benefit of security of each of our projects? What would they work on, how
> many people would we need?
>
> So we've pulled out some of the initiatives into things that might fit into
> ASF Infrastructure related projects, see [2] and will start to fill out a
> bit more detail on what those projects would look like.  It still needs
> some work, like what success looks like for each, so please log in and
> comment there or discuss here.
>
> Regards, Mark J Cox
> ASF Security
>
> [1]
> https://cwiki.apache.org/confluence/display/COMDEV/Brainstorm+Initiatives
> [2]
> https://cwiki.apache.org/confluence/display/COMDEV/Infrastructure+related+projects
