The Software Supply Chain Security Paper is a CNCF Security Technical Advisory Group effort to ensure the cloud native community has access to information about building, distributing, deploying, and running secure software supply chains.
The Software Supply Chain Security Paper (SSCSP) is intended to be a living document created and maintained for the community, by its members.
Updates to the paper, suggestions for updates, or discussion for updates should initiate with an issue submitted to the repo and labeled with "suggestion" and "supplychain".
The living SSCSP is maintained in markdown and all updates will be made in markdown.
All members of the community are welcome to contribute updates to the SSCSP. We ask potential contributors to refer to the original design decisions, listed below, as guidance when determining the content of their updates.
It is highly recommended that you seek peer review for your updates beyond that of the Technical Leads and Co-Chairs of the group.
Once the PR is submitted, please place the link in the CNCF Security TAG Channel for the SSCSP: #tag-security-supply-chain-wg to request a review.
It is expected that many minor updates will occur, corrections to grammar, spelling, clarification in language, translations, etc. When these occur they are considered minor changes to the overall content and will not warrant the regeneration of the PDF.
When significant changes to the intent, content, or numerous minor changes occur, the SSCSP working group will assess and determine if a new major version of the PDF needs published. When this decision is made, the markdown content will be converted to text document and sent to the CNCF technical writers to create the PDF. The PDF will then be published back into the repository annotating the new version, updating the links in the README.md accordingly.
Minor updates to the markdown shall receive a minor version bump indicated in the Metadata table of the document and recorded as WIP. When enough significant changes have been recorded, the markdown will be placed "In Review" (via PR) and solicited to the CNCF Security TAG and TOC mailing list for review, at a minimum.
Upon completion of review, the Security TAG TOC Liaison shall provide final approval on the PR. At which point the markdown state will be changed to "Approved" and merged.
Links: