Kim Lewandowski (kimsterv) - Product Manager at Google working on OSS security.

ossf/scorecard 1969

Security Scorecards - Security health metrics for Open Source

google/osv 403

Open source vulnerability DB and triage service.

ossf/wg-digital-identity-attestation 74

Our objective is to enable open source maintainers, contributors and end-users to understand and make decisions on the provenance of the code they maintain, produce and use.

cdfoundation/foundation 19

Interactions with the CDF Staff and Board

kimsterv/django-ses 5

A Django email backend for Amazon's Simple Email Service

aguynamedben/flume 3

Flume is a distributed, reliable, and available service for efficiently collecting, aggregating, and moving large amounts of log data. It has a simple and flexible architecture based on streaming data flows. It is robust and fault tolerant with tunable reliability mechanisms and many failover and recovery mechanisms. The system is centrally managed and allows for intelligent dynamic management. It uses a simple extensible data model that allows for online analytic applications.

kimsterv/dotfiles 2

My dotfiles (.zshrc, .vimrc, .gitconfig, etc)

kimsterv/facebook-sdk 2

Facebook Platform Python SDK

issue closed: ossf/allstar

Gathering and union of stars

Union of Earth's stars for immortality

closed time in 9 days

Alistar031

issue comment: slsa-framework/slsa

Is a 'personified' SLSA a dip or a dancer?

This is amazing. How about a version with heels? 👠

TomHennen

comment created time in 19 days

PR opened slsa-framework/slsa

adding community info
+18 -0

0 comment

1 changed file

pr created time in 2 months

create branch: kimsterv/slsa

branch : community

created branch time in 2 months

push event: kimsterv/slsa

Tom Hennen

commit sha 5bfb221fcfa39285ab88cfc00febe15cafdd8696

Document some SLSA use cases

Still very much draft. Lots of work left to do.

Tom Hennen

commit sha fdbc0ed70442bd1f43b44c63a165e3748e54194e

Fix numbering.

Tom Hennen

commit sha 4f45a263cdb94062d29363e97b56dd4d078a5069

Make linter happy

Weren't enough spaces after the list numbers. Hopefully this will also make it happy with the sublist.

Tom Hennen

commit sha bd35bea9b151f4bf07dc2ac7265ae5ed9ec0dca5

Have the Vendor publishing a container image

Tom Hennen

commit sha e91aeed02b1cd76ddac77f03cb96e4325ef5ad95

Added developer use case

Tom Hennen

commit sha 2f464c29f38d7da6f65def7a51e4a46646850984

First use case is the most ready for adoption

Tom Hennen

commit sha 56bf197d0f894a18833d1358d7c626ff7119e43a

Try to make linter happy.

Tom Hennen

commit sha 22751914897e55d9acd57e2b92785d89716859d5

Add use case for a Package Repository

dependabot[bot]

commit sha e2ca73066b47c5697cd12772eb3152df6d0e2011

Bump actions/setup-node from 2.2.0 to 2.3.0

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/38d90ce44d5275ad62cc48384b3d8a58c500bb5f...aa759c6c94d3800c55b8601f21ba4b2371704cb7)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Kim Lewandowski

commit sha f834741f9674efb97d162d37a247310dffc6f473

adding a new folder for community members to submit their own case studies trying to reach SLSA levels

Tom Hennen

commit sha 78d6e939cffb5af82b8458694908a1d35f50874f

choke -> control

choke-point doesn't sound nice. control-point gets the same idea across.

Mark Lodato

commit sha 94dea13daec5641a038d1d63173bb5f1114ec75d

Merge pull request #102 from slsa-framework/dependabot/github_actions/actions/setup-node-2.3.0

Bump actions/setup-node from 2.2.0 to 2.3.0

Mark Lodato

commit sha ae46830d4ed3c5b57d76a906ada7711acffbd165

Remove version comments from pinned actions.

Dependabot automated version bumps only update the hash, not the comment, so the comment is likely to get stale. Example: #102.

Mark Lodato

commit sha b7590f4d1aa4a56e78708936896bb7423764e46d

Merge pull request #104 from MarkLodato/version-string

Remove version comments from pinned actions.

Kim Lewandowski

commit sha ba9d9c15d046b33035cbc576cd2ae7de45ab41cd

Merge pull request #103 from kimsterv/casestudies

new folder for community members to submit case studies

Tom Hennen

commit sha 071cbcc0e3633f6928862b4884182d787239bac5

Address @MarkLodato's comments.

Tom Hennen

commit sha d83510807a01cd8e62e9d052b5afb18ac61d3d88

Address @kimsterv's comments.

Mark Lodato

commit sha 7d0009bc13e396556af3c0d16c1f0e969c299827

Use .markdownlintignore.

This allows us to automatically ignore all gitignore'd files, rather than having to maintain the patterns in package.json.

Mark Lodato

commit sha 0d537eb1a44fe4b33d1aa38347e602a51fb135aa

Fix lint issues with case-studies/README.md

Mark Lodato

commit sha 60b611827ce2539b98b8c3d2b16d746e92de30dd

Merge pull request #105 from MarkLodato/markdownlint-ignore

Use .markdownlintignore.

push time in 2 months

create branch: ossf/osv-schema

branch : main

created branch time in 2 months

created repository: ossf/osv-schema

created time in 2 months

push event: slsa-framework/slsa

Kim Lewandowski

commit sha f834741f9674efb97d162d37a247310dffc6f473

adding a new folder for community members to submit their own case studies trying to reach SLSA levels

Kim Lewandowski

commit sha ba9d9c15d046b33035cbc576cd2ae7de45ab41cd

Merge pull request #103 from kimsterv/casestudies

new folder for community members to submit case studies

push time in 2 months

PR merged: slsa-framework/slsa

new folder for community members to submit case studies

trying to reach SLSA levels

+8 -0

1 comment

1 changed file

kimsterv

pr closed time in 2 months

Pull request review comment: slsa-framework/slsa

Document some SLSA use cases

+# Use Cases++These are some of the use cases for SLSA.  Of these the first use case (a vendor checking their+own packages prior to publishing) is the most ready for adoption as it does not require+interactions with any other party.++## Vendor publishing a software package++A vendor, BarInc, has the following goals in applying SLSA:++1.  Protect their users from malicious changes to the BarImage container image+2.  Protect their reputation, which would be harmed, if BarImage were compromised+
  1. Access to metadata for auditing and ad-hoc analysis.
TomHennen

comment created time in 2 months

Pull request review comment: slsa-framework/slsa

Document some SLSA use cases

+# Use Cases++These are some of the use cases for SLSA.  Of these the first use case (a vendor checking their

Instead of vendor, how about developer? I think that would capture both vendors and maintainers of open source projects.

TomHennen

comment created time in 2 months

PR opened: slsa-framework/slsa

new folder for community members to submit case studies

trying to reach SLSA levels

+8 -0

0 comment

1 changed file

pr created time in 2 months

create branch: kimsterv/slsa

branch : casestudies

created branch time in 2 months

push event: kimsterv/slsa

Kim Lewandowski

commit sha 117a325625162e13f256e2c7a0532b5d37382440

fixing typo

Mark Lodato

commit sha 67ba65854bc37d87759350b39da6d64939fd3ed6

Add SLSA 1.5 and split Tamper Resistant.

Add a new level, SLSA 1.5, between 1 and 2. We will renumber all the levels to integers right before we finalize the first version. In the meantime, we keep numbering the same to reduce confusion.

Split Tamper Resistant into Authenticated + Service Generated + Non-Falsifiable. This split makes the meaning more clear, particularly that SLSA 1 is unauthenticated. SLSA 1.5 requires only the first two, with non-falsifiable being a property at SLSA 2.

Mark Lodato

commit sha 068b491152179fd5fb59f9efa3d343caf38e4723

Replace nouns with adjectives in requirements.

This reads better and is consistent with the new provenance requirements, which all use adjectives. Example: Isolation -> Isolated.

Mark Lodato

commit sha 9873d44055036d4ff38d4027e395b4ef92625528

Rename "Retained" to "Retained Indefinitely"

This makes the table easier to read since one box is not a simple checkmark instead of a word.

Mark Lodato

commit sha 036991180911a9f27cb795bf9faf435ff500f5a9

Remove Resource and Deploy to simplify the model.

Previously, we differentiated between Resources and Artifacts, and SLSA was a property of a Resource's security policy. However, many readers found this concept very confusing.

Now, SLSA is purely a property of the artifact. If provenance exists showing that it met the requirements, the artifact meets the level. No policy or notion of "resource" is required.

This simplifies the model at some cost of security, which we have collectively decided is worth the trade-off.

NOTE: The Vision section will be updated in a future change.

Mark Lodato

commit sha 6f552a33d25e17e4e86c5547f5809853a33be5b7

Merge pull request #53 from MarkLodato/terminology

Remove Resource and Deploy to simplify the model.

Mark Lodato

commit sha 6ee42edd8b8a17955e6901acd6e6596d26aab444

Update Vision section with latest changes.

- Make the vision diagrams consistent with the terminology section:
  - Output is on the right, input is on the left.
  - Use colors consistently.
  - Rename "resource" to "artifact locator".
  - Simplify the diagram to reduce confusion (fixes #31).
- Update the level explanations based on recent changes:
  - SLSA 1 is unsigned.
  - Add SLSA 1.5 (merged with the SLSA 2 section).
  - Minor wording updates.
- Remove Deployment Policies section. We will eventually need to explain policies, but for now let's omit it until we agree on what that should look like.

Mark Lodato

commit sha 17b779189169af24d61f654adccfd6938d747e62

Merge pull request #54 from MarkLodato/diagrams

Update Vision section with latest changes.

Mark Lodato

commit sha d0c791475d82bcb02c0dd7d1892a4202a129c392

Clarify SLSA requirements.

Changes to requirements:
- Remove "Source Integrity", add immutable references to "Hermetic".
- Drop "Common" from SLSA 2 because it is likely expensive.

Clarifications:
- Split out "Ephemeral Environment" from "Isolation" (from #52).
- Explain that GH-generated merge commits meet Verified History (from #52).
- Clarify that all artifact references are immutable (from #52).
- Rename "Dependencies" to "Dependencies Complete" to avoid confusion.
- Define "SLSA level", "provenance", and "top-level source."
- Other minor cleanups.

Mark Lodato

commit sha acc814a12fb75819c5f1262578c29be937fb4d0a

Merge pull request #55 from MarkLodato/clarification

Clarify SLSA requirements.

Mark Lodato

commit sha 529afa03a33146601e0ae2d913772b098958cb0f

Remove "proposed" wording.

Minor changes to remove the notion that this is a "proposal" and instead just describe SLSA as it is. Also explain that levels 2-3 are likely to change in the future, rather than using some sort of symbol (*) or term (provisional), since technically all requirements are subject to change. It's just that 2-3 are more likely to change.

Mark Lodato

commit sha 21e12e7144a98ef28a5d19acef38a26eedf5d67d

Merge pull request #56 from MarkLodato/provisional

Remove "proposed" wording.

Mark Lodato

commit sha 749007eaf627ba97d6d05db30376b89f7d4ed825

Add detailed source requirements.

This should now give enough detail that platforms can start implementing SLSA 1.5 and above. Further clarifications are likely needed, but this is a good start.

Mark Lodato

commit sha 94319618fe0d169fa376f411e8873266920e0097

Minor clarifications of source-requirements

Mark Lodato

commit sha 311d0ab6a3cc503cc52e53a1d2c4759fe8ee7e5e

Further clarifications to source requirements

Mark Lodato

commit sha 7fc63393113d33580dfedc5e58f665ecfc7834c3

Merge pull request #17 from MarkLodato/source-reqs

Add detailed source requirements.

Mark Lodato

commit sha a743d830fcf6f6823e34210265ae17adfadc3796

Renumber levels to be integers.

That is:
- 1.5 => 2
- 2 => 3
- 3 => 4

Abhishek Arya

commit sha db7a8e0730a7efab32c9095243eefeee1d1038bf

Merge pull request #58 from MarkLodato/slsa-2-rename

Renumber levels to be integers.

Mark Lodato

commit sha 333ad28a3f06d699378767ffca8a816d0a4fe348

Define build requirements; add "Parameterless".

Fully define all build requirements. The document still needs an introduction, including diagram, threat model, and high-level description.

Add a "Parameterless" requirement to SLSA 4, which we forgot previously.

Mark Lodato

commit sha 300804fbd8ccf741cfba421bd71f80227f611d81

Merge pull request #59 from MarkLodato/build-reqs

Define build requirements; add "Parameterless".

push time in 2 months

issue opened: slsa-framework/slsa

Provide guidance for projects with only a single maintainer

Many open source projects only have one maintainer. How will they meet the two-person review requirement? Are tools like automated code reviews in scope for meeting this requirement?

created time in 2 months

push event: slsa-framework/slsa

Kim Lewandowski

commit sha 8a7bcedf66a01aa9fadaa92f0b1371680defb0e7

Create CNAME

push time in 3 months

push event: slsa-framework/slsa

Kim Lewandowski

commit sha 6ca5e6612c2e03e2f86a7e599999150998b1a270

Delete CNAME

push time in 3 months