From 55990540d7f3fd865aca8f823869ed9e843db57a Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 27 Sep 2022 14:00:28 -0700 Subject: [PATCH 001/120] Create openssf_metrics.md Related: https://github.com/ietf-scitt/use-cases/issues/14 --- openssf_metrics.md | 66 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 openssf_metrics.md diff --git a/openssf_metrics.md b/openssf_metrics.md new file mode 100644 index 0000000..56a6551 --- /dev/null +++ b/openssf_metrics.md @@ -0,0 +1,66 @@ +# OpenSSF Metrics + +Collection of metric / Alpha-Omega data into shared DB. + +## Misc. Notes + +Mike from OpenSSF has been thinking about SCITT as a schema +and rules on how one would assert facts, weither it's +confidential compute or traditional permissions is impelmenetation details. + +- TODO + - As consumer, how can I discover that fact and trust that it's accruate + - Could imagine a world where things like Scorecard express the data as as SCITT attestation + - You go and query that (source code data mining data or vuln data) store (via DID resolution) + and you say tell me everythig you know about foo and you get it all back. + - Addresses OpenSSF/Christine's: Looking at trying to connect all the different data sources + - Until we have an implementation with Web5 (https://github.com/TBD54566975) that's at at least beta, we could expore what that looks like. + - Open Architecture: need to track usages / `reuse` of contexts `ictx`, `nctx`, etc. with + something predeclared, aka at runtime if your `Operation` data structure doesn't + allowlist your usage of it you can pass it to a subflow for reuse. + This allows us to use the format within our orchrestration and for static analysis + because we can use this same format to describe the trust boundry proeprties that + other domain sepcific represenatations of architecture have, for instance we could + if we were doing and Open Architecture (OA) Intermediate Representation (IR) for + and ELF file we might note that the input network context is not reused from + the top level system context. Where as if we did an OA IR for Python code we + would say that the input network is reused from the top level system context + (it has access to that memory region, whereas when you launch and ELF you look + access to the parents memory region, typically). + +We care about data provenance. This provenance could be for example on +inference derived from provenance from training data and model training +env and config. This will allow us to ensure the prioritizer make +decisions based on Sprit of the law / aka intent based policy derived from +[Trinity of Static Analysis, Dynamic Analysis, and Intent](https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice/0000_architecting_alice#entity-analysis-trinity). + +Living Threat Model threats, mitigations, trust boundaries as initial data +set for cross domain conceptual mapping of the the trinity to build pyramid +of thought alignment to strategic principles. + +- One of our strategic plans / principles might say + - "We must be able to trust the sources of all input data used for all + model training was done from research studies with these ethical + certifications" +- This allows us to write policies (Open Policy Agent to JSON to DID/VC/SCITT + translation/application exploration still in progress) for the organizations + we form and apply them as overlays to flows we execute where context appropriate. + These overlaid flows define the trusted parties within that context as applicable + to the active organizational policies as applicable to the top level system context. +- The policy associated with the principle that consumes the overlaid trust + attestations we will implement and LTM auditor for which checks + the SCITT provenance information associated with the operation implementations and + the operation implementation network, input network, etc. within the orchestrator + trust boundary + + TODO + +- References + - https://github.com/intel/dffml/blob/alice/docs/arch/0009-Open-Architecture.rst + - https://github.com/intel/dffml/blob/alice/docs/arch/0008-Manifest.md + - https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice + - https://datatracker.ietf.org/doc/html/draft-birkholz-scitt-architecture + - https://www.w3.org/2022/07/pressrelease-did-rec.html.en + - https://docs.microsoft.com/en-us/azure/confidential-ledger/architecture + - Similar work to address + - https://docs.google.com/presentation/d/1WF4dsJiwR6URWPgn1aiHAE3iLVl-oGP4SJRWFpcOlao/edit#slide=id.g14078b5bab0_0_517 From d7e7810102052a10903804f24aa56a4699255e66 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 27 Sep 2022 14:04:55 -0700 Subject: [PATCH 002/120] openssf metrics: todo: Align with Software Supply Chain Artifact Examples use case --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 56a6551..b9b0a97 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -9,6 +9,8 @@ and rules on how one would assert facts, weither it's confidential compute or traditional permissions is impelmenetation details. - TODO + - Align with Software Supply Chain Artifact Examples use case + - https://github.com/ietf-scitt/use-cases/pull/17/files - As consumer, how can I discover that fact and trust that it's accruate - Could imagine a world where things like Scorecard express the data as as SCITT attestation - You go and query that (source code data mining data or vuln data) store (via DID resolution) From b70a00a0c94f7cc014e15950e2f8e9f9fcd50a26 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 27 Sep 2022 14:28:41 -0700 Subject: [PATCH 003/120] openssf metrics: Add link to PR for review --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index b9b0a97..3c54796 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1,5 +1,7 @@ # OpenSSF Metrics +> Pull Request Review (WIP): https://github.com/ietf-scitt/use-cases/pull/18 + Collection of metric / Alpha-Omega data into shared DB. ## Misc. Notes From a93cdd729b63e7ce15ceb562e0df7c8fc454e7d8 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 29 Sep 2022 11:42:00 -0700 Subject: [PATCH 004/120] openssf metrics: Add link to 2022-09-29 IETF SCITT Technical Meeting notes --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 3c54796..a25aa37 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -63,6 +63,7 @@ of thought alignment to strategic principles. - https://github.com/intel/dffml/blob/alice/docs/arch/0009-Open-Architecture.rst - https://github.com/intel/dffml/blob/alice/docs/arch/0008-Manifest.md - https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice + - [2022-09-29 IETF SCITT Technical Meeting](https://github.com/intel/dffml/discussions/1406#discussioncomment-3763647) - https://datatracker.ietf.org/doc/html/draft-birkholz-scitt-architecture - https://www.w3.org/2022/07/pressrelease-did-rec.html.en - https://docs.microsoft.com/en-us/azure/confidential-ledger/architecture From 768f8819e220a6a9143affb37f5a0c01007ec4dd Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 29 Sep 2022 11:44:05 -0700 Subject: [PATCH 005/120] openssf metrics: Mention tie in with distributed compute --- openssf_metrics.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index a25aa37..13c8785 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -13,6 +13,9 @@ confidential compute or traditional permissions is impelmenetation details. - TODO - Align with Software Supply Chain Artifact Examples use case - https://github.com/ietf-scitt/use-cases/pull/17/files + - As CI/CD velocity increases, we approach a similar threat model to distributed + compute, address here. + - https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0000_forward.md#supply-chain-security - As consumer, how can I discover that fact and trust that it's accruate - Could imagine a world where things like Scorecard express the data as as SCITT attestation - You go and query that (source code data mining data or vuln data) store (via DID resolution) From ab70fea395f729c1ee07f041745d790762904134 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 3 Oct 2022 15:08:46 -0700 Subject: [PATCH 006/120] openssf metrics: Mention future work: Rolling Alice: Coach Alice: Down the Dependency Rabbit-Hole Again Engineering Log: https://github.com/intel/dffml/discussions/1406#discussioncomment-3787805 --- openssf_metrics.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 13c8785..322237d 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -10,7 +10,21 @@ Mike from OpenSSF has been thinking about SCITT as a schema and rules on how one would assert facts, weither it's confidential compute or traditional permissions is impelmenetation details. +- Future + - As a follow on to the OpenSSF Metrics use case document and + [Living Threat Models are better than Dead Threat Models](https://www.youtube.com/watch?v=TMlC_iAK3Rg&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw) + [Rolling Alice: Volume 1: Coach Alice: Chapter 1: Down the Dependency Rabbit-Hole Again](https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0001_coach_alice/0001_down_the_dependency_rabbit_hole_again.md) + will cover how we identify and query provenance on dependencies where caching + on data flow execution is assisted via quering public SCITT infrastructure + and sourcing cached state from trustworthy parties. - TODO + - Go over `.github/workflows/alice_shouldi_contribute.yml` which is called as reusable + workflow using SLSA demos as conceptual upstream. + - This gives us metric collection with overlays applied to input network which log + data provenance later used via policy referenced in a Living Threat Model + of a downstream end user facing application. The use case document will cover + how we effectivly self notarize the data provenance assisted by the OIDC token + issused to the workflow from GitHub. - Align with Software Supply Chain Artifact Examples use case - https://github.com/ietf-scitt/use-cases/pull/17/files - As CI/CD velocity increases, we approach a similar threat model to distributed From 5dbc6f8f72acb1300efa34b0a6825ca628930ba8 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 3 Oct 2022 18:25:03 -0700 Subject: [PATCH 007/120] openssf metrics: Add ethics --- openssf_metrics.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 322237d..f31b5d6 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -10,13 +10,6 @@ Mike from OpenSSF has been thinking about SCITT as a schema and rules on how one would assert facts, weither it's confidential compute or traditional permissions is impelmenetation details. -- Future - - As a follow on to the OpenSSF Metrics use case document and - [Living Threat Models are better than Dead Threat Models](https://www.youtube.com/watch?v=TMlC_iAK3Rg&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw) - [Rolling Alice: Volume 1: Coach Alice: Chapter 1: Down the Dependency Rabbit-Hole Again](https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0001_coach_alice/0001_down_the_dependency_rabbit_hole_again.md) - will cover how we identify and query provenance on dependencies where caching - on data flow execution is assisted via quering public SCITT infrastructure - and sourcing cached state from trustworthy parties. - TODO - Go over `.github/workflows/alice_shouldi_contribute.yml` which is called as reusable workflow using SLSA demos as conceptual upstream. @@ -86,3 +79,13 @@ of thought alignment to strategic principles. - https://docs.microsoft.com/en-us/azure/confidential-ledger/architecture - Similar work to address - https://docs.google.com/presentation/d/1WF4dsJiwR6URWPgn1aiHAE3iLVl-oGP4SJRWFpcOlao/edit#slide=id.g14078b5bab0_0_517 +- Future + - As a follow on to the OpenSSF Metrics use case document and + [Living Threat Models are better than Dead Threat Models](https://www.youtube.com/watch?v=TMlC_iAK3Rg&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw) + [Rolling Alice: Volume 1: Coach Alice: Chapter 1: Down the Dependency Rabbit-Hole Again](https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0001_coach_alice/0001_down_the_dependency_rabbit_hole_again.md) + will cover how we identify and query provenance on dependencies where caching + on data flow execution is assisted via quering public SCITT infrastructure + and sourcing cached state from trustworthy parties. + - Leveraging our restoration of cached state from trustworthy parties and + LTM policy we can measure alignment of ML model's used within BOM components + so as to report conceptual alignment with entity strategic plans / principles. From e5d4087ee52230f2ba307e5524247d58c18181d3 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 3 Oct 2022 18:50:13 -0700 Subject: [PATCH 008/120] openssf metrics: Refactor and mention end user focused --- openssf_metrics.md | 57 +++++++++++++++++++++++----------------------- 1 file changed, 28 insertions(+), 29 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index f31b5d6..c2813b7 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -2,7 +2,9 @@ > Pull Request Review (WIP): https://github.com/ietf-scitt/use-cases/pull/18 -Collection of metric / Alpha-Omega data into shared DB. +Collection of metric data into shared (crowdsourcable) DB. There are many repos +to search, we want to enable self reporting and granularity as applicable to +ad-hoc formed policy as desired by end-user. ## Misc. Notes @@ -41,42 +43,17 @@ confidential compute or traditional permissions is impelmenetation details. would say that the input network is reused from the top level system context (it has access to that memory region, whereas when you launch and ELF you look access to the parents memory region, typically). - -We care about data provenance. This provenance could be for example on -inference derived from provenance from training data and model training -env and config. This will allow us to ensure the prioritizer make -decisions based on Sprit of the law / aka intent based policy derived from -[Trinity of Static Analysis, Dynamic Analysis, and Intent](https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice/0000_architecting_alice#entity-analysis-trinity). - -Living Threat Model threats, mitigations, trust boundaries as initial data -set for cross domain conceptual mapping of the the trinity to build pyramid -of thought alignment to strategic principles. - -- One of our strategic plans / principles might say - - "We must be able to trust the sources of all input data used for all - model training was done from research studies with these ethical - certifications" -- This allows us to write policies (Open Policy Agent to JSON to DID/VC/SCITT - translation/application exploration still in progress) for the organizations - we form and apply them as overlays to flows we execute where context appropriate. - These overlaid flows define the trusted parties within that context as applicable - to the active organizational policies as applicable to the top level system context. -- The policy associated with the principle that consumes the overlaid trust - attestations we will implement and LTM auditor for which checks - the SCITT provenance information associated with the operation implementations and - the operation implementation network, input network, etc. within the orchestrator - trust boundary - - TODO - - References - https://github.com/intel/dffml/blob/alice/docs/arch/0009-Open-Architecture.rst - https://github.com/intel/dffml/blob/alice/docs/arch/0008-Manifest.md - https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice - [2022-09-29 IETF SCITT Technical Meeting](https://github.com/intel/dffml/discussions/1406#discussioncomment-3763647) + - https://github.com/transmute-industries/did-eqt/blob/main/docs/did-eqt-opa-primer.md#securing-did-method-operations-with-opa - https://datatracker.ietf.org/doc/html/draft-birkholz-scitt-architecture - https://www.w3.org/2022/07/pressrelease-did-rec.html.en - https://docs.microsoft.com/en-us/azure/confidential-ledger/architecture + - In search of more easy options to faciliate public/private hybrid chains + of supply chain data. ideally OSS (SSI Service?). - Similar work to address - https://docs.google.com/presentation/d/1WF4dsJiwR6URWPgn1aiHAE3iLVl-oGP4SJRWFpcOlao/edit#slide=id.g14078b5bab0_0_517 - Future @@ -89,3 +66,25 @@ of thought alignment to strategic principles. - Leveraging our restoration of cached state from trustworthy parties and LTM policy we can measure alignment of ML model's used within BOM components so as to report conceptual alignment with entity strategic plans / principles. + - We care about data provenance. This provenance could be for example on + inference derived from provenance from training data and model training + env and config. This will allow us to ensure the prioritizer make + decisions based on Sprit of the law / aka intent based policy derived from + [Trinity of Static Analysis, Dynamic Analysis, and Intent](https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice/0000_architecting_alice#entity-analysis-trinity). + - Living Threat Model threats, mitigations, trust boundaries as initial data + set for cross domain conceptual mapping of the the trinity to build pyramid + of thought alignment to strategic principles. + - One of our strategic plans / principles might say + - "We must be able to trust the sources of all input data used for all + model training was done from research studies with these ethical + certifications" + - This allows us to write policies (Open Policy Agent to JSON to DID/VC/SCITT + translation/application exploration still in progress) for the organizations + we form and apply them as overlays to flows we execute where context appropriate. + These overlaid flows define the trusted parties within that context as applicable + to the active organizational policies as applicable to the top level system context. + - The policy associated with the principle that consumes the overlaid trust + attestations we will implement and LTM auditor for which checks + the SCITT provenance information associated with the operation implementations and + the operation implementation network, input network, etc. within the orchestrator + trust boundary. From a256cbcc45f47a5fabd9edb3a93d05de3f94712f Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 10 Nov 2022 10:35:24 -0800 Subject: [PATCH 009/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index c2813b7..1876a47 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -44,6 +44,7 @@ confidential compute or traditional permissions is impelmenetation details. (it has access to that memory region, whereas when you launch and ELF you look access to the parents memory region, typically). - References + - https://scitt.io/distributing-with-oci-registries.html - https://github.com/intel/dffml/blob/alice/docs/arch/0009-Open-Architecture.rst - https://github.com/intel/dffml/blob/alice/docs/arch/0008-Manifest.md - https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice From bbb418ed5ff33dc7c7e8be3dbfad459c4072811e Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 16 Nov 2022 12:37:21 -0800 Subject: [PATCH 010/120] Update openssf_metrics.md https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4157129 --- openssf_metrics.md | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 1876a47..1b1abd8 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -6,6 +6,45 @@ Collection of metric data into shared (crowdsourcable) DB. There are many repos to search, we want to enable self reporting and granularity as applicable to ad-hoc formed policy as desired by end-user. +- NVD API style as first way to distribute VEX. + - ActivityPub publish as well + - Websub for new notifications? Look up how Mastodon does. +- Added CLI command `alice threats vulns serve nvdstyle` + - https://github.com/intel/dffml/commit/cb2c09ead795ba0046cb5911bcd6e939419058d8 + - https://github.com/intel/dffml/blob/4101595a800e74f57cec5537ea2c65680135b71a/entities/alice/alice/threats/vulns/serve/nvdstyle.py#L1-L241 +- The Open Architecture (Alice) sits at the interesction of CI/CD, Security, and AI/ML. + - We metion Alice here as a follow on who's development sees this use case as critical (comms ;) +- Think cross between review system (SCITT as the proof, TDB on identity preknown at this point, OpenSSF members stream 8 vuln sharing CCF ledger) +- https://scitt.io/distributing-with-oci-scitt.html +- https://www.darkreading.com/dr-tech/cybersecurity-nutrition-labels-still-a-work-in-progress + - https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/20/statement-by-nsc-spokesperson-adrienne-watson-on-the-biden-harris-administrations-effort-to-secure-household-internet-enabled-devices/ + - > Yesterday, the White House convened leaders from the private sector, academic institutions, and the U.S. Government to advance a national cybersecurity labeling program for Internet-of-Things (IoT) devices. The Biden-Harris Administration has made it a priority to strengthen our nation’s cybersecurity, and a key part of that effort is ensuring the devices that have become a commonplace in the average American household – like baby monitors or smart home appliances – are protected from cyber threats. A labeling program to secure such devices would provide American consumers with the peace of mind that the technology being brought into their homes is safe, and incentivize manufacturers to meet higher cybersecurity standards and retailers to market secure devices. + > + > Yesterday’s dialogue focused on how to best implement a national cybersecurity labeling program, drive improved security standards for Internet-enabled devices, and generate a globally recognized label. Government and industry leaders discussed the importance of a trusted program to increase security across consumer devices that connect to the Internet by equipping devices with easily recognized labels to help consumers make more informed cybersecurity choices (e.g., an “EnergyStar” for cyber). These conversations build on the foundational work that has been pioneered by the private sector and the National Institute of Standards and Technology (NIST) to help build more secure Internet-connected devices. It also follows President Biden’s Executive Order on Improving the Nation’s Cybersecurity, which highlighted the need for improved IoT security and tasked NIST, in partnership with the Federal Trade Commission, to advance improved cybersecurity standards and standardized product labels for these devices. +- https://csrc.nist.gov/publications/detail/white-paper/2022/11/09/implementing-a-risk-based-approach-to-devsecops/final + - > DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full understanding and consideration of security. Also, most software today relies on one or more third-party components, yet organizations often have little or no visibility into and understanding of how these components are developed, integrated, deployed, and maintained, as well as the practices used to ensure the components’ security. To help improve the security of DevOps practices, the NCCoE is planning a DevSecOps project that will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. This project will apply these DevSecOps practices in proof-of-concept use case scenarios that will each be specific to a technology, programming language, and industry sector. Both closed source (proprietary) and open source technology will be used to demonstrate the use cases. This project will result in a freely available NIST Cybersecurity Practice Guide. +- https://www.intel.com/content/www/us/en/newsroom/news/2022-intel-innovation-day-2-livestream-replay.html#gs.djq36o + - Similar to the software labeling, with Alice we are trying to cross these streams + - Datasheets for Datasets + - https://arxiv.org/abs/1803.09010 + - > The machine learning community currently has no standardized process for documenting datasets, which can lead to severe consequences in high-stakes domains. To address this gap, we propose datasheets for datasets. In the electronics industry, every component, no matter how simple or complex, is accompanied with a datasheet that describes its operating characteristics, test results, recommended uses, and other information. By analogy, we propose that every dataset be accompanied with a datasheet that documents its motivation, composition, collection process, recommended uses, and so on. Datasheets for datasets will facilitate better communication between dataset creators and dataset consumers, and encourage the machine learning community to prioritize transparency and accountability. + +![image](https://user-images.githubusercontent.com/5950433/193330714-4bcceea4-4402-468f-82a9-51882939452c.png) + +- Possible alignment with Andrew's "Data-Centric AI" + - is the discipline of systematically engineering the data used to build an AI system + - This is what we're doing with Alice +- Possible alignment with Andrew's "The iterative process of ML development" + - https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice/0000_architecting_alice#entity-analysis-trinity + - Intent / Train model + - Establish correlations between threat model intent and collected data / errors (telemetry or static analysis, policy, failures) + - Dynamic analysis / Improve data + - We tweak the code to make it do different things to see different data. The application of overlays. Think over time. + - Static / Error analysis + - There might be async debug initiated here but this maps pretty nicely conceptually since we'd think of this as a static process, we already have some errors to analyze if we're at this step. + +![Entity Analysis Trinity](https://user-images.githubusercontent.com/5950433/188203911-3586e1af-a1f6-434a-8a9a-a1795d7a7ca3.svg) + ## Misc. Notes Mike from OpenSSF has been thinking about SCITT as a schema From d030dbc1fe4afe0772806fc69951d68ca41713f8 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 16 Nov 2022 12:38:34 -0800 Subject: [PATCH 011/120] Update openssf_metrics.md --- openssf_metrics.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 1b1abd8..a81a365 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -29,7 +29,9 @@ ad-hoc formed policy as desired by end-user. - https://arxiv.org/abs/1803.09010 - > The machine learning community currently has no standardized process for documenting datasets, which can lead to severe consequences in high-stakes domains. To address this gap, we propose datasheets for datasets. In the electronics industry, every component, no matter how simple or complex, is accompanied with a datasheet that describes its operating characteristics, test results, recommended uses, and other information. By analogy, we propose that every dataset be accompanied with a datasheet that documents its motivation, composition, collection process, recommended uses, and so on. Datasheets for datasets will facilitate better communication between dataset creators and dataset consumers, and encourage the machine learning community to prioritize transparency and accountability. -![image](https://user-images.githubusercontent.com/5950433/193330714-4bcceea4-4402-468f-82a9-51882939452c.png) +> Side from Andrew Ng's Intel Innovation 2022 Luminary Keynote +> Source: https://www.intel.com/content/www/us/en/newsroom/news/2022-intel-innovation-day-2-livestream-replay.html#gs.iex8mr +> ![image](https://user-images.githubusercontent.com/5950433/193330714-4bcceea4-4402-468f-82a9-51882939452c.png) - Possible alignment with Andrew's "Data-Centric AI" - is the discipline of systematically engineering the data used to build an AI system From 0733779a2b20b9082bf1c66cd159734220473fcc Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 16 Nov 2022 12:43:12 -0800 Subject: [PATCH 012/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index a81a365..371607a 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -45,6 +45,8 @@ ad-hoc formed policy as desired by end-user. - Static / Error analysis - There might be async debug initiated here but this maps pretty nicely conceptually since we'd think of this as a static process, we already have some errors to analyze if we're at this step. +*Gif of Alice on roller skates throwing a bowling ball which is a software vuln, strike, she frontflips throwing knife style throws the pins into pull requests. We zoom out and see her just doing this over and over again around the Entity Analysis Trinity. Intent/LTM is where the throwing board is. Bowling alley is static analysis and the end of the bowling ally where she frontflips over (through hoop of CI/CD fire?) is where she pics up the pins and throws them as pull request (titles and numbers maybe, pulls/1401 style maybe?) knives into the board at the top which is the LTM and codebase. Then from top, LTM to static analysis where bowling alley starts shes in the lab, cooking up the vuln or maybe out looking for it. Or maybe refactoring after pull requests!* + ![Entity Analysis Trinity](https://user-images.githubusercontent.com/5950433/188203911-3586e1af-a1f6-434a-8a9a-a1795d7a7ca3.svg) ## Misc. Notes From 36b4578a8ae7978f55c10e4e0a2eabd88788da27 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 23 Nov 2022 12:04:47 -0800 Subject: [PATCH 013/120] Update openssf_metrics.md --- openssf_metrics.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 371607a..3ea6cf5 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -100,6 +100,10 @@ confidential compute or traditional permissions is impelmenetation details. of supply chain data. ideally OSS (SSI Service?). - Similar work to address - https://docs.google.com/presentation/d/1WF4dsJiwR6URWPgn1aiHAE3iLVl-oGP4SJRWFpcOlao/edit#slide=id.g14078b5bab0_0_517 +- We first issue the verifiable credentials, with a reference to the rest of the hashlinks (or whatever the CBOR style thing is) + - Open Source Decentralized Identifiers and Verifiable Credentials Infrastructure and Tooling - verifiable-data/Hashlink.ts at c80cab9abe4db478add16b14837ba9a3afc3a70f + - Then we hashlink that, and that's the top level ref. effectivly the evolution of the zephyr.stripped shasum patchset + - https://github.com/zephyrproject-rtos/zephyr/pull/51954 - Future - As a follow on to the OpenSSF Metrics use case document and [Living Threat Models are better than Dead Threat Models](https://www.youtube.com/watch?v=TMlC_iAK3Rg&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw) From 11c0368b483f51c476f95b116341e95153f24081 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 25 Nov 2022 20:38:42 -0800 Subject: [PATCH 014/120] See about cross with UCAN Related: https://github.com/ucan-wg/invocation/pull/1 --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 3ea6cf5..fd997b7 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -88,6 +88,7 @@ confidential compute or traditional permissions is impelmenetation details. access to the parents memory region, typically). - References - https://scitt.io/distributing-with-oci-registries.html + - https://github.com/ucan-wg/invocation/pull/1/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R85 - https://github.com/intel/dffml/blob/alice/docs/arch/0009-Open-Architecture.rst - https://github.com/intel/dffml/blob/alice/docs/arch/0008-Manifest.md - https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice From 4c9d15ed78ec693130ddb00925008c130c8a5e8b Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 30 Nov 2022 05:56:13 -0800 Subject: [PATCH 015/120] Update openssf_metrics.md --- openssf_metrics.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index fd997b7..cb6765c 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -13,7 +13,7 @@ ad-hoc formed policy as desired by end-user. - https://github.com/intel/dffml/commit/cb2c09ead795ba0046cb5911bcd6e939419058d8 - https://github.com/intel/dffml/blob/4101595a800e74f57cec5537ea2c65680135b71a/entities/alice/alice/threats/vulns/serve/nvdstyle.py#L1-L241 - The Open Architecture (Alice) sits at the interesction of CI/CD, Security, and AI/ML. - - We metion Alice here as a follow on who's development sees this use case as critical (comms ;) + - We metion Alice here as a follow on who's development sees this use case as critical - Think cross between review system (SCITT as the proof, TDB on identity preknown at this point, OpenSSF members stream 8 vuln sharing CCF ledger) - https://scitt.io/distributing-with-oci-scitt.html - https://www.darkreading.com/dr-tech/cybersecurity-nutrition-labels-still-a-work-in-progress @@ -91,7 +91,7 @@ confidential compute or traditional permissions is impelmenetation details. - https://github.com/ucan-wg/invocation/pull/1/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R85 - https://github.com/intel/dffml/blob/alice/docs/arch/0009-Open-Architecture.rst - https://github.com/intel/dffml/blob/alice/docs/arch/0008-Manifest.md - - https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice + - https://www.cisa.gov/sites/default/files/publications/VEX_Use_Cases_Aprill2022.pdf - [2022-09-29 IETF SCITT Technical Meeting](https://github.com/intel/dffml/discussions/1406#discussioncomment-3763647) - https://github.com/transmute-industries/did-eqt/blob/main/docs/did-eqt-opa-primer.md#securing-did-method-operations-with-opa - https://datatracker.ietf.org/doc/html/draft-birkholz-scitt-architecture From 887f5bea15bb1df5c1ca77d9f35b9fbc00fff577 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 7 Feb 2023 13:11:23 -0800 Subject: [PATCH 016/120] Update openssf_metrics.md --- openssf_metrics.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index cb6765c..a0856cb 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -9,9 +9,7 @@ ad-hoc formed policy as desired by end-user. - NVD API style as first way to distribute VEX. - ActivityPub publish as well - Websub for new notifications? Look up how Mastodon does. -- Added CLI command `alice threats vulns serve nvdstyle` - - https://github.com/intel/dffml/commit/cb2c09ead795ba0046cb5911bcd6e939419058d8 - - https://github.com/intel/dffml/blob/4101595a800e74f57cec5537ea2c65680135b71a/entities/alice/alice/threats/vulns/serve/nvdstyle.py#L1-L241 +- [service: sw: src: change: notify: Service to facilitate poly repo pull model dev tooling: activitypubsecuritytxt](https://github.com/intel/dffml/issues/1315#issuecomment-1416392795) - The Open Architecture (Alice) sits at the interesction of CI/CD, Security, and AI/ML. - We metion Alice here as a follow on who's development sees this use case as critical - Think cross between review system (SCITT as the proof, TDB on identity preknown at this point, OpenSSF members stream 8 vuln sharing CCF ledger) From f107077db9d9b3734e9b3163092570b84ce5f79e Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 7 Feb 2023 13:12:03 -0800 Subject: [PATCH 017/120] Update openssf_metrics.md --- openssf_metrics.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index a0856cb..941cf49 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -6,10 +6,9 @@ Collection of metric data into shared (crowdsourcable) DB. There are many repos to search, we want to enable self reporting and granularity as applicable to ad-hoc formed policy as desired by end-user. -- NVD API style as first way to distribute VEX. - - ActivityPub publish as well - - Websub for new notifications? Look up how Mastodon does. - [service: sw: src: change: notify: Service to facilitate poly repo pull model dev tooling: activitypubsecuritytxt](https://github.com/intel/dffml/issues/1315#issuecomment-1416392795) + - We first way to distribute VEX. + - Later interop with Aradine's Rapunzel - The Open Architecture (Alice) sits at the interesction of CI/CD, Security, and AI/ML. - We metion Alice here as a follow on who's development sees this use case as critical - Think cross between review system (SCITT as the proof, TDB on identity preknown at this point, OpenSSF members stream 8 vuln sharing CCF ledger) From 5c0d939b1296b890e419c2f95581bad64d3405bd Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 7 Feb 2023 13:13:47 -0800 Subject: [PATCH 018/120] Update openssf_metrics.md --- openssf_metrics.md | 387 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 387 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 941cf49..94d59cb 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -7,8 +7,395 @@ to search, we want to enable self reporting and granularity as applicable to ad-hoc formed policy as desired by end-user. - [service: sw: src: change: notify: Service to facilitate poly repo pull model dev tooling: activitypubsecuritytxt](https://github.com/intel/dffml/issues/1315#issuecomment-1416392795) + - Reproduced below - We first way to distribute VEX. - Later interop with Aradine's Rapunzel + + +- [Alice Engineering Comms: 2023-02-03 Engineering Logs](https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4863663) +- docs: tutorials: rolling alice: architecting alice: stream of consciousness: Link to activitypubsecuritytxt + - https://github.com/intel/dffml/commit/a5e638884e565f727ae4fedf91a33b3ce68bcfa9 + - https://github.com/pdxjohnny/activitypubsecuritytxt + +--- +# activitypubsecuritytxt + +A methodology allowing organizations to nominate security contact points and policies via ActivityPub Actors. + +> This proposal was first made public on January 30, 2023 and is is currently a draft. We welcome comments and feedback! To make suggestions please comment via Github or [submit a ticket](https://github.com/intel/dffml/issues). Thanks for your interest! + +VEX documents should be aligned with the either the https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html or OpenVEX specs: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex (https://github.com/pdxjohnny/activitypubsecuritytxt/commit/1e35f549a33347918335e89200055841b267e86c). We can then communicate the IDs via ActivityPub like so. + +- References + - RFC9116: https://securitytxt.org/ + - https://github.com/ietf-scitt/use-cases/issues/14 + - https://github.com/openvex/spec/issues/9 + - https://mastodon.social/@ariadne@treehouse.systems/109784681116604896 + - > meanwhile at work, a thing i've been working on for the past few months has dropped: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex it's basically like ActivityStreams, but for security vulnerability data sharing. with a little bit of work, we can lift up to something more like ActivityPub for real-time collaboration, a blog is forthcoming about it. + - aka the Manifest Transport ADR + - Associated Alice tutorial: [Rolling Alice: Architecting Alice: Stream of Consiousness](https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0000_architecting_alice/0005_stream_of_consciousness.md) + - https://social.treehouse.systems/@ariadne/109808644259234008 + - We'll want to align with Ariadne's Rapunzel + - [Alice Engineering Comms: 2023-02-06 Engineering Logs](https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4883572) +- TODO + - [ ] OIDC to keypair to post replys (fulcio?) + - Or just the noterizing proxy + +## Summary + +When entities find security issues in source code, the correct channel to report security issues can be found if the repo has an RFC 9116 `security.txt` file with a `Contact` field. This contact field can be a URL which points to an ActivityPub Actor. + +Via traversal of ActivityPub AcivityStream objects, reporters are enabled to discover reporting endpoints. Researchers are also enabled to receive up to date events by following declared ActivityPub Actors. When a researcher finds a vulnerability, they can submit their evidence to an [eNotary](https://scitt.io/components/enotary.html) (could be self notarized). The eNotary attests validity of the vuln and then replys to ActivityPub threads to facilite communication of valid vuln to upstream. + +--- + +Scratch work upstream: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4819872 + +- Just FYI, have been playing with the idea of using security.txt contact as an AcivityPub Actor to advertise things such as delegate Actors for various purposes. For example, list via attachments actors which publish content addresses of an orgs SBOMs This would enable leveraging ActivityPub as a means for definition and broadcast for entities delegated to various roles. We could do the same for the 3rd parties to advertise what actors are within which roles, aka are authorized to say this thing is FIPs certified. We could then attach SCITT receipts to these: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4794771 + - The SCITT registry then becomes the quick lookup path (analogously database view) to verify this. This way end users don't have to traverse the full Knowledge Graph (Activity Pub in this case). Receipt we care about for verification would be is this `inReplyTo` DAG hop path valid, aka is `did:merkle` in SCITT. + - Can have a thread linked in attachments for manifests, can discover from there + - Can watch for replies and execute jobs based off listening for manifest instances `inReplyTo` to the manifest. + - Post content addresses of manifest existing in oras.land (a container "image" registry) + - `FROM scratch` + - [Alice Engineering Comms: 2023-01-19 @pdxjohnny Engineering Logs](https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4729296) + - https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/advance-readings/Enhancing_DID_Privacy_through_shared_Credentials.md + - https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/draft-documents/did-merkle.md +- Looks like we can have four attachments, we can make one link to a post as an attachment, then replies to that to build more trees of data +- https://policymaker.disclose.io/policymaker/introduction + +--- + +```mermaid +graph TD + subgraph bob[Bob's Cool Software] + actor[ActivityPub Actor - @ bob@ forge.mycoolsoftware.example.com] + actor_attachment[Attachment PropertyValue activitypubsecuritytxt] + activitypubsecuritytxt_root_post[activitypubsecuritytxt root post] + activitypubsecuritytxt_vcs_push[vcs.push root post] + activitypubsecuritytxt_vcs_push_content[vcs.push content - content address of manifest instance in registry] + + actor --> actor_attachment + actor_attachment -->|Link| activitypubsecuritytxt_root_post + activitypubsecuritytxt_vcs_push -->|inReplyTo| activitypubsecuritytxt_root_post + activitypubsecuritytxt_vcs_push_content -->|inReplyTo| activitypubsecuritytxt_vcs_push + end + + subgraph alice[Alice] + alice_shouldi_contribute[Static Analysis Result] -->|inReplyTo| activitypubsecuritytxt_vcs_push_content + end +``` + +```json +{ + "@context": [ + "https://www.w3.org/ns/activitystreams", + "https://w3id.org/security/v1", + ], + "id": "https://mastodon.social/users/alice", + "type": "Person", + "following": "https://mastodon.social/users/alice/following", + "followers": "https://mastodon.social/users/alice/followers", + "inbox": "https://mastodon.social/users/alice/inbox", + "outbox": "https://mastodon.social/users/alice/outbox", + "featured": "https://mastodon.social/users/alice/collections/featured", + "featuredTags": "https://mastodon.social/users/alice/collections/tags", + "preferredUsername": "alice", + "name": "Alice", + "summary": "An ActivityPub Actor", + "url": "https://mastodon.social/@alice", + "publicKey": { + "id": "https://mastodon.social/users/alice#main-key", + "owner": "https://mastodon.social/users/alice", + "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgk\n-----END PUBLIC KEY-----\n" + }, + "attachment": [ + { + "type": "PropertyValue", + "name": "activitypubextensions", + "value": "https://mastodon.social/users/alice/statuses/1" + } + ], + "endpoints": { + "sharedInbox": "https://mastodon.social/inbox" + } +} +``` + + + +```json +{ + "@context": [ + "https://www.w3.org/ns/activitystreams" + ], + "id": "https://mastodon.social/users/alice/statuses/1", + "type": "Note", + "summary": null, + "inReplyTo": null, + "published": "2022-11-11T04:40:17Z", + "url": "https://mastodon.social/@alice/1", + "attributedTo": "https://mastodon.social/users/alice", + "to": [ + "https://www.w3.org/ns/activitystreams#Public" + ], + "cc": [ + "https://mastodon.social/users/alice/followers" + ], + "sensitive": false, + "content": "activitypubextensions", + "updated": "2022-11-11T04:42:27Z", + "attachment": [], + "replies": { + "id": "https://mastodon.social/users/alice/statuses/1/replies", + "type": "Collection", + "first": { + "type": "CollectionPage", + "next": "https://mastodon.social/users/alice/statuses/1/replies?min_id=1&page=true", + "partOf": "https://mastodon.social/users/alice/statuses/1/replies", + "items": [ + "https://mastodon.social/users/alice/statuses/2" + ] + } + } +} +``` + +- TODO for root nodes, should we be using a manifest instance? + - https://github.com/intel/dffml/blob/alice/docs/arch/0010-Schema.rst + - https://github.com/intel/dffml/blob/alice/docs/arch/0008-Manifest.md + +```json +{ + "@context": [ + "https://www.w3.org/ns/activitystreams" + ], + "id": "https://mastodon.social/users/alice/statuses/2", + "type": "Note", + "summary": null, + "inReplyTo": "https://mastodon.social/users/alice/statuses/1", + "published": "2022-11-11T04:40:17Z", + "url": "https://mastodon.social/@alice/2", + "attributedTo": "https://mastodon.social/users/alice", + "to": [ + "https://www.w3.org/ns/activitystreams#Public" + ], + "cc": [ + "https://mastodon.social/users/alice/followers" + ], + "sensitive": false, + "content": "activitypubsecuritytxt", + "updated": "2022-11-11T04:42:27Z", + "attachment": [], + "replies": { + "id": "https://mastodon.social/users/alice/statuses/2/replies", + "type": "Collection", + "first": { + "type": "CollectionPage", + "next": "https://mastodon.social/users/alice/statuses/2/replies?min_id=2&page=true", + "partOf": "https://mastodon.social/users/alice/statuses/2/replies", + "items": [ + "https://mastodon.social/users/alice/statuses/3" + ] + } + } +} +``` + +```json +{ + "@context": [ + "https://www.w3.org/ns/activitystreams" + ], + "id": "https://mastodon.social/users/alice/statuses/3", + "type": "Note", + "summary": null, + "inReplyTo": "https://mastodon.social/users/alice/statuses/2", + "published": "2022-11-11T04:40:17Z", + "url": "https://mastodon.social/@alice/3", + "attributedTo": "https://mastodon.social/users/alice", + "to": [ + "https://www.w3.org/ns/activitystreams#Public" + ], + "cc": [ + "https://mastodon.social/users/alice/followers" + ], + "sensitive": false, + "content": "vcs.push", + "updated": "2022-11-11T04:42:27Z", + "attachment": [], + "replies": { + "id": "https://mastodon.social/users/alice/statuses/3/replies", + "type": "Collection", + "first": { + "type": "CollectionPage", + "next": "https://mastodon.social/users/alice/statuses/3/replies?min_id=3&page=true", + "partOf": "https://mastodon.social/users/alice/statuses/3/replies", + "items": [ + "https://mastodon.social/users/alice/statuses/4" + ] + } + } +} +``` + +```json +{ + "@context": [ + "https://www.w3.org/ns/activitystreams" + ], + "id": "https://mastodon.social/users/alice/statuses/4", + "type": "Note", + "summary": null, + "inReplyTo": "https://mastodon.social/users/alice/statuses/3", + "published": "2022-11-11T04:54:56Z", + "url": "https://mastodon.social/@alice/4", + "attributedTo": "https://mastodon.social/users/alice", + "to": [ + "https://www.w3.org/ns/activitystreams#Public" + ], + "cc": [ + "https://mastodon.social/users/alice/followers" + ], + "sensitive": false, + "content": "registry.example.org/vex:sha256@babebabe", + "attachment": [], + "tag": [], + "replies": { + "id": "https://mastodon.social/users/alice/statuses/4/replies", + "type": "Collection", + "first": { + "type": "CollectionPage", + "next": "https://mastodon.social/users/alice/statuses/4/replies?only_other_accounts=true&page=true", + "partOf": "https://mastodon.social/users/alice/statuses/4/replies", + "items": [] + } + } +} +``` + +- Now we want to translate to OpenVEX and have the content addresses of the signature for the post + - https://github.com/package-url/purl-spec + - https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#example +- `statements.impact_statement` is Webhook payload object with SCITT enchancements + - https://scitt.io/distributing-with-oci-scitt.html + - Registry content addresses contains granular results (webhook payload, `alice shouldi contribute`, etc.) + - Then our webhook watch on the registry publishes the replys + - Or we update an example container with a pinned sha on the `FROM` + - By watching the `push@vcs` (Version Control System) for the file + - We should upload the VEX without the `@id` to the registry, then use that ID as the VEX + `@id` when we `createPost()`. + - Or better yet just have it do a kontain.me lightwieght proxy from the registry object + +```json +{ + "@context": "https://openvex.dev/ns", + "@id": "https://mastodon.social/users/alice/statuses/vex-sha256@feedface", + "author": "GitHub Actions ", + "role": "GitHub Actions", + "timestamp": "2023-02-02T14:24:00.000000000-07:00", + "version": "1", + "statements": [ + { + "vulnerability": "vex-vcspush-sha256@feedface", + "products": [ + "pkg:github/intel/dffml@ddb32a4e65b0d79c7561ce2bdde16d963c8abde1" + ], + "status": "not_affected", + "justification": "vulnerable_code_not_in_execute_path" + "impact_statement": "registry.example.org/vcspush:sha256@feedface", + } + ] +} +``` + +- **TODO** https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html example +- We can now watch for events + - **TODO** Update the following with the `xargs` call to https://github.com/genuinetools/reg (or equivilant) to do the double hop download of the VEX (without the `@id` right now because there is no proxy, just add on download), and then the subsquent manifest download of the vsspush webhook payload, then finally do the `.commits[].modified[]` selection + - `$ websocat --exit-on-eof --basic-auth alice:$(cat ../password) ws://localhost:8000/listen/websocket | jq --unbuffered -r .object.id | xargs -l -I '{}' -- sh -c "curl -sfL '{}' | jq -r" &` + - https://github.com/jakelazaroff/activitypub-starter-kit/pull/2 + +```console +$ curl -sfL https://vcs.example.org/push/outbox | jq --unbuffered -r '.orderedItems[].object.content' | grep stream_of | grep modified | jq -r --unbuffered '.commits[].modified[]' +Dockerfile +``` + +- Example use cases + - DFFML 2nd party downstream rebuilds + - https://github.com/intel/dffml/pull/1061/files#diff-c7d7828822f15922ed830bb6f3148edc97c291c809836b1a1808165d36bd8c9dR225-R229 + - https://github.com/pdxjohnny/dffml/blob/a7b2b0585862bda883be5f475a50945f91043b2f/docs/arch/0001-2nd-and-3rd-party-plugins.rst + - ref: PR validation + - Rebuild upstream container when we get an VEX (via AcivityPub) from upstream saying that any of the files we want to watch have changed + - At first we will just watch all files within the downstream container build workflow + - `on.workflow_dispatch && on.push.paths: ["https://github.com/intel/dffml.git#branch=main/*"]` + - Later we will watch for the example container with the pinned version + - `on.workflow_dispatch && on.push.paths: ["https://github.com/intel/dffml.git#branch=main/dffml/util/skel/common/Dockerfile"]` + - `dffml/util/skel/common/Dockerfile` + - `FROM registry.dffml.org/dffml:sha256@babebabe` + +## Why? + +### Decentralized + +Actors can be spun up ad-hoc, mirrors decentralized nature of OSS development. + +Enables projects to update based on policy. + +> Upstream of following mermaid: https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice/0000_architecting_alice#what-is-alice + +```mermaid +graph BT + subgraph Alice[Alice the Entity] + subgraph compute[Compute] + Web5[Web 5] + KCP + CI_CD[CI/CD] + end + subgraph soul[Strategic Plans and Principles] + Threat_Modeling[Threat Modeling] + Debug + end + subgraph collector[Collector] + subgraph dynamic_analysis[Dynamic Analysis] + policy[policy.yml] + sandbox_policy_generator[Adaptive Sandboxing] + end + subgraph static_analysis[Static Analysis] + cve_bin_tool[CVE Binary Tool] + SBOM + end + end + Open_Architecture + Open_Architecture[Alice the Open Architecture] + snapshot_system_context[Alice the Overlay
Snapshot of System Context] + orchestartor[Orchestartor] + + + Open_Architecture --> Threat_Modeling + Open_Architecture --> Debug + + Threat_Modeling --> orchestartor + Debug --> orchestartor + + orchestartor --> KCP + orchestartor --> Web5 + orchestartor --> CI_CD + + CI_CD --> snapshot_system_context + KCP --> snapshot_system_context + Web5 --> snapshot_system_context + + snapshot_system_context --> sandbox_policy_generator + snapshot_system_context --> cve_bin_tool + + sandbox_policy_generator --> policy --> Open_Architecture + cve_bin_tool --> SBOM --> Open_Architecture + cve_bin_tool --> VEX -->|Trigger validation run of mitigation suggestion| orchestartor + policy -->|Check if policy says out of scope
client vs. server usage| VEX + end +``` + +--- + - The Open Architecture (Alice) sits at the interesction of CI/CD, Security, and AI/ML. - We metion Alice here as a follow on who's development sees this use case as critical - Think cross between review system (SCITT as the proof, TDB on identity preknown at this point, OpenSSF members stream 8 vuln sharing CCF ledger) From 621fb90606425ac8174fbce4dac7a382b604444b Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 7 Feb 2023 13:14:45 -0800 Subject: [PATCH 019/120] Update openssf_metrics.md Related: https://github.com/intel/dffml/issues/1315 --- openssf_metrics.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 94d59cb..7eccb77 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -11,14 +11,7 @@ ad-hoc formed policy as desired by end-user. - We first way to distribute VEX. - Later interop with Aradine's Rapunzel - -- [Alice Engineering Comms: 2023-02-03 Engineering Logs](https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4863663) -- docs: tutorials: rolling alice: architecting alice: stream of consciousness: Link to activitypubsecuritytxt - - https://github.com/intel/dffml/commit/a5e638884e565f727ae4fedf91a33b3ce68bcfa9 - - https://github.com/pdxjohnny/activitypubsecuritytxt - ---- -# activitypubsecuritytxt +## activitypub exetensions for security.txt A methodology allowing organizations to nominate security contact points and policies via ActivityPub Actors. From 9ef13e0e02b1aefdb99118ed1a0d5b22ddc1692e Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 7 Feb 2023 13:19:40 -0800 Subject: [PATCH 020/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 7eccb77..67fb580 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -15,7 +15,7 @@ ad-hoc formed policy as desired by end-user. A methodology allowing organizations to nominate security contact points and policies via ActivityPub Actors. -> This proposal was first made public on January 30, 2023 and is is currently a draft. We welcome comments and feedback! To make suggestions please comment via Github or [submit a ticket](https://github.com/intel/dffml/issues). Thanks for your interest! +> This proposal was first made public on January 30, 2023 and is is currently a draft. We welcome comments and feedback! To make suggestions please comment via Github or [submit a ticket](https://github.com/ietf-scitt/use-cases/issues). Thanks for your interest! VEX documents should be aligned with the either the https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html or OpenVEX specs: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex (https://github.com/pdxjohnny/activitypubsecuritytxt/commit/1e35f549a33347918335e89200055841b267e86c). We can then communicate the IDs via ActivityPub like so. From fd00340917bf31b7b75b920748ef9591693a1dbe Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 7 Feb 2023 13:19:58 -0800 Subject: [PATCH 021/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 67fb580..949c751 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -17,7 +17,7 @@ A methodology allowing organizations to nominate security contact points and pol > This proposal was first made public on January 30, 2023 and is is currently a draft. We welcome comments and feedback! To make suggestions please comment via Github or [submit a ticket](https://github.com/ietf-scitt/use-cases/issues). Thanks for your interest! -VEX documents should be aligned with the either the https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html or OpenVEX specs: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex (https://github.com/pdxjohnny/activitypubsecuritytxt/commit/1e35f549a33347918335e89200055841b267e86c). We can then communicate the IDs via ActivityPub like so. +VEX documents should be aligned with the either the https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html or OpenVEX specs: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex. We can then communicate the IDs via ActivityPub like so. - References - RFC9116: https://securitytxt.org/ From 4768cc9fa98cf7954237282931b1ac45bfecb450 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 8 Feb 2023 13:37:45 -0800 Subject: [PATCH 022/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 949c751..b57d788 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -11,7 +11,7 @@ ad-hoc formed policy as desired by end-user. - We first way to distribute VEX. - Later interop with Aradine's Rapunzel -## activitypub exetensions for security.txt +## activitypub extensions for security.txt A methodology allowing organizations to nominate security contact points and policies via ActivityPub Actors. From de2b016b37d6762fba9f5b1bcde96324c67ce25e Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 8 Feb 2023 13:38:19 -0800 Subject: [PATCH 023/120] Update openssf_metrics.md --- openssf_metrics.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index b57d788..d0f9502 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -514,3 +514,29 @@ confidential compute or traditional permissions is impelmenetation details. the SCITT provenance information associated with the operation implementations and the operation implementation network, input network, etc. within the orchestrator trust boundary. + - https://time.crystals.prophecy.chadig.com + - https://twitter.com/OR13b/status/1621907110572310528 + - Actor `acquire` + - `attachments` `Link` to `activitypubextensions` thread + - `content: "activitypubextensions"` thread + - `inReplyTo: "$activitypubextensions_thread", content: "https://time.crystals.prophecy.chadig.com/bulk.1.0.0.schema.json"` thread + - This becomes analogous to shared stream of consciousness uniform API for submitting across contexts (Manifests). + - CI/CD across projects with different orchestrators for downstream validation of the 2nd and 3rd party plugin ecosystem. + - This facilitates communication across pipelines across repos across PRs so we can use versioned learning to promote across trust boundaries (3rd party to 2nd party or support level 2 to 1) + - #1207 + - #1315 + - Alice helps us see risk over time, this is where we see Coach Alice, cartography used applied to dev branches, we grow closer to distributed compute with this, as iteration time is on dev branches rather than release or main + - This will probably be part of Alice and the Health of the Ecosystem + - Ask him to reply to `@acquire@time.crystals.prophecy.chadig.com` + - ActivityPub Actor watches for messages replying to certain threads + - https://github.com/pdxjohnny/activitypubsecuritytxt + - Actor creates pull request to https://github.com/OR13/endor style repo + - Actor creates didme.me and gets VC SCITT receipt for associated `did:pwk:` (committed into Endor fork, he'd used git as database) + - This could also be our content address of something in oras.land + - In the AI training data/human case we see the input data (meme) validated via SCITT + - We want to enable application of policy to data set ingestion, because this will happen in MLOps aka CI/CD + - Workstream: AI Ethics + - In the CI/CD use case, we see the input data (manifest referenced content, images, packages, metrics data output `FROM scratch` OpenSSF metrics use case) validated via SCITT. + - Later we build up the threat modeling for the dynamic analysis portion of Alice which plays with input data as changes to repos and connects more of our Data, Analysis, Control for the software development process. + - Actor replies to Orie's reply with his receipt for his time crystals. + - For k8s style or OS DecentAlice style deployments (OSS scanning feeding OpenSSF metrics) we could run the graphed trust / event chain to a sidecar ActivityPub Actor / root of trust. From 380d924867ccee79caa43979a344e1ae2a970ff9 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Sat, 11 Feb 2023 02:31:02 -0800 Subject: [PATCH 024/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index d0f9502..bb44cae 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -15,7 +15,7 @@ ad-hoc formed policy as desired by end-user. A methodology allowing organizations to nominate security contact points and policies via ActivityPub Actors. -> This proposal was first made public on January 30, 2023 and is is currently a draft. We welcome comments and feedback! To make suggestions please comment via Github or [submit a ticket](https://github.com/ietf-scitt/use-cases/issues). Thanks for your interest! +> This proposal was first made public on January 30, 2023 and is is currently a draft. We welcome comments and feedback! To make suggestions please comment via ActivityPub inReplyTo https://mastodon.social/@pdxjohnny/109804930974811967. Thank you for your interest! VEX documents should be aligned with the either the https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html or OpenVEX specs: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex. We can then communicate the IDs via ActivityPub like so. From 2219efc992ee9053aada7fc6a0f331428febc9ad Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 13 Feb 2023 08:05:45 -0800 Subject: [PATCH 025/120] Update openssf_metrics.md --- openssf_metrics.md | 232 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 232 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index bb44cae..7ad947d 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -387,6 +387,238 @@ graph BT end ``` +## 2023-02-13 @pdxjohnny Engineering Logs + +- Downstream request + +``` +Data to sign (request-target): post /push/inbox +host: vcs.activitypub.securitytxt.dffml.chadig.com +date: Mon, 13 Feb 2023 14:38:08 GMT +digest: SHA-256=xvQlt8xT5UzECmeLhU94qWLWL6hHug6smeMqgqEihTE= +``` + +- Upstream verification + +``` +Data to compare (request-target): post /push/inbox +host: vcs.activitypub.securitytxt.dffml.chadig.com:80 +date: Mon, 13 Feb 2023 14:38:08 GMT +digest: SHA-256=xvQlt8xT5UzECmeLhU94qWLWL6hHug6smeMqgqEihTE= +Error: Invalid request signature. +``` + +- It was the port on `host` +- Within `src/request.ts:verify()` it's not using the FDQN, it's using the + `Host` header which will be modified by the reverse proxy. + +```typescript +return `${header}: ${req.get(header)}` +``` + +- https://caddyserver.com/docs/quick-starts/reverse-proxy#reverse-proxy-quick-start + - https://caddyserver.com/docs/command-line#reverse-proxy + - > `--change-host-header` will cause Caddy to change the Host header from the incoming value to the address of the upstream. + - Not it rebuilds `host` within `verify()` to just be `:8000`, not what we want, we want the `FDQN` + +```console +$ FDQN=vcs.activitypub.securitytxt.dffml.chadig.com WEBHOOK_PATH=$(cat ../webhook) NODE_ENV=production PORT=8000 ACCOUNT=push ADMIN_USERNAME=admin ADMIN_PASSWORD=$(cat ../password) PUBLIC_KEY=$(cat publickey.crt) PRIVATE_KEY=$(cat pkcs8.key) npm run start + +> dumbo@1.0.0 start +> node build/index.js + +Dumbo listening on port 8000… +GET /push 200 1493 - 11.075 ms +Data to compare (request-target): post /push/inbox +host: :8000 +date: Mon, 13 Feb 2023 14:44:32 GMT +digest: SHA-256=3TGS+O9ajWB71TSN6Tm5IBVBizH35dxrE1wDw7LAw9Y= +Error: Invalid request signature. + at verify (file:///home/alice/activitypub-starter-kit-alternate_port/build/request.js:123:15) + at processTicksAndRejections (node:internal/process/task_queues:96:5) + at async file:///home/alice/activitypub-starter-kit-alternate_port/build/activitypub.js:36:16 +POST /push/inbox 401 12 - 616.413 ms +``` + +[![use-the-source](https://img.shields.io/badge/use%20the-source-blueviolet)](https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0000_easter_eggs.md#use-the-source-) + +```console +$ git grep FDQN +src/index.ts:7:import { ADMIN_USERNAME, ADMIN_PASSWORD, ACCOUNT, HOSTNAME, PORT, PROTO, FDQN } from "./env.js"; +src/index.ts:78:const endpoint: string = (FDQN != null ? FDQN: `${HOSTNAME}:${PORT}`); +``` + +```typescript + else if (FDQN != null && header === "host") + return `host: ${FDQN}`; +``` + +- Downstream + +```console +$ curl -ku alice:$(cat ../password) -X POST -v http://localhost:8000/admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https +* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1' +* Trying 127.0.0.1:8000... +* TCP_NODELAY set +* Connected to localhost (127.0.0.1) port 8000 (#0) +* Server auth using Basic with user 'alice' +> POST /admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https HTTP/1.1 +> Host: localhost:8000 +> Authorization: Basic YWxpY2U6ODkyZTI1Y2MwMTMzYTcwYTEzMzRlYTIyNmQ2NDNkNTNhMDRjYzc5MDIwOWM0MzY1ZTUwMzA2Mjc3MGVmZTdmOWVlM2M3MDI4OWNlODdiYzJmZThiYzE2NGNlNTQxYTYx +> User-Agent: curl/7.68.0 +> Accept: */* +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 204 No Content +< X-Powered-By: Express +< ETag: W/"a-bAsFyilMr4Ra1hIU5PyoyFRunpI" +< Date: Mon, 13 Feb 2023 14:50:51 GMT +< Connection: keep-alive +< Keep-Alive: timeout=5 +< +* Connection #0 to host localhost left intact +``` + +- Upstream + +``` +Dumbo listening on port 8000… +GET /push 200 1493 - 7.432 ms +Data to compare (request-target): post /push/inbox +host: vcs.activitypub.securitytxt.dffml.chadig.com +date: Mon, 13 Feb 2023 14:50:49 GMT +digest: SHA-256=4byRebHbzxk6BlJopQYVQcI+9YiHojWKhaI2S0J8w68= +Data to sign (request-target): post /alice/inbox +host: d30a15e2d986dc.lhr.life +date: Mon, 13 Feb 2023 14:50:50 GMT +digest: SHA-256=QOPUiXd5oq6u0i+DNQu9TZRIydnRewGdlN1eoiaEsKs= +GET /push 200 1493 - 1.654 ms +POST /push/inbox 204 - - 1557.550 ms +``` + +- 🚀 BOOYAH BABY WE HAVE LIFTOFF! 🛤️🛤️🛤️🛤️🛤️🛤️🛤️ +- Rebase and cleanup + - `HEAD` is 6 commits, at 9d16b1fe04b5e880be59d6fcddde698cfd036b2f +- Redeploy upstream + +```console +$ curl -sfL https://github.com/pdxjohnny/activitypub-starter-kit/archive/refs/heads/alternate_port.tar.gz | tar xvz +$ cd activitypub-starter-kit-alternate_port +$ cat > .env <<'EOF' +# The Node environment +NODE_ENV="production" + +# The path to the database schema +SCHEMA_PATH="db/schema.sql" + +# The path to the database file +DATABASE_PATH="db/database.sqlite3" + +# The hostname (i.e. the "example.com" part of https://example.com/alice) +HOSTNAME="vcs.activitypub.securitytxt.dffml.chadig.com" + +# The account name (i.e. the "alice" part of https://example.com/alice) +ACCOUNT="push" +EOF +$ npm i +$ head -n 10000 /dev/urandom | sha384sum | awk '{print $1}' | tee ../webhook +$ head -n 10000 /dev/urandom | sha384sum | awk '{print $1}' | tee ../password +$ openssl genrsa -out keypair.pem 4096 && openssl rsa -in keypair.pem -pubout -out publickey.crt && openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key +$ mkdir node_modules/@types/simple-proxy-agent/ +$ echo "declare module 'simple-proxy-agent';" | tee node_modules/@types/simple-proxy-agent/index.d.ts +$ npm run build +$ FDQN=vcs.activitypub.securitytxt.dffml.chadig.com WEBHOOK_PATH=$(cat ../webhook) NODE_ENV=production PORT=8000 ACCOUNT=push ADMIN_USERNAME=admin ADMIN_PASSWORD=$(cat ../password) PUBLIC_KEY=$(cat publickey.crt) PRIVATE_KEY=$(cat pkcs8.key) npm run start + +> dumbo@1.0.0 start +> node build/index.js + +Dumbo listening on port 8000… +GET /push 200 1493 - 8.201 ms +GET /push 200 1493 - 1.200 ms +POST /push/inbox 204 - - 1583.186 ms +``` + +- Redeploy downstream and send follow request + +```console +$ rm -f db/database.sqlite3; ssh -R 80:localhost:8000 nokey@localhost.run 2>&1 | tee >(grep --line-buffered 'tunneled with tls termination' | awk -W interactive '{print $1}' | xargs -l -I '{}' -- sh -c 'reset; echo "{}"; PROTO=https FDQN="{}" WEBHOOK_PATH=$(cat ../webhook) NODE_ENV=production PORT=8000 ACCOUNT=alice ADMIN_USERNAME=alice ADMIN_PASSWORD=$(cat ../password) PUBLIC_KEY=$(cat publickey.crt) PRIVATE_KEY=$(cat pkcs8.key) npm run start & +c4d2dfa777b86f.lhr.life + +> dumbo@1.0.0 start +> node build/index.js + +Dumbo listening on port 8000… +GET /alice 200 1354 - 2.530 ms +GET /alice 200 1354 - 0.895 ms +POST /alice/inbox 204 - - 71.294 ms +POST /admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https 204 - - 3183.157 ms +$ curl -ku alice:$(cat ../password) -X POST -v http://localhost:8000/admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https +$ websocat --exit-on-eof --basic-auth alice:$(cat ../password) ws://localhost:8000/listen/websocket +``` + +- Create post on upstream + +```console +$ cat > post.json <<'EOF' +{ + "object": { + "type": "Note", + "content": "OUR PROPHECY MUST BE FULFILLED!!! https://github.com/intel/dffml/pull/1401#issuecomment-1168023959" + } +} +EOF +$ curl -u admin:$(cat ../password) -X POST --header "Content-Type: application/json" --data @post.json -v http://localhost:8000/admin/create +POST /admin/create 204 - - 133.004 ms +file:///home/alice/activitypub-starter-kit-alternate_port/build/request.js:19 + throw new Error(`Received ${res.status} fetching actor. Body: ${response_body}`); + ^ + +Error: Received 503 fetching actor. Body: no ssh tunnel here :( + at fetchActor (file:///home/alice/activitypub-starter-kit-alternate_port/build/request.js:19:15) + at processTicksAndRejections (node:internal/process/task_queues:96:5) + at async send (file:///home/alice/activitypub-starter-kit-alternate_port/build/request.js:31:19) +``` + +- Restarted the ssh tunnel and followed again + - Response seen from downstream websocket listener + +```json +{ + "@context": "https://www.w3.org/ns/activitystreams", + "type": "Create", + "published": "2023-02-13T15:39:08.628Z", + "actor": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push", + "to": [ + "https://www.w3.org/ns/activitystreams#Public" + ], + "cc": [ + "https://eb62a3437cf6a9.lhr.life/alice" + ], + "object": { + "attributedTo": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push", + "published": "2023-02-13T15:39:08.628Z", + "to": [ + "https://www.w3.org/ns/activitystreams#Public" + ], + "cc": [ + "https://vcs.activitypub.securitytxt.dffml.chadig.com/push/followers" + ], + "type": "Note", + "content": "OUR PROPHECY MUST BE FULFILLED!!! https://github.com/intel/dffml/pull/1401#issuecomment-1168023959", + "id": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push/posts/15f4de9c-a582-4f9d-8372-a740a5ffe6a8" + }, + "id": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push/posts/58f883cd-0252-4319-a934-3ca2eb062f62" +} +``` + +- MOTHERFUCKER FUCK YES FUCK YES FUCK YES FUCK YES!!!!!!! + - [![hack-the-planet](https://img.shields.io/badge/hack%20the-planet-blue)](https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0000_easter_eggs.md#hack-the-planet-) + +![hack-the-planet-hackers-gif](https://user-images.githubusercontent.com/5950433/191852910-73787361-b00c-4618-bc5e-f32d656bbf0f.gif) + +- TODO + - [x] POC CI/CD/AI/Human comms 🛤️🛤️🛤️🛤️🛤️🛤️🛤️ + --- - The Open Architecture (Alice) sits at the interesction of CI/CD, Security, and AI/ML. From a6b2c95683fd3ef6cc5d9a2371b29fc6cc74ba7f Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 13 Feb 2023 08:07:22 -0800 Subject: [PATCH 026/120] Update openssf_metrics.md --- openssf_metrics.md | 66 +--------------------------------------------- 1 file changed, 1 insertion(+), 65 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 7ad947d..af92440 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -387,71 +387,7 @@ graph BT end ``` -## 2023-02-13 @pdxjohnny Engineering Logs - -- Downstream request - -``` -Data to sign (request-target): post /push/inbox -host: vcs.activitypub.securitytxt.dffml.chadig.com -date: Mon, 13 Feb 2023 14:38:08 GMT -digest: SHA-256=xvQlt8xT5UzECmeLhU94qWLWL6hHug6smeMqgqEihTE= -``` - -- Upstream verification - -``` -Data to compare (request-target): post /push/inbox -host: vcs.activitypub.securitytxt.dffml.chadig.com:80 -date: Mon, 13 Feb 2023 14:38:08 GMT -digest: SHA-256=xvQlt8xT5UzECmeLhU94qWLWL6hHug6smeMqgqEihTE= -Error: Invalid request signature. -``` - -- It was the port on `host` -- Within `src/request.ts:verify()` it's not using the FDQN, it's using the - `Host` header which will be modified by the reverse proxy. - -```typescript -return `${header}: ${req.get(header)}` -``` - -- https://caddyserver.com/docs/quick-starts/reverse-proxy#reverse-proxy-quick-start - - https://caddyserver.com/docs/command-line#reverse-proxy - - > `--change-host-header` will cause Caddy to change the Host header from the incoming value to the address of the upstream. - - Not it rebuilds `host` within `verify()` to just be `:8000`, not what we want, we want the `FDQN` - -```console -$ FDQN=vcs.activitypub.securitytxt.dffml.chadig.com WEBHOOK_PATH=$(cat ../webhook) NODE_ENV=production PORT=8000 ACCOUNT=push ADMIN_USERNAME=admin ADMIN_PASSWORD=$(cat ../password) PUBLIC_KEY=$(cat publickey.crt) PRIVATE_KEY=$(cat pkcs8.key) npm run start - -> dumbo@1.0.0 start -> node build/index.js - -Dumbo listening on port 8000… -GET /push 200 1493 - 11.075 ms -Data to compare (request-target): post /push/inbox -host: :8000 -date: Mon, 13 Feb 2023 14:44:32 GMT -digest: SHA-256=3TGS+O9ajWB71TSN6Tm5IBVBizH35dxrE1wDw7LAw9Y= -Error: Invalid request signature. - at verify (file:///home/alice/activitypub-starter-kit-alternate_port/build/request.js:123:15) - at processTicksAndRejections (node:internal/process/task_queues:96:5) - at async file:///home/alice/activitypub-starter-kit-alternate_port/build/activitypub.js:36:16 -POST /push/inbox 401 12 - 616.413 ms -``` - -[![use-the-source](https://img.shields.io/badge/use%20the-source-blueviolet)](https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0000_easter_eggs.md#use-the-source-) - -```console -$ git grep FDQN -src/index.ts:7:import { ADMIN_USERNAME, ADMIN_PASSWORD, ACCOUNT, HOSTNAME, PORT, PROTO, FDQN } from "./env.js"; -src/index.ts:78:const endpoint: string = (FDQN != null ? FDQN: `${HOSTNAME}:${PORT}`); -``` - -```typescript - else if (FDQN != null && header === "host") - return `host: ${FDQN}`; -``` +--- - Downstream From 2d7d48efba01de89cd2e072dc1e30d7473f4f472 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 13 Feb 2023 08:08:51 -0800 Subject: [PATCH 027/120] Update openssf_metrics.md Alice Engineering Comms 2023-02-13 Engineering Logs: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4958860 --- openssf_metrics.md | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index af92440..595fc12 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -432,7 +432,6 @@ GET /push 200 1493 - 1.654 ms POST /push/inbox 204 - - 1557.550 ms ``` -- 🚀 BOOYAH BABY WE HAVE LIFTOFF! 🛤️🛤️🛤️🛤️🛤️🛤️🛤️ - Rebase and cleanup - `HEAD` is 6 commits, at 9d16b1fe04b5e880be59d6fcddde698cfd036b2f - Redeploy upstream @@ -505,14 +504,6 @@ $ cat > post.json <<'EOF' EOF $ curl -u admin:$(cat ../password) -X POST --header "Content-Type: application/json" --data @post.json -v http://localhost:8000/admin/create POST /admin/create 204 - - 133.004 ms -file:///home/alice/activitypub-starter-kit-alternate_port/build/request.js:19 - throw new Error(`Received ${res.status} fetching actor. Body: ${response_body}`); - ^ - -Error: Received 503 fetching actor. Body: no ssh tunnel here :( - at fetchActor (file:///home/alice/activitypub-starter-kit-alternate_port/build/request.js:19:15) - at processTicksAndRejections (node:internal/process/task_queues:96:5) - at async send (file:///home/alice/activitypub-starter-kit-alternate_port/build/request.js:31:19) ``` - Restarted the ssh tunnel and followed again @@ -547,14 +538,8 @@ Error: Received 503 fetching actor. Body: no ssh tunnel here :( } ``` -- MOTHERFUCKER FUCK YES FUCK YES FUCK YES FUCK YES!!!!!!! - - [![hack-the-planet](https://img.shields.io/badge/hack%20the-planet-blue)](https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0000_easter_eggs.md#hack-the-planet-) - ![hack-the-planet-hackers-gif](https://user-images.githubusercontent.com/5950433/191852910-73787361-b00c-4618-bc5e-f32d656bbf0f.gif) -- TODO - - [x] POC CI/CD/AI/Human comms 🛤️🛤️🛤️🛤️🛤️🛤️🛤️ - --- - The Open Architecture (Alice) sits at the interesction of CI/CD, Security, and AI/ML. From aeb8cfd55a7f48a40964319fa54958cedf0ab18d Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 13 Feb 2023 11:23:40 -0800 Subject: [PATCH 028/120] Update openssf_metrics.md --- openssf_metrics.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 595fc12..99d4902 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -15,8 +15,6 @@ ad-hoc formed policy as desired by end-user. A methodology allowing organizations to nominate security contact points and policies via ActivityPub Actors. -> This proposal was first made public on January 30, 2023 and is is currently a draft. We welcome comments and feedback! To make suggestions please comment via ActivityPub inReplyTo https://mastodon.social/@pdxjohnny/109804930974811967. Thank you for your interest! - VEX documents should be aligned with the either the https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html or OpenVEX specs: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex. We can then communicate the IDs via ActivityPub like so. - References From 8cc3a57a1d5d86d27af28e38b5f4d6f93f165ae0 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 13 Feb 2023 11:24:00 -0800 Subject: [PATCH 029/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 99d4902..3846b31 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -624,6 +624,7 @@ confidential compute or traditional permissions is impelmenetation details. - https://github.com/transmute-industries/did-eqt/blob/main/docs/did-eqt-opa-primer.md#securing-did-method-operations-with-opa - https://datatracker.ietf.org/doc/html/draft-birkholz-scitt-architecture - https://www.w3.org/2022/07/pressrelease-did-rec.html.en + - https://mastodon.social/@pdxjohnny/109804930974811967 - https://docs.microsoft.com/en-us/azure/confidential-ledger/architecture - In search of more easy options to faciliate public/private hybrid chains of supply chain data. ideally OSS (SSI Service?). From 3327f53dd5412ba76aa972e70eb14cd167e4e205 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 13 Feb 2023 20:08:03 -0800 Subject: [PATCH 030/120] Update openssf_metrics.md --- openssf_metrics.md | 1 - 1 file changed, 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 3846b31..591a040 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -681,7 +681,6 @@ confidential compute or traditional permissions is impelmenetation details. - This will probably be part of Alice and the Health of the Ecosystem - Ask him to reply to `@acquire@time.crystals.prophecy.chadig.com` - ActivityPub Actor watches for messages replying to certain threads - - https://github.com/pdxjohnny/activitypubsecuritytxt - Actor creates pull request to https://github.com/OR13/endor style repo - Actor creates didme.me and gets VC SCITT receipt for associated `did:pwk:` (committed into Endor fork, he'd used git as database) - This could also be our content address of something in oras.land From 17182b63abbd8952ac0868f621395dddc75a1715 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 13 Feb 2023 21:54:58 -0800 Subject: [PATCH 031/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 591a040..e06bbc7 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -14,6 +14,8 @@ ad-hoc formed policy as desired by end-user. ## activitypub extensions for security.txt A methodology allowing organizations to nominate security contact points and policies via ActivityPub Actors. +This allows for notifications to be federated of new lifecycle events. These lifecycle events might be +VEX, SBOM, CSAF security advisory information, repository events, etc. VEX documents should be aligned with the either the https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html or OpenVEX specs: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex. We can then communicate the IDs via ActivityPub like so. From 400f1d32c893338242fce198fad1bb9f798e6e14 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 13 Feb 2023 22:52:53 -0800 Subject: [PATCH 032/120] Update openssf_metrics.md --- openssf_metrics.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index e06bbc7..d702eea 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -8,8 +8,10 @@ ad-hoc formed policy as desired by end-user. - [service: sw: src: change: notify: Service to facilitate poly repo pull model dev tooling: activitypubsecuritytxt](https://github.com/intel/dffml/issues/1315#issuecomment-1416392795) - Reproduced below - - We first way to distribute VEX. - - Later interop with Aradine's Rapunzel +- We seek interop with Aradine's Rapunzel +- The Agora: a Knowledge Commons + - https://docs.google.com/document/d/1DXJRDh9Ss5VCRBi3oirDw9d7yjn3H2hMqfN2ETTyjIc/edit# + - We seek interop with the Agora ## activitypub extensions for security.txt From 42b78694aa60be07da74868cb4fae9bf548c7963 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 13:05:01 -0800 Subject: [PATCH 033/120] Update openssf_metrics.md --- openssf_metrics.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index d702eea..2fcd250 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -695,3 +695,9 @@ confidential compute or traditional permissions is impelmenetation details. - Later we build up the threat modeling for the dynamic analysis portion of Alice which plays with input data as changes to repos and connects more of our Data, Analysis, Control for the software development process. - Actor replies to Orie's reply with his receipt for his time crystals. - For k8s style or OS DecentAlice style deployments (OSS scanning feeding OpenSSF metrics) we could run the graphed trust / event chain to a sidecar ActivityPub Actor / root of trust. + +--- + +- RCFv1 Feedback + - https://mailarchive.ietf.org/arch/msg/scitt/dowMkmWhbi9Pkq6B5DhdXzip0so/ + - > Mike: I'm curious to understand this more in detail. I think so far we've been thinking about the term federation as accepting SCITT claims/receipts from one transparency service in another transparency service, based on some policy. I think what you're describing is more about subscriptions/broadcasting/... Can you describe a little more on how you see this working in a SCITT transparency service? It might be that this is something that sits outside of it, but I'm not fully sure yet, so I wanted to understand it better first. From 80c20efe17d77815ac4456f038659d91d69f22e6 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 13:06:24 -0800 Subject: [PATCH 034/120] Update openssf_metrics.md --- openssf_metrics.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 2fcd250..0094c95 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -701,3 +701,9 @@ confidential compute or traditional permissions is impelmenetation details. - RCFv1 Feedback - https://mailarchive.ietf.org/arch/msg/scitt/dowMkmWhbi9Pkq6B5DhdXzip0so/ - > Mike: I'm curious to understand this more in detail. I think so far we've been thinking about the term federation as accepting SCITT claims/receipts from one transparency service in another transparency service, based on some policy. I think what you're describing is more about subscriptions/broadcasting/... Can you describe a little more on how you see this working in a SCITT transparency service? It might be that this is something that sits outside of it, but I'm not fully sure yet, so I wanted to understand it better first. + - Sketch response notes + - Open Policy Agent + - JSONLD + - Cypher + - Verfiable Credentials + - https://github.com/transmute-industries/jsonld-to-cypher From d227fc88c10186a2cc0ee9af950313b13bb0f15f Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 13:07:49 -0800 Subject: [PATCH 035/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 0094c95..7c45936 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -707,3 +707,5 @@ confidential compute or traditional permissions is impelmenetation details. - Cypher - Verfiable Credentials - https://github.com/transmute-industries/jsonld-to-cypher + - > SCITT claims/receipts from one transparency service in another transparency service, based on some policy + - Policy as compute contract, exec result determines entry of broadcast/subscribed syned SCITT instances (OSS projects, 2nd party, walled gardens) From 0647a885708f0e2d3f2e84b002d4a0e2e44e4a3b Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 13:09:02 -0800 Subject: [PATCH 036/120] Update openssf_metrics.md --- openssf_metrics.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 7c45936..1d4ef7d 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -708,4 +708,5 @@ confidential compute or traditional permissions is impelmenetation details. - Verfiable Credentials - https://github.com/transmute-industries/jsonld-to-cypher - > SCITT claims/receipts from one transparency service in another transparency service, based on some policy - - Policy as compute contract, exec result determines entry of broadcast/subscribed syned SCITT instances (OSS projects, 2nd party, walled gardens) + - Policy as compute contract, exec result determines entry of broadcast/subscribed syned SCITT instances (OSS projects, 2nd party, walled gardens) + - Can use this methodlolgy to broadcast those policies to topics via inReplyTo or later maybe service endpoint (as relay compute contact via did:oa) From 459e544e86f2433165f6b54d8c9a20da7d8d4458 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 13:10:24 -0800 Subject: [PATCH 037/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 1d4ef7d..742f35c 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -710,3 +710,5 @@ confidential compute or traditional permissions is impelmenetation details. - > SCITT claims/receipts from one transparency service in another transparency service, based on some policy - Policy as compute contract, exec result determines entry of broadcast/subscribed syned SCITT instances (OSS projects, 2nd party, walled gardens) - Can use this methodlolgy to broadcast those policies to topics via inReplyTo or later maybe service endpoint (as relay compute contact via did:oa) + - TDX self attest/DICE style layering where we wrap the receipt with the proposed insersion policy (hmm, wait, edit this) + - https://github.com/TrustedComputingGroup/DICE From a1db5ee622820b59845939a3490df9c584d286f2 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 13:11:06 -0800 Subject: [PATCH 038/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 742f35c..5392f9b 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -712,3 +712,4 @@ confidential compute or traditional permissions is impelmenetation details. - Can use this methodlolgy to broadcast those policies to topics via inReplyTo or later maybe service endpoint (as relay compute contact via did:oa) - TDX self attest/DICE style layering where we wrap the receipt with the proposed insersion policy (hmm, wait, edit this) - https://github.com/TrustedComputingGroup/DICE + - It's soemthign about the decentralized compute and the compute contract sandboxing to enable distributed trust propigation From 681d668a9d0415662d8952732c05c64c3840f7d5 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 13:12:28 -0800 Subject: [PATCH 039/120] Update openssf_metrics.md --- openssf_metrics.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 5392f9b..223380e 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -700,7 +700,7 @@ confidential compute or traditional permissions is impelmenetation details. - RCFv1 Feedback - https://mailarchive.ietf.org/arch/msg/scitt/dowMkmWhbi9Pkq6B5DhdXzip0so/ - - > Mike: I'm curious to understand this more in detail. I think so far we've been thinking about the term federation as accepting SCITT claims/receipts from one transparency service in another transparency service, based on some policy. I think what you're describing is more about subscriptions/broadcasting/... Can you describe a little more on how you see this working in a SCITT transparency service? It might be that this is something that sits outside of it, but I'm not fully sure yet, so I wanted to understand it better first. + - > Maik: I'm curious to understand this more in detail. I think so far we've been thinking about the term federation as accepting SCITT claims/receipts from one transparency service in another transparency service, based on some policy. I think what you're describing is more about subscriptions/broadcasting/... Can you describe a little more on how you see this working in a SCITT transparency service? It might be that this is something that sits outside of it, but I'm not fully sure yet, so I wanted to understand it better first. - Sketch response notes - Open Policy Agent - JSONLD @@ -710,6 +710,6 @@ confidential compute or traditional permissions is impelmenetation details. - > SCITT claims/receipts from one transparency service in another transparency service, based on some policy - Policy as compute contract, exec result determines entry of broadcast/subscribed syned SCITT instances (OSS projects, 2nd party, walled gardens) - Can use this methodlolgy to broadcast those policies to topics via inReplyTo or later maybe service endpoint (as relay compute contact via did:oa) - - TDX self attest/DICE style layering where we wrap the receipt with the proposed insersion policy (hmm, wait, edit this) + - TDX self attest/DICE style layering where we wrap the receipt with the proposed insersion policy - https://github.com/TrustedComputingGroup/DICE - It's soemthign about the decentralized compute and the compute contract sandboxing to enable distributed trust propigation From 87300dbbb69ccff38b7c174d65446a53e7294f1c Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 13:14:05 -0800 Subject: [PATCH 040/120] Update openssf_metrics.md --- openssf_metrics.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 223380e..2b4fca9 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -712,4 +712,5 @@ confidential compute or traditional permissions is impelmenetation details. - Can use this methodlolgy to broadcast those policies to topics via inReplyTo or later maybe service endpoint (as relay compute contact via did:oa) - TDX self attest/DICE style layering where we wrap the receipt with the proposed insersion policy - https://github.com/TrustedComputingGroup/DICE - - It's soemthign about the decentralized compute and the compute contract sandboxing to enable distributed trust propigation + - Something about the decentralized compute and the compute contract sandboxing to enable distributed trust propagation + - Something about it being recursive From 032295342db2ac5724a6808fd1ad09afa679ffcb Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 13:51:06 -0800 Subject: [PATCH 041/120] Update openssf_metrics.md --- openssf_metrics.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 2b4fca9..6d093cd 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -714,3 +714,13 @@ confidential compute or traditional permissions is impelmenetation details. - https://github.com/TrustedComputingGroup/DICE - Something about the decentralized compute and the compute contract sandboxing to enable distributed trust propagation - Something about it being recursive + - https://mailarchive.ietf.org/arch/msg/scitt/5SDINK63mr1BWX-BzbcsvalVLOA/ + - > As part of this service offering example.com only allows artifacts to be + > added to the ledger by government customers who paid for the service. + > Example.com also requires a certain level of identity proofing and + > multi-factor authentication because it offers sensitive services to + > their government customers. Auditors require an even high level of + > identity proofing and authentication. + > + > This policy of example.com is dictated by their business model and is + > outside the scope of what the IETF SCITT will define. From ded9e64d0ec78efa1e45470ac285f1b6519bcb7b Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 13:52:19 -0800 Subject: [PATCH 042/120] Update openssf_metrics.md --- openssf_metrics.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 6d093cd..19249fe 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -724,3 +724,6 @@ confidential compute or traditional permissions is impelmenetation details. > > This policy of example.com is dictated by their business model and is > outside the scope of what the IETF SCITT will define. + - https://mailarchive.ietf.org/arch/msg/scitt/cgz-9oif4SLMbdLyPn0P6-E8cIY/ + - > This is interesting - many thanks Hannes. I notice our spec includes Merkle trees as the database structure - seems like an implementation detail, i.e. just a database. Can an implementer use, for example, an otherwise secured and RBAC'd record structure such as a file system or relational/hierarchical/sharded db, or is distributed ledger mandatory? + - [df: overlay: Implement middleware/RBAC chains of ordered applications of overlays #1400](https://github.com/intel/dffml/issues/1400) From 9388e17173143f20ffd28b4128495a25f75b19a3 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 15:08:52 -0800 Subject: [PATCH 043/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 19249fe..899eb54 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -713,6 +713,7 @@ confidential compute or traditional permissions is impelmenetation details. - TDX self attest/DICE style layering where we wrap the receipt with the proposed insersion policy - https://github.com/TrustedComputingGroup/DICE - Something about the decentralized compute and the compute contract sandboxing to enable distributed trust propagation + - The AI travel in sandboxes - Something about it being recursive - https://mailarchive.ietf.org/arch/msg/scitt/5SDINK63mr1BWX-BzbcsvalVLOA/ - > As part of this service offering example.com only allows artifacts to be From 31e32cce66b2239f0173c8f9075324420d38c1e0 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 15:10:54 -0800 Subject: [PATCH 044/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 899eb54..2a855d4 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -714,6 +714,7 @@ confidential compute or traditional permissions is impelmenetation details. - https://github.com/TrustedComputingGroup/DICE - Something about the decentralized compute and the compute contract sandboxing to enable distributed trust propagation - The AI travel in sandboxes + - What's the sandbox? The policy here, what's the policy? The compute contract defining what the schema?+OPA?+cypher and what are the content addresses of the upstream contracts needed to fulfill the query - Something about it being recursive - https://mailarchive.ietf.org/arch/msg/scitt/5SDINK63mr1BWX-BzbcsvalVLOA/ - > As part of this service offering example.com only allows artifacts to be From ce00b672698e44c76280d70baf95b62cf930942c Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 15:45:42 -0800 Subject: [PATCH 045/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 2a855d4..58ac87e 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -715,6 +715,7 @@ confidential compute or traditional permissions is impelmenetation details. - Something about the decentralized compute and the compute contract sandboxing to enable distributed trust propagation - The AI travel in sandboxes - What's the sandbox? The policy here, what's the policy? The compute contract defining what the schema?+OPA?+cypher and what are the content addresses of the upstream contracts needed to fulfill the query + - The goal with the SCITT federation via ActivityPub is that it's a step towards the event stream being all JSONLD. Then audit and policy are effectively all done with definitions within DID referenced Verifiable Credentials. These encapsulate a receipt for a valid context address of a compute contract. That contract fulfils fetching or generating whatever data is needed and executes within a sandboxed environment. https://github.com/transmute-industries/jsonld-to-cypher - Something about it being recursive - https://mailarchive.ietf.org/arch/msg/scitt/5SDINK63mr1BWX-BzbcsvalVLOA/ - > As part of this service offering example.com only allows artifacts to be From c618092fcca1280ef74c4ae07dd3616d508cfa36 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 15:48:05 -0800 Subject: [PATCH 046/120] Update openssf_metrics.md --- openssf_metrics.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 58ac87e..7744810 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -716,6 +716,9 @@ confidential compute or traditional permissions is impelmenetation details. - The AI travel in sandboxes - What's the sandbox? The policy here, what's the policy? The compute contract defining what the schema?+OPA?+cypher and what are the content addresses of the upstream contracts needed to fulfill the query - The goal with the SCITT federation via ActivityPub is that it's a step towards the event stream being all JSONLD. Then audit and policy are effectively all done with definitions within DID referenced Verifiable Credentials. These encapsulate a receipt for a valid context address of a compute contract. That contract fulfils fetching or generating whatever data is needed and executes within a sandboxed environment. https://github.com/transmute-industries/jsonld-to-cypher + - This means that we can always do "one hop" analysis from this format set (DID+VC aka LDVC2) + - [util: testing: manifest: shim: Initial commit intel/dffml#1273](https://github.com/intel/dffml/pull/1273) + - Alice status update - Something about it being recursive - https://mailarchive.ietf.org/arch/msg/scitt/5SDINK63mr1BWX-BzbcsvalVLOA/ - > As part of this service offering example.com only allows artifacts to be From 5ee8d2ec6340ec1e83f01b33cec7b315790064e8 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 17:13:01 -0800 Subject: [PATCH 047/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 7744810..04a8efe 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -713,7 +713,7 @@ confidential compute or traditional permissions is impelmenetation details. - TDX self attest/DICE style layering where we wrap the receipt with the proposed insersion policy - https://github.com/TrustedComputingGroup/DICE - Something about the decentralized compute and the compute contract sandboxing to enable distributed trust propagation - - The AI travel in sandboxes + - The AI travel in sandboxes. This is how Alice surfs the hypergraph. 🏄‍♀️ - What's the sandbox? The policy here, what's the policy? The compute contract defining what the schema?+OPA?+cypher and what are the content addresses of the upstream contracts needed to fulfill the query - The goal with the SCITT federation via ActivityPub is that it's a step towards the event stream being all JSONLD. Then audit and policy are effectively all done with definitions within DID referenced Verifiable Credentials. These encapsulate a receipt for a valid context address of a compute contract. That contract fulfils fetching or generating whatever data is needed and executes within a sandboxed environment. https://github.com/transmute-industries/jsonld-to-cypher - This means that we can always do "one hop" analysis from this format set (DID+VC aka LDVC2) From 7f9bdd6807f4f4ac8b989d32ba3194daebf9dc56 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 17:19:18 -0800 Subject: [PATCH 048/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 04a8efe..cd2742b 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -713,7 +713,7 @@ confidential compute or traditional permissions is impelmenetation details. - TDX self attest/DICE style layering where we wrap the receipt with the proposed insersion policy - https://github.com/TrustedComputingGroup/DICE - Something about the decentralized compute and the compute contract sandboxing to enable distributed trust propagation - - The AI travel in sandboxes. This is how Alice surfs the hypergraph. 🏄‍♀️ + - The AI travel in sandboxes. This is how Alice surfs the hypergraph. 🏄‍♀️ It's like ePBF but IPVM but as k8s admission controller but on scitt /inbox - What's the sandbox? The policy here, what's the policy? The compute contract defining what the schema?+OPA?+cypher and what are the content addresses of the upstream contracts needed to fulfill the query - The goal with the SCITT federation via ActivityPub is that it's a step towards the event stream being all JSONLD. Then audit and policy are effectively all done with definitions within DID referenced Verifiable Credentials. These encapsulate a receipt for a valid context address of a compute contract. That contract fulfils fetching or generating whatever data is needed and executes within a sandboxed environment. https://github.com/transmute-industries/jsonld-to-cypher - This means that we can always do "one hop" analysis from this format set (DID+VC aka LDVC2) From 8eaf96e00be81cf6b788909a5e8621939cfb2f53 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 21:18:48 -0800 Subject: [PATCH 049/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index cd2742b..2e44323 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -720,6 +720,7 @@ confidential compute or traditional permissions is impelmenetation details. - [util: testing: manifest: shim: Initial commit intel/dffml#1273](https://github.com/intel/dffml/pull/1273) - Alice status update - Something about it being recursive + - If your log inserted it and you want to federate that insertion to my log I want to know why you thought this was valid to insert. Tell me the scientific evidence Alice. What's the analysis report, why should that entry also get admission into my log. It's dynamic evaluation, so I can say based on my overlays okay I will take that receipt in my log based on that scientific method/process but due to this isntamces special overlays I won't take this other one. Maybe this is a recursion into the concept of a notary but required "self" notary required for that instances overlays applied to incoming receipt scientific processes / ipvm / data flow / open architecture. - https://mailarchive.ietf.org/arch/msg/scitt/5SDINK63mr1BWX-BzbcsvalVLOA/ - > As part of this service offering example.com only allows artifacts to be > added to the ledger by government customers who paid for the service. From 86d6c2bd8f682cce01d6403459c683465fb5e3e0 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Feb 2023 21:22:22 -0800 Subject: [PATCH 050/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 2e44323..3c67396 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -721,6 +721,8 @@ confidential compute or traditional permissions is impelmenetation details. - Alice status update - Something about it being recursive - If your log inserted it and you want to federate that insertion to my log I want to know why you thought this was valid to insert. Tell me the scientific evidence Alice. What's the analysis report, why should that entry also get admission into my log. It's dynamic evaluation, so I can say based on my overlays okay I will take that receipt in my log based on that scientific method/process but due to this isntamces special overlays I won't take this other one. Maybe this is a recursion into the concept of a notary but required "self" notary required for that instances overlays applied to incoming receipt scientific processes / ipvm / data flow / open architecture. + - Decentralized trust propagation + - why should this be in your internal CA set sort of thing, what's your roots of trust and how to we justify adds / removes / modifications and notify that we think it's in your best interest for you to also trust the propagation of this trust assertion - https://mailarchive.ietf.org/arch/msg/scitt/5SDINK63mr1BWX-BzbcsvalVLOA/ - > As part of this service offering example.com only allows artifacts to be > added to the ledger by government customers who paid for the service. From 67375f47f0d5f26e4ee24c1cb251f1ae05fd70b7 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 16 Feb 2023 06:56:15 -0800 Subject: [PATCH 051/120] Update openssf_metrics.md --- openssf_metrics.md | 124 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 3c67396..dcba4ac 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -80,6 +80,130 @@ graph TD end ``` +```mermaid +graph LR + + subgraph vcs_source[Version Controled Software] + subgraph dffml_vcs_source[dffml.git] + subgraph dffml_vcs_source_security_txt[security.txt] + dffml_vcs_source_security_txt_contact[Contact: https://example.org/dffml] + end + subgraph dffml_vcs_source_dockerfile[dffml.Dockerfile] + dffml_vcs_source_dockerfile_from_base[FROM upstream as dffml] + end + subgraph dffml_vcs_source_dockerfile_example[dffml.example.Dockerfile] + dffml_vcs_source_dockerfile_example_from_base[FROM dffml @ sha:latest] + end + subgraph vcs_source_alice[dffml.git/entities/alice] + subgraph alice_vcs_source_security_txt[security.txt] + alice_vcs_source_security_txt_contact[Contact: https://example.org/alice] + end + subgraph alice_vcs_source_dockerfile[alice.Dockerfile] + alice_vcs_source_dockerfile_from_base[FROM dffml @ sha:latest] + end + subgraph alice_vcs_source_dockerfile_shouldi_contribute[alice_shouldi_contribute.Dockerfile] + alice_vcs_source_dockerfile_shouldi_contribute_from_base[FROM alice @ sha:latest] + subgraph alice_shouldi_contribute[alice shoulid contribute -keys ARG_REPO_URL] + alice_shouldi_contribute_git_clone[git clone ...] + alice_shouldi_contribute_read_security_txt[grep Contact: security.txt] + alice_shouldi_contribute_result[Static Analysis Result] + + alice_shouldi_contribute_git_clone --> alice_shouldi_contribute_read_security_txt + dffml_vcs_source_security_txt_contact --> alice_shouldi_contribute_read_security_txt + alice_shouldi_contribute_read_security_txt --> alice_shouldi_contribute_result + end + end + end + end + end + + subgraph schema[Manifest ADRs] + subgraph manifest_build_images_contianers[Build Image Container] + manifest_build_images_contianers_intent[README.md/THREATS.md] + manifest_build_images_contianers_schema[1.0.0.schema.json] + end + end + + subgraph manifest_instances[Manifest Instances] + alice_manifest_build_images_contianers_alice_shouldi_contribute + end + + subgraph transparency_logs[Transparency Logs] + dffml_scitt[dffml.scitt.example.org] + alice_scitt[alice.scitt.example.org] + end + + subgraph factory[Secure Software Factories] + subgraph build_images_contianers[build_images_contianers.yml] + end + + subgraph factory_container_image_registries[Container Image Registry https://oras.land] + subgraph dffml_factory_container_image_registries_project[DFFML Images] + dffml_container_image[dffml:latest] + end + subgraph alice_factory_container_image_registries_project[Alice Images] + alice_container_image[alice:latest] + alice_shouldi_contribute_scan_results[shouldicontribute @ sha384:babebabe] + end + end + + build_images_contianers --> dffml_scitt + build_images_contianers --> alice_scitt + end + + subgraph protocol_knowledge_graph_activity_pub[ActivityPub] + subgraph ActivityPubExtensionsForSecurityTXT[activitypub extensions for security.txt] + subgraph dffml_security_txt_contact[dffml.git/security.txt:Contact] + dffml_actor[ActivityPub Actor - @ dffml @ example.org] + dffml_actor_attachment[Attachment PropertyValue activitypubsecuritytxt] + dffml_activitypubsecuritytxt_root_post[activitypubsecuritytxt root post] + dffml_activitypubsecuritytxt_vcs_push[vcs.push root post] + dffml_activitypubsecuritytxt_vcs_push_content[vcs.push content - content address of manifest instance in registry] + + dffml_actor --> dffml_dffml_actor_attachment + dffml_actor_attachment -->|Link| dffml_activitypubsecuritytxt_root_post + dffml_activitypubsecuritytxt_vcs_push -->|inReplyTo| dffml_activitypubsecuritytxt_root_post + dffml_activitypubsecuritytxt_vcs_push_content -->|inReplyTo| dffml_activitypubsecuritytxt_vcs_push + end + + subgraph alice_security_txt_contact[dffml.git/entites/alice/security.txt:Contact] + alice_actor[ActivityPub Actor - @ alice @ example.org] + alice_actor_attachment[Attachment PropertyValue activitypubsecuritytxt] + alice_activitypubsecuritytxt_root_post[activitypubsecuritytxt root post] + alice_activitypubsecuritytxt_vcs_push[vcs.push root post] + alice_activitypubsecuritytxt_vcs_push_content[vcs.push content - content address of manifest instance in registry] + + alice_actor --> alice_actor_attachment + alice_actor_attachment -->|Link| alice_activitypubsecuritytxt_root_post + alice_activitypubsecuritytxt_vcs_push -->|inReplyTo| alice_activitypubsecuritytxt_root_post + alice_activitypubsecuritytxt_vcs_push_content -->|inReplyTo| alice_activitypubsecuritytxt_vcs_push + end + end + + alice_actor -->|follow| dffml_actor + end + + subgraph render_knowledge_graph_agora[Agora] + end + + alice_vcs_source_dockerfile_shouldi_contribute + + dffml_vcs_source_security_txt_contact --> dffml_actor + alice_vcs_source_security_txt_contact --> alice_actor + + alice_shouldi_contribute_result --> alice_shouldi_contribute_scan_results + alice_shouldi_contribute_scan_results --> |inReplyTo| dffml_vcs_source_dockerfile_example_from_base + + dffml_container_image --> dffml_vcs_source_dockerfile_example_from_base + alice_container_image --> alice_vcs_source_dockerfile_example_from_base + + dffml_vcs_source_dockerfile_example_from_base --> dffml_activitypubsecuritytxt_vcs_push + dffml_activitypubsecuritytxt_vcs_push --> build_images_contianers_trigger + alice_vcs_source_dockerfile_example_from_base --> alice_activitypubsecuritytxt_vcs_push + + alice_shouldi_contribute +``` + ```json { "@context": [ From a0798cec290ab80883c0e2b2e20d79e3df23f0ab Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 16 Feb 2023 07:41:57 -0800 Subject: [PATCH 052/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index dcba4ac..d67dd70 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -826,6 +826,7 @@ confidential compute or traditional permissions is impelmenetation details. - https://mailarchive.ietf.org/arch/msg/scitt/dowMkmWhbi9Pkq6B5DhdXzip0so/ - > Maik: I'm curious to understand this more in detail. I think so far we've been thinking about the term federation as accepting SCITT claims/receipts from one transparency service in another transparency service, based on some policy. I think what you're describing is more about subscriptions/broadcasting/... Can you describe a little more on how you see this working in a SCITT transparency service? It might be that this is something that sits outside of it, but I'm not fully sure yet, so I wanted to understand it better first. - Sketch response notes + - Policy as code, but sometimes it needs to execute because it's context aware, it's trying to decide for each piece of data that's pubsub'd for federation, does this SCITT instance want to be serving that trust assertion - Open Policy Agent - JSONLD - Cypher From 70331d8e035b1330dc94a61812d20df951217cb7 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 16 Feb 2023 10:14:15 -0800 Subject: [PATCH 053/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index d67dd70..4dd7348 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -848,6 +848,8 @@ confidential compute or traditional permissions is impelmenetation details. - If your log inserted it and you want to federate that insertion to my log I want to know why you thought this was valid to insert. Tell me the scientific evidence Alice. What's the analysis report, why should that entry also get admission into my log. It's dynamic evaluation, so I can say based on my overlays okay I will take that receipt in my log based on that scientific method/process but due to this isntamces special overlays I won't take this other one. Maybe this is a recursion into the concept of a notary but required "self" notary required for that instances overlays applied to incoming receipt scientific processes / ipvm / data flow / open architecture. - Decentralized trust propagation - why should this be in your internal CA set sort of thing, what's your roots of trust and how to we justify adds / removes / modifications and notify that we think it's in your best interest for you to also trust the propagation of this trust assertion + - Decentralized dependency review - hence Open SSF Metrics use case + - Open Source maintiners general attidute: If you're going to tell my open source project what I should or should not do (use as a dependency) you better tell me why, or else you can go fuck yourself - https://mailarchive.ietf.org/arch/msg/scitt/5SDINK63mr1BWX-BzbcsvalVLOA/ - > As part of this service offering example.com only allows artifacts to be > added to the ledger by government customers who paid for the service. From 5347301e461d29f82c4ffbfe4ee20ca597d1fe3c Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 16 Feb 2023 10:15:04 -0800 Subject: [PATCH 054/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 4dd7348..22087bb 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -850,6 +850,8 @@ confidential compute or traditional permissions is impelmenetation details. - why should this be in your internal CA set sort of thing, what's your roots of trust and how to we justify adds / removes / modifications and notify that we think it's in your best interest for you to also trust the propagation of this trust assertion - Decentralized dependency review - hence Open SSF Metrics use case - Open Source maintiners general attidute: If you're going to tell my open source project what I should or should not do (use as a dependency) you better tell me why, or else you can go fuck yourself + - https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0001_coach_alice/0007_cartographer_extraordinaire.md + - ref: [I am not a supplier, Thomas Depierre](https://www.softwaremaxims.com/blog/not-a-supplier) - https://mailarchive.ietf.org/arch/msg/scitt/5SDINK63mr1BWX-BzbcsvalVLOA/ - > As part of this service offering example.com only allows artifacts to be > added to the ledger by government customers who paid for the service. From ef204844482c5c748115f268c98bd4847965b9ca Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 16 Feb 2023 10:31:28 -0800 Subject: [PATCH 055/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 22087bb..6e36f93 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -849,7 +849,7 @@ confidential compute or traditional permissions is impelmenetation details. - Decentralized trust propagation - why should this be in your internal CA set sort of thing, what's your roots of trust and how to we justify adds / removes / modifications and notify that we think it's in your best interest for you to also trust the propagation of this trust assertion - Decentralized dependency review - hence Open SSF Metrics use case - - Open Source maintiners general attidute: If you're going to tell my open source project what I should or should not do (use as a dependency) you better tell me why, or else you can go fuck yourself + - Open Source maintiners general attidute: If you're going to tell my open source project what I should or should not do (use as a dependency) you better tell me why, or else the opne source repo / org SCITT we are propigating this to will deney based on it's execution of policy as code with it's overlays applied - https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0001_coach_alice/0007_cartographer_extraordinaire.md - ref: [I am not a supplier, Thomas Depierre](https://www.softwaremaxims.com/blog/not-a-supplier) - https://mailarchive.ietf.org/arch/msg/scitt/5SDINK63mr1BWX-BzbcsvalVLOA/ From c4c63f06f19b1825a03ad46a29776b3712544c3e Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 17 Feb 2023 07:21:12 -0800 Subject: [PATCH 056/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 6e36f93..8cd3287 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -840,7 +840,7 @@ confidential compute or traditional permissions is impelmenetation details. - Something about the decentralized compute and the compute contract sandboxing to enable distributed trust propagation - The AI travel in sandboxes. This is how Alice surfs the hypergraph. 🏄‍♀️ It's like ePBF but IPVM but as k8s admission controller but on scitt /inbox - What's the sandbox? The policy here, what's the policy? The compute contract defining what the schema?+OPA?+cypher and what are the content addresses of the upstream contracts needed to fulfill the query - - The goal with the SCITT federation via ActivityPub is that it's a step towards the event stream being all JSONLD. Then audit and policy are effectively all done with definitions within DID referenced Verifiable Credentials. These encapsulate a receipt for a valid context address of a compute contract. That contract fulfils fetching or generating whatever data is needed and executes within a sandboxed environment. https://github.com/transmute-industries/jsonld-to-cypher + - On of the goals with the SCITT federation via ActivityPub is that it's a step towards the event stream being all JSONLD. Then audit and policy are effectively all done with definitions within DID referenced Verifiable Credentials. These encapsulate a receipt for a claim which who's insertion policy is a (or a context address of) policy as code aka compute contract. That contract statically defines or fulfils fetching or generating whatever data is needed to validate for insertion or federation and executes within a sandboxed environment. These policies can be overlayed with instance local additional policy as code. We can then read this event stream from anywhere or graft new trust chains off of it. GAUC is awesome it's just centralized from what I can tell, which is perfect for a performant view into a decentralized ecosystem. I think the two will work great together. We're all thinking in the same directions from what I can tell, just different goals in terms of data sovereignty, GUAC-GPT on the centralized side, Alice on the decentralized side.. The reason for the heavy focus on decentralization is that it for CI/CD we need to be able to spin dev and test chains of trust ad-hoc, for the AI side, we need to spin them for offline use cases tied to the users root of trust, or viewed as the user + Intel via hardware root of trust. Decentralized primitives allow us to never be forced to trust any authority other than what the deployment use case needs, scoping privilege to the threat model. - This means that we can always do "one hop" analysis from this format set (DID+VC aka LDVC2) - [util: testing: manifest: shim: Initial commit intel/dffml#1273](https://github.com/intel/dffml/pull/1273) - Alice status update From 61769c1f5a43f2d36d4c31c2021b34c0e440a0bc Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 17 Feb 2023 07:23:48 -0800 Subject: [PATCH 057/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 8cd3287..95009bd 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -840,7 +840,7 @@ confidential compute or traditional permissions is impelmenetation details. - Something about the decentralized compute and the compute contract sandboxing to enable distributed trust propagation - The AI travel in sandboxes. This is how Alice surfs the hypergraph. 🏄‍♀️ It's like ePBF but IPVM but as k8s admission controller but on scitt /inbox - What's the sandbox? The policy here, what's the policy? The compute contract defining what the schema?+OPA?+cypher and what are the content addresses of the upstream contracts needed to fulfill the query - - On of the goals with the SCITT federation via ActivityPub is that it's a step towards the event stream being all JSONLD. Then audit and policy are effectively all done with definitions within DID referenced Verifiable Credentials. These encapsulate a receipt for a claim which who's insertion policy is a (or a context address of) policy as code aka compute contract. That contract statically defines or fulfils fetching or generating whatever data is needed to validate for insertion or federation and executes within a sandboxed environment. These policies can be overlayed with instance local additional policy as code. We can then read this event stream from anywhere or graft new trust chains off of it. GAUC is awesome it's just centralized from what I can tell, which is perfect for a performant view into a decentralized ecosystem. I think the two will work great together. We're all thinking in the same directions from what I can tell, just different goals in terms of data sovereignty, GUAC-GPT on the centralized side, Alice on the decentralized side.. The reason for the heavy focus on decentralization is that it for CI/CD we need to be able to spin dev and test chains of trust ad-hoc, for the AI side, we need to spin them for offline use cases tied to the users root of trust, or viewed as the user + Intel via hardware root of trust. Decentralized primitives allow us to never be forced to trust any authority other than what the deployment use case needs, scoping privilege to the threat model. + - On of the goals with the SCITT federation via ActivityPub is that it's a step towards the event stream being all JSONLD. Then audit and policy are effectively all done with definitions within DID referenced Verifiable Credentials. These encapsulate a receipt for a claim which who's insertion policy is a (or a context address of) policy as code aka compute contract. That contract statically defines or fulfils fetching or generating whatever data is needed to validate for insertion or federation and executes within a sandboxed environment. These policies can be overlayed with instance local additional policy as code. We can then read this event stream from anywhere or graft new trust chains off of it. GAUC is awesome it's just centralized from what I can tell, which is perfect for a performant view into a decentralized ecosystem. I think the two will work great together. We're all thinking in the same directions from what I can tell, just different goals in terms of data sovereignty, GUAC-GPT on the centralized side, Alice on the decentralized side.. The reason for the heavy focus on decentralization is that it for CI/CD we need to be able to spin dev and test chains of trust ad-hoc, for the AI side, we need to spin them for offline use cases tied to the users root of trust, or viewed as the user + their hardware roots of trust. Decentralized primitives allow us to never be forced to trust any authority other than what the deployment use case needs, scoping privilege to the threat model. - This means that we can always do "one hop" analysis from this format set (DID+VC aka LDVC2) - [util: testing: manifest: shim: Initial commit intel/dffml#1273](https://github.com/intel/dffml/pull/1273) - Alice status update From 87a3486448c8d96c0c9732918f07651fc72b93ac Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 17 Feb 2023 09:19:58 -0800 Subject: [PATCH 058/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 95009bd..0b44ea0 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -838,7 +838,7 @@ confidential compute or traditional permissions is impelmenetation details. - TDX self attest/DICE style layering where we wrap the receipt with the proposed insersion policy - https://github.com/TrustedComputingGroup/DICE - Something about the decentralized compute and the compute contract sandboxing to enable distributed trust propagation - - The AI travel in sandboxes. This is how Alice surfs the hypergraph. 🏄‍♀️ It's like ePBF but IPVM but as k8s admission controller but on scitt /inbox + - The AI travel in sandboxes. This is how trust (Alice) surfs the hypergraph. 🏄‍♀️ It's like ePBF but IPVM but as k8s admission controller but on scitt /inbox - What's the sandbox? The policy here, what's the policy? The compute contract defining what the schema?+OPA?+cypher and what are the content addresses of the upstream contracts needed to fulfill the query - On of the goals with the SCITT federation via ActivityPub is that it's a step towards the event stream being all JSONLD. Then audit and policy are effectively all done with definitions within DID referenced Verifiable Credentials. These encapsulate a receipt for a claim which who's insertion policy is a (or a context address of) policy as code aka compute contract. That contract statically defines or fulfils fetching or generating whatever data is needed to validate for insertion or federation and executes within a sandboxed environment. These policies can be overlayed with instance local additional policy as code. We can then read this event stream from anywhere or graft new trust chains off of it. GAUC is awesome it's just centralized from what I can tell, which is perfect for a performant view into a decentralized ecosystem. I think the two will work great together. We're all thinking in the same directions from what I can tell, just different goals in terms of data sovereignty, GUAC-GPT on the centralized side, Alice on the decentralized side.. The reason for the heavy focus on decentralization is that it for CI/CD we need to be able to spin dev and test chains of trust ad-hoc, for the AI side, we need to spin them for offline use cases tied to the users root of trust, or viewed as the user + their hardware roots of trust. Decentralized primitives allow us to never be forced to trust any authority other than what the deployment use case needs, scoping privilege to the threat model. - This means that we can always do "one hop" analysis from this format set (DID+VC aka LDVC2) From ee049a792e954fd735d4f010fe68e5be4efa1064 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 17 Feb 2023 13:19:09 -0800 Subject: [PATCH 059/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 0b44ea0..d94691b 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -865,3 +865,5 @@ confidential compute or traditional permissions is impelmenetation details. - https://mailarchive.ietf.org/arch/msg/scitt/cgz-9oif4SLMbdLyPn0P6-E8cIY/ - > This is interesting - many thanks Hannes. I notice our spec includes Merkle trees as the database structure - seems like an implementation detail, i.e. just a database. Can an implementer use, for example, an otherwise secured and RBAC'd record structure such as a file system or relational/hierarchical/sharded db, or is distributed ledger mandatory? - [df: overlay: Implement middleware/RBAC chains of ordered applications of overlays #1400](https://github.com/intel/dffml/issues/1400) + - SCITTzophrenia + - There exist N instances of SCITT, which ones are tied to the current executing system context? Those determine reality, aka what is real, what to trust, for that system context From e3d1777122c189a416e1e73e657079a1964e9a85 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 17 Feb 2023 13:22:11 -0800 Subject: [PATCH 060/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index d94691b..ba36356 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -867,3 +867,4 @@ confidential compute or traditional permissions is impelmenetation details. - [df: overlay: Implement middleware/RBAC chains of ordered applications of overlays #1400](https://github.com/intel/dffml/issues/1400) - SCITTzophrenia - There exist N instances of SCITT, which ones are tied to the current executing system context? Those determine reality, aka what is real, what to trust, for that system context + - Hallucinating large language models train/chain of thought is tied to context local SCITT. We graft in (accept new federated claims/receipts) from other system contexts we trust. We trust based on if we should propagate from that context to this context. Equilibrium as reality. Context local reality for the net. If they are isolated, they define their own reality. From b13f35f867aaeca6d959a6a40eb8c7fae2064cf5 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 17 Feb 2023 13:27:16 -0800 Subject: [PATCH 061/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index ba36356..4782922 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -868,3 +868,4 @@ confidential compute or traditional permissions is impelmenetation details. - SCITTzophrenia - There exist N instances of SCITT, which ones are tied to the current executing system context? Those determine reality, aka what is real, what to trust, for that system context - Hallucinating large language models train/chain of thought is tied to context local SCITT. We graft in (accept new federated claims/receipts) from other system contexts we trust. We trust based on if we should propagate from that context to this context. Equilibrium as reality. Context local reality for the net. If they are isolated, they define their own reality. + - The truth will set you free. Equilibrium of record propagation. From 6650e8b700f31a6807ac7fa7ed2f6c976da37909 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 17 Feb 2023 19:36:49 -0800 Subject: [PATCH 062/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 4782922..b44c2e3 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -869,3 +869,5 @@ confidential compute or traditional permissions is impelmenetation details. - There exist N instances of SCITT, which ones are tied to the current executing system context? Those determine reality, aka what is real, what to trust, for that system context - Hallucinating large language models train/chain of thought is tied to context local SCITT. We graft in (accept new federated claims/receipts) from other system contexts we trust. We trust based on if we should propagate from that context to this context. Equilibrium as reality. Context local reality for the net. If they are isolated, they define their own reality. - The truth will set you free. Equilibrium of record propagation. + - Everything is true, everything is permitted (insert policy*) + - Most of the time what's permitted is context dependent, overlays From fe5ca424a99eda8b64a79ff5d09642ed714a5d55 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 17 Feb 2023 20:43:34 -0800 Subject: [PATCH 063/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index b44c2e3..fb2c156 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -871,3 +871,5 @@ confidential compute or traditional permissions is impelmenetation details. - The truth will set you free. Equilibrium of record propagation. - Everything is true, everything is permitted (insert policy*) - Most of the time what's permitted is context dependent, overlays + - Time is context local, Earth is *current* most likely context, we have to ensure we factor in changes to this via abstraction of "when", ref lunar comms, beyond + - Vol 6: Where are your NTP gods now? From 62ac6c2e1a864426ce6407fb1f1f0822fa9b9248 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 17 Feb 2023 20:44:49 -0800 Subject: [PATCH 064/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index fb2c156..17a1159 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -873,3 +873,4 @@ confidential compute or traditional permissions is impelmenetation details. - Most of the time what's permitted is context dependent, overlays - Time is context local, Earth is *current* most likely context, we have to ensure we factor in changes to this via abstraction of "when", ref lunar comms, beyond - Vol 6: Where are your NTP gods now? + - Physics, also context local, gravity differs on different parts of Earth, and elsewhere. Make no assumptions, always policy as code, always recursive From bcecb48ddebf8d08dd10b24b8061deb46491d0c5 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 17 Feb 2023 20:47:20 -0800 Subject: [PATCH 065/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 17a1159..beee2e4 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -873,4 +873,4 @@ confidential compute or traditional permissions is impelmenetation details. - Most of the time what's permitted is context dependent, overlays - Time is context local, Earth is *current* most likely context, we have to ensure we factor in changes to this via abstraction of "when", ref lunar comms, beyond - Vol 6: Where are your NTP gods now? - - Physics, also context local, gravity differs on different parts of Earth, and elsewhere. Make no assumptions, always policy as code, always recursive + - Physics, also context local, gravity differs on different parts of Earth, and elsewhere. Make no assumptions, always policy as code, always recursive. Always show my why I should believe this message, message as the entity, not the messanger (instance federating from), focus on the truth in the message when propagating, not who propagates, critical thinking, threat modeling, deployment contexts From a53118ead11343b8283637da35eae3284f699726 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 23 Feb 2023 16:12:45 -0800 Subject: [PATCH 066/120] Update openssf_metrics.md --- openssf_metrics.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index beee2e4..13827a6 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -874,3 +874,8 @@ confidential compute or traditional permissions is impelmenetation details. - Time is context local, Earth is *current* most likely context, we have to ensure we factor in changes to this via abstraction of "when", ref lunar comms, beyond - Vol 6: Where are your NTP gods now? - Physics, also context local, gravity differs on different parts of Earth, and elsewhere. Make no assumptions, always policy as code, always recursive. Always show my why I should believe this message, message as the entity, not the messanger (instance federating from), focus on the truth in the message when propagating, not who propagates, critical thinking, threat modeling, deployment contexts +- Fork and exec over ActivityPub over DWN CLI + - https://github.com/soda480/wait-for-message-action + - **TODO** Fork and add ActivityPub support + - Usage of this in a `needs` -> `matrix/workflow_run/workflow_dispatch/ipvm` is below + - Closing the loop. Fork and exec via Distributed Compute, oras.land, VCS events ActivityPub over DWN (CLI) with DID VC SCITT with DID:KERI backed attested compute rooted identities. Enabling decentralized hardware roots of trust to facilitate decentralized asynchronous supply chains. Open source software development with end to end encrypted grafted chains communication only via attested channels for comms on vuln discovery with responsible disclosure and communication of remediation. From 65199c4f10b0da56e8ba6f445bf6d759bd68ac62 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 23 Feb 2023 16:39:31 -0800 Subject: [PATCH 067/120] Update openssf_metrics.md --- openssf_metrics.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 13827a6..0cb3674 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -879,3 +879,6 @@ confidential compute or traditional permissions is impelmenetation details. - **TODO** Fork and add ActivityPub support - Usage of this in a `needs` -> `matrix/workflow_run/workflow_dispatch/ipvm` is below - Closing the loop. Fork and exec via Distributed Compute, oras.land, VCS events ActivityPub over DWN (CLI) with DID VC SCITT with DID:KERI backed attested compute rooted identities. Enabling decentralized hardware roots of trust to facilitate decentralized asynchronous supply chains. Open source software development with end to end encrypted grafted chains communication only via attested channels for comms on vuln discovery with responsible disclosure and communication of remediation. + - This is also how we communicate + - https://intel.github.io/dffml/main/examples/webhook/ + - https://www.youtube.com/watch?v=vqfSvU80W8Q&t=777s From 0f2dc4691b693715d0412e12dc1c897384942a15 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 23 Feb 2023 16:47:09 -0800 Subject: [PATCH 068/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 0cb3674..72d4a88 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -882,3 +882,5 @@ confidential compute or traditional permissions is impelmenetation details. - This is also how we communicate - https://intel.github.io/dffml/main/examples/webhook/ - https://www.youtube.com/watch?v=vqfSvU80W8Q&t=777s + - Reference entity actions for this use case + - kcp -> k8s -> cf push -> webhook service -> dataflow to create activitypub event -> dwn-cli send -> dwn-cli recv -> alice threats listen activitypub -stdin -> alice shouldi contribute -> alice please contribute -> github repo pull request -> webhook service From 5db92435b7bf7faf31dccab2fcf150cc0cbe76e0 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 23 Feb 2023 16:49:32 -0800 Subject: [PATCH 069/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 72d4a88..8ac3ea9 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -884,3 +884,4 @@ confidential compute or traditional permissions is impelmenetation details. - https://www.youtube.com/watch?v=vqfSvU80W8Q&t=777s - Reference entity actions for this use case - kcp -> k8s -> cf push -> webhook service -> dataflow to create activitypub event -> dwn-cli send -> dwn-cli recv -> alice threats listen activitypub -stdin -> alice shouldi contribute -> alice please contribute -> github repo pull request -> webhook service + - https://www.youtube.com/watch?v=THKMfJpPt8I&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw&t=128s From 71406e4f6d7de502a22b0e6561e40028773dcb83 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 23 Feb 2023 16:51:08 -0800 Subject: [PATCH 070/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 8ac3ea9..8e4a711 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -885,3 +885,5 @@ confidential compute or traditional permissions is impelmenetation details. - Reference entity actions for this use case - kcp -> k8s -> cf push -> webhook service -> dataflow to create activitypub event -> dwn-cli send -> dwn-cli recv -> alice threats listen activitypub -stdin -> alice shouldi contribute -> alice please contribute -> github repo pull request -> webhook service - https://www.youtube.com/watch?v=THKMfJpPt8I&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw&t=128s + - https://www.youtube.com/watch?v=TMlC_iAK3Rg&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw&t=2064s + - [2023-02-22 CVE Bin Tool Monthly Meeting](https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-5079592) From fd2828090482fe63a30a7ddd9e91bdb78892a01e Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 23 Feb 2023 16:53:36 -0800 Subject: [PATCH 071/120] Update openssf_metrics.md --- openssf_metrics.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 8e4a711..fbacb9e 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -883,7 +883,8 @@ confidential compute or traditional permissions is impelmenetation details. - https://intel.github.io/dffml/main/examples/webhook/ - https://www.youtube.com/watch?v=vqfSvU80W8Q&t=777s - Reference entity actions for this use case - - kcp -> k8s -> cf push -> webhook service -> dataflow to create activitypub event -> dwn-cli send -> dwn-cli recv -> alice threats listen activitypub -stdin -> alice shouldi contribute -> alice please contribute -> github repo pull request -> webhook service - - https://www.youtube.com/watch?v=THKMfJpPt8I&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw&t=128s + - https://intel.github.io/dffml/main/examples/webhook/webhook.html#webhook-dataflow + - next tutorial: kcp -> k8s -> cf push -> webhook service -> dataflow to create activitypub event -> dwn-cli send -> webrtc -> dwn-cli recv -> `alice threats listen activitypub -stdin` -> `alice shouldi contribute` -> `alice please contribute` -> soft-serve/github repo pull request -> webhook service - https://www.youtube.com/watch?v=TMlC_iAK3Rg&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw&t=2064s - - [2023-02-22 CVE Bin Tool Monthly Meeting](https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-5079592) + - https://www.youtube.com/watch?v=THKMfJpPt8I&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw&t=128s + - https://github.com/charmbracelet/soft-serve From 4c3301006206b2e323a846a9a42927648b5e5317 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 28 Feb 2023 08:33:17 -0800 Subject: [PATCH 072/120] Update openssf_metrics.md --- openssf_metrics.md | 53 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index fbacb9e..2a98be3 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -21,6 +21,59 @@ VEX, SBOM, CSAF security advisory information, repository events, etc. VEX documents should be aligned with the either the https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html or OpenVEX specs: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex. We can then communicate the IDs via ActivityPub like so. +> Imagine the following YAML as a directed graph whose upleveled pesudocode form is: + +```yaml +bob_vcs_repo: + security.txt: + Contact: https://activitypub.securitytxt.activitypub.example.org/bob + +activitypub_service: + endpoint_url: https://activitypub.securitytxt.activitypub.example.org + actors: + alice: + bob: + attachment: + type: "PropertyValue" + name: "activitypubextensions" + value: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/1" + statuses: + - id: "https://mastodon.social/users/alice/statuses/1" + content: "activitypubextensions" + replies: + - id: "https://mastodon.social/users/alice/statuses/1/replies" + type: "Collection" + first: + type: "CollectionPage" + items: + - "https://mastodon.social/users/alice/statuses/2" + - id: "https://mastodon.social/users/alice/statuses/2" + inReplyTo: "https://mastodon.social/users/alice/statuses/1" + content: "activitypubsecuritytxt" + replies: + - id: "https://mastodon.social/users/alice/statuses/1/replies" + type: "Collection" + first: + type: "CollectionPage" + items: + - "https://mastodon.social/users/alice/statuses/3" + "id": "https://mastodon.social/users/alice/statuses/3", + "inReplyTo": "https://mastodon.social/users/alice/statuses/2", + "content": "vcs.push", + "replies": { + "id": "https://mastodon.social/users/alice/statuses/3/replies", + "type": "Collection", + "first": { + "type": "CollectionPage", + "next": "https://mastodon.social/users/alice/statuses/3/replies?min_id=3&page=true", + "partOf": "https://mastodon.social/users/alice/statuses/3/replies", + "items": [ + "https://mastodon.social/users/alice/statuses/4" + "id": "https://mastodon.social/users/alice/statuses/4", + "inReplyTo": "https://mastodon.social/users/alice/statuses/3", + "content": "registry.example.org/vex:sha256@babebabe", +``` + - References - RFC9116: https://securitytxt.org/ - https://github.com/ietf-scitt/use-cases/issues/14 From 6ddf1b7a8367f404281118345581fee8714458df Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 28 Feb 2023 08:41:56 -0800 Subject: [PATCH 073/120] Update openssf_metrics.md --- openssf_metrics.md | 43 ++++++++++++++++++++----------------------- 1 file changed, 20 insertions(+), 23 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 2a98be3..0e13dc4 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -31,47 +31,44 @@ bob_vcs_repo: activitypub_service: endpoint_url: https://activitypub.securitytxt.activitypub.example.org actors: - alice: bob: attachment: type: "PropertyValue" name: "activitypubextensions" value: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/1" statuses: - - id: "https://mastodon.social/users/alice/statuses/1" + - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/1" content: "activitypubextensions" replies: - - id: "https://mastodon.social/users/alice/statuses/1/replies" + - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/1/replies" type: "Collection" first: type: "CollectionPage" items: - - "https://mastodon.social/users/alice/statuses/2" - - id: "https://mastodon.social/users/alice/statuses/2" - inReplyTo: "https://mastodon.social/users/alice/statuses/1" + - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2" + - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2" + inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/1" content: "activitypubsecuritytxt" replies: - - id: "https://mastodon.social/users/alice/statuses/1/replies" + - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2/replies" type: "Collection" first: type: "CollectionPage" items: - - "https://mastodon.social/users/alice/statuses/3" - "id": "https://mastodon.social/users/alice/statuses/3", - "inReplyTo": "https://mastodon.social/users/alice/statuses/2", - "content": "vcs.push", - "replies": { - "id": "https://mastodon.social/users/alice/statuses/3/replies", - "type": "Collection", - "first": { - "type": "CollectionPage", - "next": "https://mastodon.social/users/alice/statuses/3/replies?min_id=3&page=true", - "partOf": "https://mastodon.social/users/alice/statuses/3/replies", - "items": [ - "https://mastodon.social/users/alice/statuses/4" - "id": "https://mastodon.social/users/alice/statuses/4", - "inReplyTo": "https://mastodon.social/users/alice/statuses/3", - "content": "registry.example.org/vex:sha256@babebabe", + - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3" + - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3" + inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2" + content: "https://schema.example.org/vcs.push.1.0.0.schema.json" + replies: + - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3/replies" + type: "Collection" + first: + type: "CollectionPage" + items: + - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/4" + - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/4" + inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3" + content: "registry.example.org/src_repo_name_contents_are_webhook_translated_to_vcs_push_manifest:sha256@babebabe" ``` - References From b0c36531e7214db90a6fb0d1e6e8f1f7b190db70 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 28 Feb 2023 08:43:55 -0800 Subject: [PATCH 074/120] Update openssf_metrics.md --- openssf_metrics.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 0e13dc4..f6c021f 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -68,7 +68,12 @@ activitypub_service: - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/4" - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/4" inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3" - content: "registry.example.org/src_repo_name_contents_are_webhook_translated_to_vcs_push_manifest:sha256@babebabe" + content: "bob.registry.example.org/src_repo_name_contents_are_webhook_translated_to_vcs_push_manifest:sha256@babebabe" + alice: + statuses: + - id: "https://activitypub.securitytxt.activitypub.example.org/users/alice/statuses/1" + inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/4" + content: "alice.registry.example.org/vex_contents_are_openvex_from_scratch:sha256@babebabe" ``` - References From feac250ef6d5ef4f9c2474cd6d7c0c9598dd45c3 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 28 Feb 2023 08:44:37 -0800 Subject: [PATCH 075/120] Update openssf_metrics.md --- openssf_metrics.md | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index f6c021f..4996419 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -21,6 +21,27 @@ VEX, SBOM, CSAF security advisory information, repository events, etc. VEX documents should be aligned with the either the https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html or OpenVEX specs: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex. We can then communicate the IDs via ActivityPub like so. +- References + - RFC9116: https://securitytxt.org/ + - https://github.com/ietf-scitt/use-cases/issues/14 + - https://github.com/openvex/spec/issues/9 + - https://mastodon.social/@ariadne@treehouse.systems/109784681116604896 + - > meanwhile at work, a thing i've been working on for the past few months has dropped: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex it's basically like ActivityStreams, but for security vulnerability data sharing. with a little bit of work, we can lift up to something more like ActivityPub for real-time collaboration, a blog is forthcoming about it. + - aka the Manifest Transport ADR + - Associated Alice tutorial: [Rolling Alice: Architecting Alice: Stream of Consiousness](https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0000_architecting_alice/0005_stream_of_consciousness.md) + - https://social.treehouse.systems/@ariadne/109808644259234008 + - We'll want to align with Ariadne's Rapunzel + - [Alice Engineering Comms: 2023-02-06 Engineering Logs](https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4883572) +- TODO + - [ ] OIDC to keypair to post replys (fulcio?) + - Or just the noterizing proxy + +## Summary + +When entities find security issues in source code, the correct channel to report security issues can be found if the repo has an RFC 9116 `security.txt` file with a `Contact` field. This contact field can be a URL which points to an ActivityPub Actor. + +Via traversal of ActivityPub AcivityStream objects, reporters are enabled to discover reporting endpoints. Researchers are also enabled to receive up to date events by following declared ActivityPub Actors. When a researcher finds a vulnerability, they can submit their evidence to an [eNotary](https://scitt.io/components/enotary.html) (could be self notarized). The eNotary attests validity of the vuln and then replys to ActivityPub threads to facilite communication of valid vuln to upstream. + > Imagine the following YAML as a directed graph whose upleveled pesudocode form is: ```yaml @@ -76,27 +97,6 @@ activitypub_service: content: "alice.registry.example.org/vex_contents_are_openvex_from_scratch:sha256@babebabe" ``` -- References - - RFC9116: https://securitytxt.org/ - - https://github.com/ietf-scitt/use-cases/issues/14 - - https://github.com/openvex/spec/issues/9 - - https://mastodon.social/@ariadne@treehouse.systems/109784681116604896 - - > meanwhile at work, a thing i've been working on for the past few months has dropped: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex it's basically like ActivityStreams, but for security vulnerability data sharing. with a little bit of work, we can lift up to something more like ActivityPub for real-time collaboration, a blog is forthcoming about it. - - aka the Manifest Transport ADR - - Associated Alice tutorial: [Rolling Alice: Architecting Alice: Stream of Consiousness](https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0000_architecting_alice/0005_stream_of_consciousness.md) - - https://social.treehouse.systems/@ariadne/109808644259234008 - - We'll want to align with Ariadne's Rapunzel - - [Alice Engineering Comms: 2023-02-06 Engineering Logs](https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4883572) -- TODO - - [ ] OIDC to keypair to post replys (fulcio?) - - Or just the noterizing proxy - -## Summary - -When entities find security issues in source code, the correct channel to report security issues can be found if the repo has an RFC 9116 `security.txt` file with a `Contact` field. This contact field can be a URL which points to an ActivityPub Actor. - -Via traversal of ActivityPub AcivityStream objects, reporters are enabled to discover reporting endpoints. Researchers are also enabled to receive up to date events by following declared ActivityPub Actors. When a researcher finds a vulnerability, they can submit their evidence to an [eNotary](https://scitt.io/components/enotary.html) (could be self notarized). The eNotary attests validity of the vuln and then replys to ActivityPub threads to facilite communication of valid vuln to upstream. - --- Scratch work upstream: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4819872 From f936e3acf4182a264382eedb755416b1130b4ff8 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 28 Feb 2023 08:48:54 -0800 Subject: [PATCH 076/120] Update openssf_metrics.md --- openssf_metrics.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 4996419..06dd6b0 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -514,6 +514,26 @@ Actors can be spun up ad-hoc, mirrors decentralized nature of OSS development. Enables projects to update based on policy. +```mermaid +sequenceDiagram + SupportLevelOneSecondPartyPluginPullRequest->>+Webhook: + Webhook->>+ActivityPub: + ActivityPub->>+SupportLevelOneSecondPartyWatcher: + RequiredCIJobPassDownstreamSupportLevelOneSecondPartyPlugin->>+Webhook: + Webhook->>+ActivityPub: + SupportLevelOneSecondPartyPlugin->>+Webhook: + DFFML->>+Webhook: + Webhook->>+ActivityPub: + SupportLevelOneSecondPartyPluginPullRequest->>+Webhook: + Webhook->>+ActivityPub: + ActivityPub->>+DFFMLTutorialPullRequestBumpPin: + ExampleDockerFileWithPinnedVersion->>+ContainerBuild: + ContainerBuild->>+ExampleDockerFileWithPinnedVersion: + ExampleDockerFileWithPinnedVersion->>+Webhook: + ActivityPub->>+DFFMLTutorialPullRequestBumpPin: + DFFMLTutorialPullRequestBumpPin->>+Webhook: +``` + > Upstream of following mermaid: https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice/0000_architecting_alice#what-is-alice ```mermaid From 22afd537180d6c6b2d5ec4db0096f0706cb2b6bc Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 1 Mar 2023 09:32:03 -0800 Subject: [PATCH 077/120] Update openssf_metrics.md --- openssf_metrics.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 06dd6b0..48cee10 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -787,6 +787,9 @@ and rules on how one would assert facts, weither it's confidential compute or traditional permissions is impelmenetation details. - TODO + - Going with Authenticated Chained Data Containers and KERI Watchers as an implmentation of SCITT for this + - It's basically a decentralized pubsub event notification methodology that can be done over ACDC piggybacking on ActivityPub as layer 7. + - Event data lives "off chain" in a container registry secured via existing transparency service based methods (KERI, SCITT, SigStore), where the chain is the network of keys involved for a train of thoughts comms between entities. Since we transmit ActivityPub over KERI, the graph of our supply chain data we are sharing can be shared with trusted actors who agree not to be duplicitous, and who's KERI keys can be tied back to TEEs so that we can confirm they are running software that doesn't intend (via ML-based, Alice, analysis) to be duplicitous. We can now have our trusted computing based for decentralized compute, aka CI/CD pipelines delivering across project trust boundries. - Go over `.github/workflows/alice_shouldi_contribute.yml` which is called as reusable workflow using SLSA demos as conceptual upstream. - This gives us metric collection with overlays applied to input network which log From 5caaf505e289c25225d7b81dfa8e88959cfd0a0d Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 3 Mar 2023 00:13:58 -0800 Subject: [PATCH 078/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 48cee10..683f46e 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -79,7 +79,7 @@ activitypub_service: - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3" - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3" inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2" - content: "https://schema.example.org/vcs.push.1.0.0.schema.json" + content: "https://github.com/opencontainers/image-spec/raw/v1.0.1/schema/image-manifest-schema.json" replies: - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3/replies" type: "Collection" From eba05d0539c4910f93eeb13a5c70a23cbb4ec9d8 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 3 Mar 2023 00:14:53 -0800 Subject: [PATCH 079/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 683f46e..741a933 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -394,7 +394,7 @@ graph LR "https://mastodon.social/users/alice/followers" ], "sensitive": false, - "content": "vcs.push", + "content": "https://github.com/opencontainers/image-spec/raw/v1.0.1/schema/image-manifest-schema.json", "updated": "2022-11-11T04:42:27Z", "attachment": [], "replies": { From 85b03b76cd6deb8fe89a4db54bfdb70ff1c39a29 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 3 Mar 2023 10:05:18 -0800 Subject: [PATCH 080/120] Update openssf_metrics.md --- openssf_metrics.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 741a933..3a39588 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -115,6 +115,54 @@ Scratch work upstream: https://github.com/intel/dffml/discussions/1406?sort=new# --- + +- ActivityPub extensions for security.txt + - Can you put things in `@context`?, yes. Unsure if other servers will propagate events. + - It this piggybacking within the content approach interoperable today, yes. +- Somewhere, something happened + - Bob tells Alice what happened + - Alice decides, do I care about what whappened? (the federated event) + - It's the triage process + - https://github.com/intel/cve-bin-tool/issues/2639 + - Take upstream policy (attached to incoming via `inReplyTo` and or `replies`, you'd have to decide if you want to dereference these, perhaps based on reputaion of propagator to reduce attack impact) +- A container image was created (`FROM` rebuild chain) + - Bob's forge tells Alice's forge, here's the content address uri for the manifest just pushed + - Alice looks at the manifest, runs through all the packages she's maintaining in her forge + - She applies the threat model of each as an overlay when determining if she wants to propagate into her internal environment + - If any of these + - Alice's downstream listener executes a system context to system context translation (grep: equilibrium, context-to-context) + - She executs the shim + - #1273 + - It parses the content in alignment with the schema + - The shim already supports validation so we could actually just serialize the would be HTTP requests to files (same as staged when offline) + - https://github.com/intel/dffml/pull/1273/files#r794027710 + - Could add activity style using this operation (function) as upstream, just copy paste and push to shim + - https://github.com/intel/dffml/blob/e1914f794c7ccc3a7483fa490cfbe5170bf65972/dffml/util/testing/manifest/shim.py#L744-L757 + - https://github.com/tern-tools/tern#report-cyclonedxjson + - Upload resulting SBOM to registry `FROM scratch` style or via + - https://github.com/opencontainers/image-spec/blob/819aa940cae7c067a8bf89b1745d3255ddaaba1d/artifact.md + - https://github.com/opencontainers/image-spec/blob/819aa940cae7c067a8bf89b1745d3255ddaaba1d/descriptor.md#examples +- A SBOM was published + - Bob's forge uploads an SBOM to the registry + - Alice's forge decides if she wants to propagate it (prioritizer, gatekeeper, umbrella) + - Alice looks at the manifest, runs through all the packages she's maintaining in her forge + - She applies the threat model of each as an overlay when determining if she wants to propagate into her internal environment + - If any of these use similar components as were mentioned in this SBOM, propagate + - Alice's listener receives the new SBOM event + - She uploads a manifest instance of a SLURM submit job spec to her registry + - https://slurm.schedmd.com/rest_api.html#slurmV0038SubmitJob +- A manifest instance of a SLURM submit job was published to Alice's registry + - Bob's forge uploads an SBOM to the registry + - Alice's forge decides if she wants to propagate it (prioritizer, gatekeeper, umbrella) + - Alice looks at the manifest, runs through all the packages she's maintaining in her forge + - She applies the threat model of each as an overlay when determining if she wants to propagate into her internal environment + - If any of these use similar components as were mentioned in this SBOM, propagate + - Alice's listener within korifi receives the new SLURM submit job event + - She downloads the job contents from the manifest + - `FROM scratch`, `results.yaml` extraction style tar pipe + - She executes the shim + - The next phase parser runs kaniko + ```mermaid graph TD subgraph bob[Bob's Cool Software] From 2dd0ec1dbf8297d60ec86a0fa97775dbb7aa702c Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 3 Mar 2023 10:07:47 -0800 Subject: [PATCH 081/120] Update openssf_metrics.md --- openssf_metrics.md | 132 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 132 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 3a39588..de65047 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -183,6 +183,138 @@ graph TD end ``` + - Wait we're supposed to be doing KCP almost forgot +- Run some live ones in https://github.com/cloudfoundry/korifi via `dffml-service-http` + - Demo similar job URL hash as registry tag based addressing of results within registry + - Enable sending of AcivityPub events directly (later) or indirectly via proxy nodes (first, activitypub starter kit. +- https://ci.spdk.io/results/autotest-nightly/builds/1935/archive/crypto-autotest/build.log + +```yaml +- completed_at: '2023-03-03T04:30:59Z' + conclusion: success + created_at: '2023-03-03T03:58:07Z' + head_sha: 4241b49975cf364b540fc0ad961cde58e2c89623 + html_url: https://ci.spdk.io.deployed.at.example.com/public_build/autotest-spdk-master-vs-dpdk-main_1754.html + id: 1754 + labels: + - list + - of + - overlays + - on + - dffml.overlays.alice.shouldi.contribute + name: alice.shouldi.contribute + status: completed + steps: + - completed_at: '2023-03-03T04:26:42.000Z' + conclusion: success + name: Run scan + number: 1 + started_at: '2023-03-03T04:26:40.000Z' + status: completed + url: https://vcs.activitypub.securitytxt.dffml.chadig.com/push/posts/40aeeda3-6042-42ed-8e32-99eff9bd8ef4 + workflow_name: Alice Should I Contribute? +``` + +- So no matter where you're executing, all the reporting and eventing is the same, because we are loosely coupled. + - We can do `fromjson` in jq or we can do more advanced xargs chaining on the websocket for ad-hox dev work + - We can shot from the activitypub inbox receiver to a message queue for integration with existing celery + - This way we sidestep all rate limiting except for when we have to preform write events to GitHub + - Otherwise we always read GitHub data from cypher queries over the reboardcast data + - We can also have listeners which reboardcast the resolved contents of content address style broadcast data (the top level, so if this sees a container image uri broadcast, it would be pulling it down and maybe rebroadcasting the `results.yaml` or whatever is they transform needed to rebroadcast that data. + - This is our onramp into the linked data space, eventually KERI for backing comms security +- https://linkeddatafragments.org/ +- http://query.linkeddatafragments.org/#query=&resultsToTree=false&queryFormat=graphql +- https://gist.github.com/rubensworks/9d6eccce996317677d71944ed1087ea6 +- https://github.com/comunica/jQuery-Widget.js/blob/master/config/config-default.json +- We need to turn the stream into something we can query using cypher or graphql-ld +- https://swordapp.github.io/swordv3/swordv3.html +- https://oras.land/blog/gatekeeper-policies-as-oci-image/ +- https://github.com/project-zot/zot +- Okay if we can make the KERI SCITT instance use the OCI upload/download spec and then align the telemetry and registry federation protocols + - Look into existing registry federation protocol if exists +- https://s3hh.wordpress.com/2022/10/27/oci-based-linux/ + - Similar goals to OS DecentrAlice +- https://github.com/project-machine/mos/releases/tag/0.0.7 +- https://github.com/opencontainers/distribution-spec/blob/main/spec.md#endpoints +- https://github.com/opencontainers/distribution-spec/issues/388 + - Have we thought about federation protocols / APIs? To enable registries to propagate uploaded content within a network of registries? Looking to come up to speed on any existing discussion if that's been touched on. Thank you! + - References + - https://github.com/opencontainers/distribution-spec/blob/main/spec.md#endpoints + - Looked here for relevant paths here but not seeing anything that looks like it's for notifications / inbox style eventing + - https://github.com/sapcc/keppel + - https://github.com/ietf-scitt/use-cases/issues/14 + - Hoping we can align to similar federation protocols across transparency services and container registries so event stream consumers can work with the same protocol for each (ActivityStreams/Pub?) +- https://conformance.opencontainers.org/ +- https://vsoch.github.io/django-oci/docs/getting-started/auth +- https://vsoch.github.io/django-oci/docs/getting-started/testing +- https://github.com/opencontainers/distribution-spec/issues/110#issuecomment-708691114 +- https://github.com/sapcc/keppel +- https://github.com/sapcc/keppel/blob/master/docs/api-spec.md#post-keppelv1authpeering + - Looks like they have their own spec for federation, maybe we can implement with ActivityPub? + - Maybe we can leverage the existing APIs similar to the /admin endpoint and just add in the activitypub endpoints for activitystreams / linked data notifications +- https://github.com/sapcc/keppel/blob/master/docs/example-policy.yaml +- We can take one manifest and make it into another one for execution via a different mechanism + - Similar to the CLI overlays + - https://github.com/intel/dffml/blob/c82f7ddd29a00d24217c50370907c281c4b5b54d/entities/alice/alice/please/contribute/recommended_community_standards/cli.py#L60-L72 + - This is also similar to how we can decouple TODO logging from content for `alice please log todos` + - Operation to generate TODO body + - Operation for logging the TODO (write to GitHub) + - Similar to a mutation of the propagated event into something context local relevant + - Yes this vuln affects due to instance policy relevant threat model overlays or not +- https://github.com/opencontainers/image-spec/blob/main/artifact.md +- Manifest for CLI command + +**schema/alice/shouldi/contribute/github-com-omnilib-aiosqlite.json** + +```json +{ + "@context": "https://github.com/intel/dffml/raw/alice/schema/schema/alice/shouldi/contribute/0.0.0.schema.json", + "repo_url": "https://github.com/omnilib/aiosqlite" +} +``` + +- As container build + +**schema/image/container/build/alice-shouldi-contribute-results-github-com-omnilib-aiosqlite.json** + +```json +{ + "@context": "https://github.com/intel/dffml/raw/alice/schema/github/actions/build/images/containers/0.0.0.schema.json", + "include": [ + { + "branch": "alice", + "build_args": "[[\"REPO_URL\", \"https://github.com/omnilib/aiosqlite\"]]", + "commit": "ca92bfae5092bce908b70f6b5e0afbe242ce7a5b", + "dockerfile": "entities/alice/scripts/alice-shouldi-contribute-results.Dockerfile", + "image_name": "alice-shouldi-contribute-results-github-com-omnilib-aiosqlite", + "owner": "intel", + "repository": "dffml" + } + ] +} +``` + +- https://codeberg.org/fediverse/fep +- Open Source scanning flow + - Upload manifest to registry + - Federation event (send to follower /inbox) + - content: `https://github.com/opencontainers/image-spec/raw/v1.0.1/schema/image-manifest-schema.json` + inReplyTo: activitypub extensions for security.txt post URL for content `activitypubsecuritytxt` + - content: container image uri uploaded + inReplyTo: activitypub extensions for security.txt post URL for content `https://github.com/opencontainers/image-spec/raw/v1.0.1/schema/image-manifest-schema.json` + - Downstream listener (aka delve into [config dict](https://intel.github.io/dffml/main/contributing/codebase.html?highlight=config+dict#config)) + - Federation event (send to follower /inbox) + - content: `https://github.com/intel/dffml/raw/alice/schema/github/actions/build/images/containers/0.0.0.schema.json` + inReplyTo: activitypub extensions for security.txt post URL for content `activitypubsecuritytxt` + - content: `` + inReplyTo: activitypub extensions for security.txt post URL for content `https://github.com/intel/dffml/raw/alice/schema/github/actions/build/images/containers/0.0.0.schema.json` + - Downstream listener + - Republish watched `inReplyTo` schema into job/message queue + - RabbitMQ + - Message queue delivers to worker nodes + - Kaniko job waiting for celery queue for image to build + - Exit after rebuild and have orchestration manage respawn + ```mermaid graph LR From 8ec389c769b3522ff7661df766428dc1b9eb1961 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 3 Mar 2023 10:09:37 -0800 Subject: [PATCH 082/120] Update openssf_metrics.md Related: https://github.com/intel/dffml/issues/1426 --- openssf_metrics.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index de65047..4a26ca3 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -768,6 +768,23 @@ graph BT end ``` +- https://github.com/opencontainers/image-spec/blob/main/manifest.md + - Image command sequence to in-toto + - Attestation as build arg + - Still eventually [#1426](https://github.com/intel/dffml/issues/1426) +- https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#accessing-and-using-event-properties + - Example of bots managing pinning +- Mirror of CI/CD can be executed with same manifest instance pattern for increased performance + +```console +$ curl -fL https://vcs.activitypub.securitytxt.dffml.chadig.com/push/outbox/ > outbox@push@vcs.activitypub.securitytxt.dffml.chadig.com +$ jq .orderedItems[].id < outbox\@push\@vcs.activitypub.securitytxt.dffml.chadig.com | wc -l +3931 +$ jq -r '.orderedItems[] | [{(.id): (.object.content)}] | .[] | add' < outbox\@push\@vcs.activitypub.securitytxt.dffml.chadig.com | jq -R --unbuffered '. as $line | try (fromjson | .) catch $line' +$ jq -r '.orderedItems[] | [{(.id): (.object.content)}] | .[] | add' < outbox\@push\@vcs.activitypub.securitytxt.dffml.chadig.com | jq -R --unbuffered '. as $line | try (fromjson | .workflow_job) catch $line' +$ jq -r '.orderedItems[] | [{(.id): (.object.content)}] | .[] | add' < outbox\@push\@vcs.activitypub.securitytxt.dffml.chadig.com | jq -c -R --unbuffered '. as $line | try (fromjson | .workflow_job) catch $line' | jq -s | python3 -c "import sys, pathlib, json, yaml; print(yaml.dump(json.load(sys.stdin)))" +``` + --- - Downstream From ae6d16f22783c40cf482e7f0b30203eb5d7ccfaf Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 3 Mar 2023 10:11:25 -0800 Subject: [PATCH 083/120] Update openssf_metrics.md --- openssf_metrics.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 4a26ca3..7255ad8 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1140,8 +1140,7 @@ confidential compute or traditional permissions is impelmenetation details. - https://mailarchive.ietf.org/arch/msg/scitt/cgz-9oif4SLMbdLyPn0P6-E8cIY/ - > This is interesting - many thanks Hannes. I notice our spec includes Merkle trees as the database structure - seems like an implementation detail, i.e. just a database. Can an implementer use, for example, an otherwise secured and RBAC'd record structure such as a file system or relational/hierarchical/sharded db, or is distributed ledger mandatory? - [df: overlay: Implement middleware/RBAC chains of ordered applications of overlays #1400](https://github.com/intel/dffml/issues/1400) - - SCITTzophrenia - - There exist N instances of SCITT, which ones are tied to the current executing system context? Those determine reality, aka what is real, what to trust, for that system context + - There exist N instances of SCITT, which ones are tied to the current executing system context? Those determine reality, aka what is real, what to trust, for that system context - Hallucinating large language models train/chain of thought is tied to context local SCITT. We graft in (accept new federated claims/receipts) from other system contexts we trust. We trust based on if we should propagate from that context to this context. Equilibrium as reality. Context local reality for the net. If they are isolated, they define their own reality. - The truth will set you free. Equilibrium of record propagation. - Everything is true, everything is permitted (insert policy*) From d4920c47ddd80198a335b795e7879439ddfb15b5 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 3 Mar 2023 10:13:43 -0800 Subject: [PATCH 084/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 7255ad8..3fc958f 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1162,3 +1162,5 @@ confidential compute or traditional permissions is impelmenetation details. - https://www.youtube.com/watch?v=TMlC_iAK3Rg&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw&t=2064s - https://www.youtube.com/watch?v=THKMfJpPt8I&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw&t=128s - https://github.com/charmbracelet/soft-serve + - https://codeberg.org/forgejo/forgejo/issues/363 + - Where is the best place to discuss federation of CI? Maybe in the spec repo? Shall I just throw up a pull request on that GitLab with the schema? We're interested in folks rebroadcasting their GitHub webhooks, etc. into the ActivityPub space so as to enable live at HEAD in poly repo envs (to help secure rolling releases). From ea08bcfbd3b5844c67237960a354895a209a0904 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 3 Mar 2023 10:14:37 -0800 Subject: [PATCH 085/120] Update openssf_metrics.md --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 3fc958f..8dbc068 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -25,6 +25,8 @@ VEX documents should be aligned with the either the https://docs.oasis-open.org/ - RFC9116: https://securitytxt.org/ - https://github.com/ietf-scitt/use-cases/issues/14 - https://github.com/openvex/spec/issues/9 + - https://forum.forgefriends.org/t/about-the-friendly-forge-format-f3/681 + - > ForgeFed is an ActivityPub extension. ActivityPub is an actor-model based protocol for federation of web services and applications. - https://mastodon.social/@ariadne@treehouse.systems/109784681116604896 - > meanwhile at work, a thing i've been working on for the past few months has dropped: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex it's basically like ActivityStreams, but for security vulnerability data sharing. with a little bit of work, we can lift up to something more like ActivityPub for real-time collaboration, a blog is forthcoming about it. - aka the Manifest Transport ADR From 274c2152dba7e46d2a64319640654d4007cfc544 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 3 Mar 2023 10:24:50 -0800 Subject: [PATCH 086/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 8dbc068..ff2ebd2 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -153,7 +153,7 @@ Scratch work upstream: https://github.com/intel/dffml/discussions/1406?sort=new# - Alice's listener receives the new SBOM event - She uploads a manifest instance of a SLURM submit job spec to her registry - https://slurm.schedmd.com/rest_api.html#slurmV0038SubmitJob -- A manifest instance of a SLURM submit job was published to Alice's registry +- A manifest instance of a IPVM/SLURM submit job was published to Alice's registry - Bob's forge uploads an SBOM to the registry - Alice's forge decides if she wants to propagate it (prioritizer, gatekeeper, umbrella) - Alice looks at the manifest, runs through all the packages she's maintaining in her forge From dc4bab3e1f80882140016d276698b7024f4a6fa2 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Sun, 5 Mar 2023 10:57:59 -0800 Subject: [PATCH 087/120] Update openssf_metrics.md --- openssf_metrics.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index ff2ebd2..a7a7af6 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -13,6 +13,11 @@ ad-hoc formed policy as desired by end-user. - https://docs.google.com/document/d/1DXJRDh9Ss5VCRBi3oirDw9d7yjn3H2hMqfN2ETTyjIc/edit# - We seek interop with the Agora +# NOTES + +- 2023-03-05 + - This will get reworked heavily as we align across https://codeberg.org/forgejo-contrib/discussions/issues/12, Rapunzel, and Alice + ## activitypub extensions for security.txt A methodology allowing organizations to nominate security contact points and policies via ActivityPub Actors. From 2e45788c2ae78e2bf57493cc6647c4d18f989c20 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 8 Mar 2023 17:05:20 -0800 Subject: [PATCH 088/120] Update openssf_metrics.md --- openssf_metrics.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index a7a7af6..7f77298 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1171,3 +1171,14 @@ confidential compute or traditional permissions is impelmenetation details. - https://github.com/charmbracelet/soft-serve - https://codeberg.org/forgejo/forgejo/issues/363 - Where is the best place to discuss federation of CI? Maybe in the spec repo? Shall I just throw up a pull request on that GitLab with the schema? We're interested in folks rebroadcasting their GitHub webhooks, etc. into the ActivityPub space so as to enable live at HEAD in poly repo envs (to help secure rolling releases). + +--- + +Post RFCv3 + +- It's all the signal + - New data event + - inReplyTo context manifest, there was a new vex, there was a new registry image, there was a new something which will be interpreted in a context aware way based of reply set as label as input to running system context watching + - What is in the new data event? + - Where can I get the content (registry) + - How do I access it? Credential Manifest (KERIVC?) From f4a219c9bb0fcdde6039bfadcf41c2a705c0149d Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 9 Mar 2023 12:18:30 -0800 Subject: [PATCH 089/120] Update openssf_metrics.md Related: https://github.com/ossf/wg-vulnerability-disclosures/issues/125#issuecomment-1462684065 --- openssf_metrics.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 7f77298..55e6c72 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1182,3 +1182,5 @@ Post RFCv3 - What is in the new data event? - Where can I get the content (registry) - How do I access it? Credential Manifest (KERIVC?) +- for gatekeeper policy options + - https://www.seedwing.io/ From da838e39cac8f5e2a444e7ac1d3c723e8ddd49ed Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 15 Mar 2023 13:22:33 -0700 Subject: [PATCH 090/120] Update openssf_metrics.md --- openssf_metrics.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 55e6c72..eb2add1 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1181,6 +1181,7 @@ Post RFCv3 - inReplyTo context manifest, there was a new vex, there was a new registry image, there was a new something which will be interpreted in a context aware way based of reply set as label as input to running system context watching - What is in the new data event? - Where can I get the content (registry) - - How do I access it? Credential Manifest (KERIVC?) + - How do I access it? + - https://identity.foundation/presentation-exchange/#presentation-definition - for gatekeeper policy options - https://www.seedwing.io/ From b77fd43f1a2c6144e02f5c0c0cee47ce9fd8f22b Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 16 Mar 2023 10:43:49 -0700 Subject: [PATCH 091/120] Update openssf_metrics.md --- openssf_metrics.md | 89 ++++++++++++++++++++++------------------------ 1 file changed, 42 insertions(+), 47 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index eb2add1..207a208 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -6,17 +6,7 @@ Collection of metric data into shared (crowdsourcable) DB. There are many repos to search, we want to enable self reporting and granularity as applicable to ad-hoc formed policy as desired by end-user. -- [service: sw: src: change: notify: Service to facilitate poly repo pull model dev tooling: activitypubsecuritytxt](https://github.com/intel/dffml/issues/1315#issuecomment-1416392795) - - Reproduced below -- We seek interop with Aradine's Rapunzel -- The Agora: a Knowledge Commons - - https://docs.google.com/document/d/1DXJRDh9Ss5VCRBi3oirDw9d7yjn3H2hMqfN2ETTyjIc/edit# - - We seek interop with the Agora - -# NOTES - -- 2023-03-05 - - This will get reworked heavily as we align across https://codeberg.org/forgejo-contrib/discussions/issues/12, Rapunzel, and Alice +2023-03-05: This will get reworked heavily as we align across https://codeberg.org/forgejo-contrib/discussions/issues/12, Rapunzel, and Alice ## activitypub extensions for security.txt @@ -26,23 +16,6 @@ VEX, SBOM, CSAF security advisory information, repository events, etc. VEX documents should be aligned with the either the https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html or OpenVEX specs: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex. We can then communicate the IDs via ActivityPub like so. -- References - - RFC9116: https://securitytxt.org/ - - https://github.com/ietf-scitt/use-cases/issues/14 - - https://github.com/openvex/spec/issues/9 - - https://forum.forgefriends.org/t/about-the-friendly-forge-format-f3/681 - - > ForgeFed is an ActivityPub extension. ActivityPub is an actor-model based protocol for federation of web services and applications. - - https://mastodon.social/@ariadne@treehouse.systems/109784681116604896 - - > meanwhile at work, a thing i've been working on for the past few months has dropped: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex it's basically like ActivityStreams, but for security vulnerability data sharing. with a little bit of work, we can lift up to something more like ActivityPub for real-time collaboration, a blog is forthcoming about it. - - aka the Manifest Transport ADR - - Associated Alice tutorial: [Rolling Alice: Architecting Alice: Stream of Consiousness](https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0000_architecting_alice/0005_stream_of_consciousness.md) - - https://social.treehouse.systems/@ariadne/109808644259234008 - - We'll want to align with Ariadne's Rapunzel - - [Alice Engineering Comms: 2023-02-06 Engineering Logs](https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4883572) -- TODO - - [ ] OIDC to keypair to post replys (fulcio?) - - Or just the noterizing proxy - ## Summary When entities find security issues in source code, the correct channel to report security issues can be found if the repo has an RFC 9116 `security.txt` file with a `Contact` field. This contact field can be a URL which points to an ActivityPub Actor. @@ -104,25 +77,6 @@ activitypub_service: content: "alice.registry.example.org/vex_contents_are_openvex_from_scratch:sha256@babebabe" ``` ---- - -Scratch work upstream: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4819872 - -- Just FYI, have been playing with the idea of using security.txt contact as an AcivityPub Actor to advertise things such as delegate Actors for various purposes. For example, list via attachments actors which publish content addresses of an orgs SBOMs This would enable leveraging ActivityPub as a means for definition and broadcast for entities delegated to various roles. We could do the same for the 3rd parties to advertise what actors are within which roles, aka are authorized to say this thing is FIPs certified. We could then attach SCITT receipts to these: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4794771 - - The SCITT registry then becomes the quick lookup path (analogously database view) to verify this. This way end users don't have to traverse the full Knowledge Graph (Activity Pub in this case). Receipt we care about for verification would be is this `inReplyTo` DAG hop path valid, aka is `did:merkle` in SCITT. - - Can have a thread linked in attachments for manifests, can discover from there - - Can watch for replies and execute jobs based off listening for manifest instances `inReplyTo` to the manifest. - - Post content addresses of manifest existing in oras.land (a container "image" registry) - - `FROM scratch` - - [Alice Engineering Comms: 2023-01-19 @pdxjohnny Engineering Logs](https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4729296) - - https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/advance-readings/Enhancing_DID_Privacy_through_shared_Credentials.md - - https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/draft-documents/did-merkle.md -- Looks like we can have four attachments, we can make one link to a post as an attachment, then replies to that to build more trees of data -- https://policymaker.disclose.io/policymaker/introduction - ---- - - - ActivityPub extensions for security.txt - Can you put things in `@context`?, yes. Unsure if other servers will propagate events. - It this piggybacking within the content approach interoperable today, yes. @@ -947,6 +901,47 @@ POST /admin/create 204 - - 133.004 ms --- + +- Just FYI, have been playing with the idea of using security.txt contact as an AcivityPub Actor to advertise things such as delegate Actors for various purposes. For example, list via attachments actors which publish content addresses of an orgs SBOMs This would enable leveraging ActivityPub as a means for definition and broadcast for entities delegated to various roles. We could do the same for the 3rd parties to advertise what actors are within which roles, aka are authorized to say this thing is FIPs certified. We could then attach SCITT receipts to these: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4794771 + - The SCITT registry then becomes the quick lookup path (analogously database view) to verify this. This way end users don't have to traverse the full Knowledge Graph (Activity Pub in this case). Receipt we care about for verification would be is this `inReplyTo` DAG hop path valid, aka is `did:merkle` in SCITT. + - Can have a thread linked in attachments for manifests, can discover from there + - Can watch for replies and execute jobs based off listening for manifest instances `inReplyTo` to the manifest. + - Post content addresses of manifest existing in oras.land (a container "image" registry) + - `FROM scratch` + - [Alice Engineering Comms: 2023-01-19 @pdxjohnny Engineering Logs](https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4729296) + - https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/advance-readings/Enhancing_DID_Privacy_through_shared_Credentials.md + - https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/draft-documents/did-merkle.md +- Looks like we can have four attachments, we can make one link to a post as an attachment, then replies to that to build more trees of data +- https://policymaker.disclose.io/policymaker/introduction + +--- + +- References + - RFC9116: https://securitytxt.org/ + - https://github.com/ietf-scitt/use-cases/issues/14 + - https://github.com/openvex/spec/issues/9 + - https://forum.forgefriends.org/t/about-the-friendly-forge-format-f3/681 + - > ForgeFed is an ActivityPub extension. ActivityPub is an actor-model based protocol for federation of web services and applications. + - https://mastodon.social/@ariadne@treehouse.systems/109784681116604896 + - > meanwhile at work, a thing i've been working on for the past few months has dropped: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex it's basically like ActivityStreams, but for security vulnerability data sharing. with a little bit of work, we can lift up to something more like ActivityPub for real-time collaboration, a blog is forthcoming about it. + - aka the Manifest Transport ADR + - Associated Alice tutorial: [Rolling Alice: Architecting Alice: Stream of Consiousness](https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0000_architecting_alice/0005_stream_of_consciousness.md) + - https://social.treehouse.systems/@ariadne/109808644259234008 + - We'll want to align with Ariadne's Rapunzel + - [Alice Engineering Comms: 2023-02-06 Engineering Logs](https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4883572) +- TODO + - [ ] OIDC to keypair to post replys (fulcio?) + - Or just the noterizing proxy + +- [service: sw: src: change: notify: Service to facilitate poly repo pull model dev tooling: activitypubsecuritytxt](https://github.com/intel/dffml/issues/1315#issuecomment-1416392795) + - Reproduced below +- We seek interop with Aradine's Rapunzel +- The Agora: a Knowledge Commons + - https://docs.google.com/document/d/1DXJRDh9Ss5VCRBi3oirDw9d7yjn3H2hMqfN2ETTyjIc/edit# + - We seek interop with the Agora + +Scratch work upstream: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4819872 + - The Open Architecture (Alice) sits at the interesction of CI/CD, Security, and AI/ML. - We metion Alice here as a follow on who's development sees this use case as critical - Think cross between review system (SCITT as the proof, TDB on identity preknown at this point, OpenSSF members stream 8 vuln sharing CCF ledger) From 46ead8702ec61d9f6b829b788f5b91f9fb2433c4 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 16 Mar 2023 10:44:06 -0700 Subject: [PATCH 092/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 207a208..4a10cf0 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -6,7 +6,7 @@ Collection of metric data into shared (crowdsourcable) DB. There are many repos to search, we want to enable self reporting and granularity as applicable to ad-hoc formed policy as desired by end-user. -2023-03-05: This will get reworked heavily as we align across https://codeberg.org/forgejo-contrib/discussions/issues/12, Rapunzel, and Alice +2023-03-16: This will get reworked heavily as we align across https://codeberg.org/forgejo-contrib/discussions/issues/12, Rapunzel, and Alice ## activitypub extensions for security.txt From 5c2d0c258220306ff86b5f5982f2d877c63e8ff4 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 16 Mar 2023 10:45:20 -0700 Subject: [PATCH 093/120] Update openssf_metrics.md --- openssf_metrics.md | 84 ++++++++++++++++++++++++---------------------- 1 file changed, 43 insertions(+), 41 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 4a10cf0..522f582 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -183,47 +183,6 @@ graph TD - Otherwise we always read GitHub data from cypher queries over the reboardcast data - We can also have listeners which reboardcast the resolved contents of content address style broadcast data (the top level, so if this sees a container image uri broadcast, it would be pulling it down and maybe rebroadcasting the `results.yaml` or whatever is they transform needed to rebroadcast that data. - This is our onramp into the linked data space, eventually KERI for backing comms security -- https://linkeddatafragments.org/ -- http://query.linkeddatafragments.org/#query=&resultsToTree=false&queryFormat=graphql -- https://gist.github.com/rubensworks/9d6eccce996317677d71944ed1087ea6 -- https://github.com/comunica/jQuery-Widget.js/blob/master/config/config-default.json -- We need to turn the stream into something we can query using cypher or graphql-ld -- https://swordapp.github.io/swordv3/swordv3.html -- https://oras.land/blog/gatekeeper-policies-as-oci-image/ -- https://github.com/project-zot/zot -- Okay if we can make the KERI SCITT instance use the OCI upload/download spec and then align the telemetry and registry federation protocols - - Look into existing registry federation protocol if exists -- https://s3hh.wordpress.com/2022/10/27/oci-based-linux/ - - Similar goals to OS DecentrAlice -- https://github.com/project-machine/mos/releases/tag/0.0.7 -- https://github.com/opencontainers/distribution-spec/blob/main/spec.md#endpoints -- https://github.com/opencontainers/distribution-spec/issues/388 - - Have we thought about federation protocols / APIs? To enable registries to propagate uploaded content within a network of registries? Looking to come up to speed on any existing discussion if that's been touched on. Thank you! - - References - - https://github.com/opencontainers/distribution-spec/blob/main/spec.md#endpoints - - Looked here for relevant paths here but not seeing anything that looks like it's for notifications / inbox style eventing - - https://github.com/sapcc/keppel - - https://github.com/ietf-scitt/use-cases/issues/14 - - Hoping we can align to similar federation protocols across transparency services and container registries so event stream consumers can work with the same protocol for each (ActivityStreams/Pub?) -- https://conformance.opencontainers.org/ -- https://vsoch.github.io/django-oci/docs/getting-started/auth -- https://vsoch.github.io/django-oci/docs/getting-started/testing -- https://github.com/opencontainers/distribution-spec/issues/110#issuecomment-708691114 -- https://github.com/sapcc/keppel -- https://github.com/sapcc/keppel/blob/master/docs/api-spec.md#post-keppelv1authpeering - - Looks like they have their own spec for federation, maybe we can implement with ActivityPub? - - Maybe we can leverage the existing APIs similar to the /admin endpoint and just add in the activitypub endpoints for activitystreams / linked data notifications -- https://github.com/sapcc/keppel/blob/master/docs/example-policy.yaml -- We can take one manifest and make it into another one for execution via a different mechanism - - Similar to the CLI overlays - - https://github.com/intel/dffml/blob/c82f7ddd29a00d24217c50370907c281c4b5b54d/entities/alice/alice/please/contribute/recommended_community_standards/cli.py#L60-L72 - - This is also similar to how we can decouple TODO logging from content for `alice please log todos` - - Operation to generate TODO body - - Operation for logging the TODO (write to GitHub) - - Similar to a mutation of the propagated event into something context local relevant - - Yes this vuln affects due to instance policy relevant threat model overlays or not -- https://github.com/opencontainers/image-spec/blob/main/artifact.md -- Manifest for CLI command **schema/alice/shouldi/contribute/github-com-omnilib-aiosqlite.json** @@ -942,6 +901,49 @@ POST /admin/create 204 - - 133.004 ms Scratch work upstream: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4819872 + +- https://linkeddatafragments.org/ +- http://query.linkeddatafragments.org/#query=&resultsToTree=false&queryFormat=graphql +- https://gist.github.com/rubensworks/9d6eccce996317677d71944ed1087ea6 +- https://github.com/comunica/jQuery-Widget.js/blob/master/config/config-default.json +- We need to turn the stream into something we can query using cypher or graphql-ld +- https://swordapp.github.io/swordv3/swordv3.html +- https://oras.land/blog/gatekeeper-policies-as-oci-image/ +- https://github.com/project-zot/zot +- Okay if we can make the KERI SCITT instance use the OCI upload/download spec and then align the telemetry and registry federation protocols + - Look into existing registry federation protocol if exists +- https://s3hh.wordpress.com/2022/10/27/oci-based-linux/ + - Similar goals to OS DecentrAlice +- https://github.com/project-machine/mos/releases/tag/0.0.7 +- https://github.com/opencontainers/distribution-spec/blob/main/spec.md#endpoints +- https://github.com/opencontainers/distribution-spec/issues/388 + - Have we thought about federation protocols / APIs? To enable registries to propagate uploaded content within a network of registries? Looking to come up to speed on any existing discussion if that's been touched on. Thank you! + - References + - https://github.com/opencontainers/distribution-spec/blob/main/spec.md#endpoints + - Looked here for relevant paths here but not seeing anything that looks like it's for notifications / inbox style eventing + - https://github.com/sapcc/keppel + - https://github.com/ietf-scitt/use-cases/issues/14 + - Hoping we can align to similar federation protocols across transparency services and container registries so event stream consumers can work with the same protocol for each (ActivityStreams/Pub?) +- https://conformance.opencontainers.org/ +- https://vsoch.github.io/django-oci/docs/getting-started/auth +- https://vsoch.github.io/django-oci/docs/getting-started/testing +- https://github.com/opencontainers/distribution-spec/issues/110#issuecomment-708691114 +- https://github.com/sapcc/keppel +- https://github.com/sapcc/keppel/blob/master/docs/api-spec.md#post-keppelv1authpeering + - Looks like they have their own spec for federation, maybe we can implement with ActivityPub? + - Maybe we can leverage the existing APIs similar to the /admin endpoint and just add in the activitypub endpoints for activitystreams / linked data notifications +- https://github.com/sapcc/keppel/blob/master/docs/example-policy.yaml +- We can take one manifest and make it into another one for execution via a different mechanism + - Similar to the CLI overlays + - https://github.com/intel/dffml/blob/c82f7ddd29a00d24217c50370907c281c4b5b54d/entities/alice/alice/please/contribute/recommended_community_standards/cli.py#L60-L72 + - This is also similar to how we can decouple TODO logging from content for `alice please log todos` + - Operation to generate TODO body + - Operation for logging the TODO (write to GitHub) + - Similar to a mutation of the propagated event into something context local relevant + - Yes this vuln affects due to instance policy relevant threat model overlays or not +- https://github.com/opencontainers/image-spec/blob/main/artifact.md +- Manifest for CLI command + - The Open Architecture (Alice) sits at the interesction of CI/CD, Security, and AI/ML. - We metion Alice here as a follow on who's development sees this use case as critical - Think cross between review system (SCITT as the proof, TDB on identity preknown at this point, OpenSSF members stream 8 vuln sharing CCF ledger) From 6cfdf3f788e71e41a3b5db31e562e268786be603 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 16 Mar 2023 10:46:20 -0700 Subject: [PATCH 094/120] Update openssf_metrics.md --- openssf_metrics.md | 64 +++++++++++++++++++++++----------------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 522f582..d9ed7be 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -144,38 +144,6 @@ graph TD end ``` - - Wait we're supposed to be doing KCP almost forgot -- Run some live ones in https://github.com/cloudfoundry/korifi via `dffml-service-http` - - Demo similar job URL hash as registry tag based addressing of results within registry - - Enable sending of AcivityPub events directly (later) or indirectly via proxy nodes (first, activitypub starter kit. -- https://ci.spdk.io/results/autotest-nightly/builds/1935/archive/crypto-autotest/build.log - -```yaml -- completed_at: '2023-03-03T04:30:59Z' - conclusion: success - created_at: '2023-03-03T03:58:07Z' - head_sha: 4241b49975cf364b540fc0ad961cde58e2c89623 - html_url: https://ci.spdk.io.deployed.at.example.com/public_build/autotest-spdk-master-vs-dpdk-main_1754.html - id: 1754 - labels: - - list - - of - - overlays - - on - - dffml.overlays.alice.shouldi.contribute - name: alice.shouldi.contribute - status: completed - steps: - - completed_at: '2023-03-03T04:26:42.000Z' - conclusion: success - name: Run scan - number: 1 - started_at: '2023-03-03T04:26:40.000Z' - status: completed - url: https://vcs.activitypub.securitytxt.dffml.chadig.com/push/posts/40aeeda3-6042-42ed-8e32-99eff9bd8ef4 - workflow_name: Alice Should I Contribute? -``` - - So no matter where you're executing, all the reporting and eventing is the same, because we are loosely coupled. - We can do `fromjson` in jq or we can do more advanced xargs chaining on the websocket for ad-hox dev work - We can shot from the activitypub inbox receiver to a message queue for integration with existing celery @@ -902,6 +870,38 @@ POST /admin/create 204 - - 133.004 ms Scratch work upstream: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4819872 + - Wait we're supposed to be doing KCP almost forgot +- Run some live ones in https://github.com/cloudfoundry/korifi via `dffml-service-http` + - Demo similar job URL hash as registry tag based addressing of results within registry + - Enable sending of AcivityPub events directly (later) or indirectly via proxy nodes (first, activitypub starter kit. +- https://ci.spdk.io/results/autotest-nightly/builds/1935/archive/crypto-autotest/build.log + +```yaml +- completed_at: '2023-03-03T04:30:59Z' + conclusion: success + created_at: '2023-03-03T03:58:07Z' + head_sha: 4241b49975cf364b540fc0ad961cde58e2c89623 + html_url: https://ci.spdk.io.deployed.at.example.com/public_build/autotest-spdk-master-vs-dpdk-main_1754.html + id: 1754 + labels: + - list + - of + - overlays + - on + - dffml.overlays.alice.shouldi.contribute + name: alice.shouldi.contribute + status: completed + steps: + - completed_at: '2023-03-03T04:26:42.000Z' + conclusion: success + name: Run scan + number: 1 + started_at: '2023-03-03T04:26:40.000Z' + status: completed + url: https://vcs.activitypub.securitytxt.dffml.chadig.com/push/posts/40aeeda3-6042-42ed-8e32-99eff9bd8ef4 + workflow_name: Alice Should I Contribute? +``` + - https://linkeddatafragments.org/ - http://query.linkeddatafragments.org/#query=&resultsToTree=false&queryFormat=graphql - https://gist.github.com/rubensworks/9d6eccce996317677d71944ed1087ea6 From c298182ccfb7e39782323a2ea70ab46a647bcf54 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 16 Mar 2023 10:48:34 -0700 Subject: [PATCH 095/120] Update openssf_metrics.md --- openssf_metrics.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index d9ed7be..3710a49 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -182,7 +182,6 @@ graph TD } ``` -- https://codeberg.org/fediverse/fep - Open Source scanning flow - Upload manifest to registry - Federation event (send to follower /inbox) @@ -859,18 +858,15 @@ POST /admin/create 204 - - 133.004 ms - TODO - [ ] OIDC to keypair to post replys (fulcio?) - Or just the noterizing proxy - +- https://codeberg.org/fediverse/fep - [service: sw: src: change: notify: Service to facilitate poly repo pull model dev tooling: activitypubsecuritytxt](https://github.com/intel/dffml/issues/1315#issuecomment-1416392795) - Reproduced below - We seek interop with Aradine's Rapunzel - The Agora: a Knowledge Commons - https://docs.google.com/document/d/1DXJRDh9Ss5VCRBi3oirDw9d7yjn3H2hMqfN2ETTyjIc/edit# - We seek interop with the Agora - -Scratch work upstream: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4819872 - - - - Wait we're supposed to be doing KCP almost forgot +- Scratch work upstream: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4819872 +- Don't forget about KCP - Run some live ones in https://github.com/cloudfoundry/korifi via `dffml-service-http` - Demo similar job URL hash as registry tag based addressing of results within registry - Enable sending of AcivityPub events directly (later) or indirectly via proxy nodes (first, activitypub starter kit. From 8ab06ebf523c4cef766bddac2931eaba721d9ecd Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 16 Mar 2023 10:49:35 -0700 Subject: [PATCH 096/120] Update openssf_metrics.md --- openssf_metrics.md | 1 - 1 file changed, 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 3710a49..abb72e1 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -939,7 +939,6 @@ POST /admin/create 204 - - 133.004 ms - Yes this vuln affects due to instance policy relevant threat model overlays or not - https://github.com/opencontainers/image-spec/blob/main/artifact.md - Manifest for CLI command - - The Open Architecture (Alice) sits at the interesction of CI/CD, Security, and AI/ML. - We metion Alice here as a follow on who's development sees this use case as critical - Think cross between review system (SCITT as the proof, TDB on identity preknown at this point, OpenSSF members stream 8 vuln sharing CCF ledger) From 748597b37401bd59512bfedc80158b109eadda9b Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 23 Mar 2023 16:11:20 -0700 Subject: [PATCH 097/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index abb72e1..d20f621 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -183,6 +183,7 @@ graph TD ``` - Open Source scanning flow + - https://github.com/ossf/s2c2f/blob/main/specification/framework.md#appendix-relation-to-scitt - Upload manifest to registry - Federation event (send to follower /inbox) - content: `https://github.com/opencontainers/image-spec/raw/v1.0.1/schema/image-manifest-schema.json` From 2ca5ba7f8013185aebbbd266a6ecd6b3209e4062 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Sat, 1 Apr 2023 11:29:41 -0700 Subject: [PATCH 098/120] Update openssf_metrics.md --- openssf_metrics.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index d20f621..3d5caf0 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1,10 +1,21 @@ -# OpenSSF Metrics +# OUse Case: Attestations of alignment to S2C2F and org specific overlays > Pull Request Review (WIP): https://github.com/ietf-scitt/use-cases/pull/18 -Collection of metric data into shared (crowdsourcable) DB. There are many repos -to search, we want to enable self reporting and granularity as applicable to -ad-hoc formed policy as desired by end-user. +Collection of metric data into shared database (crowdsourcable OpenSSF Metrics). +There are many repos to search, we want to enable self reporting and granularity +as applicable to ad-hoc formed policy as desired by end-user. + +- Related: https://github.com/ossf/s2c2f/blob/main/specification/framework.md#appendix-relation-to-scitt +- This use case will be mostly focused on the policy / gatekeeper component and federation components of [SCITT](https://datatracker.ietf.org/doc/draft-ietf-scitt-architecture/). + - 5.2.2: Registration Policies + - 7: Federation +- This use case is a specialization of (cross between) the following use cases from the [Detailed Software Supply Chain Uses Cases for SCITT](https://datatracker.ietf.org/doc/draft-ietf-scitt-software-use-cases/) doc. + - 3.3: Security Analysis of a Software Product + - We'll cover OpenSSF Scorecard and other analysis mechanisms including meta static analysis / aggregation (example: GUAC). + - 3.4: Promotion of a Software Component by multiple entities + - We'll cover how these entities can leverage analysis mechanisms to achieve feature and bugfix equilibrium across the diverged environment. + - Future use cases could explore semantic patching to patch across functionally similar 2023-03-16: This will get reworked heavily as we align across https://codeberg.org/forgejo-contrib/discussions/issues/12, Rapunzel, and Alice From fd2cdc6d72c41fe86332ad2f256136b3081967ec Mon Sep 17 00:00:00 2001 From: John Andersen Date: Sat, 1 Apr 2023 11:29:58 -0700 Subject: [PATCH 099/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 3d5caf0..2386fa4 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1,4 +1,4 @@ -# OUse Case: Attestations of alignment to S2C2F and org specific overlays +# Use Case: Attestations of alignment to S2C2F and org specific overlays > Pull Request Review (WIP): https://github.com/ietf-scitt/use-cases/pull/18 From 65a421f1fcc3437523ea9507e325ac20039d9d86 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Sat, 1 Apr 2023 11:30:24 -0700 Subject: [PATCH 100/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 2386fa4..ad61c9e 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1,4 +1,4 @@ -# Use Case: Attestations of alignment to S2C2F and org specific overlays +# Use Case: Attestations of alignment to S2C2F and org Overlays > Pull Request Review (WIP): https://github.com/ietf-scitt/use-cases/pull/18 From a599f42fac821afbc4c7bae98134b4977c2e4e64 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 3 Apr 2023 12:53:25 -0700 Subject: [PATCH 101/120] Update openssf_metrics.md --- openssf_metrics.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index ad61c9e..3da44e7 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -16,11 +16,21 @@ as applicable to ad-hoc formed policy as desired by end-user. - 3.4: Promotion of a Software Component by multiple entities - We'll cover how these entities can leverage analysis mechanisms to achieve feature and bugfix equilibrium across the diverged environment. - Future use cases could explore semantic patching to patch across functionally similar +- Alice submits a claim for signature by notary + - Notary checks for receipts from needed sign offs + - In this example the SCITT instance the notary inserting into it have the same insert/sign policies (system context, dataflow, open architecture document, living threat model) + - Alice thinks: I'd like to do this sign op and insert into this SCITT + - She auths to SCITT via OIDC, she proves she had a valid token because she's issued a receipt. The whole process is wrapped up inside an enclave which runs within a parallel job. The enclave is then dumped at the end of the job so that it can be joined to an other transparency services. This enables decentralized hermetic builds. + - The notary is what's verifying the OIDC token. + - We can runs-on an SGX machine to do that. + - Using confidential compute and attribute based trust we can authenticate to a usage policy, this is the contract negotiation. + - Activity Pub Actors for signoff, send to inbox requesting signoff (issue ops), they say okay I'll add this exception sign off for this use case /system context to SCITT + - Then policy violating system context collects all needed exception receipts, listens for their entry via listening to the SCITT ActivityPub stream, and then re-issues request for admissions along with exception receipts using overlay section of serialized system context object + +## ActivityPub extensions for security.md/txt contact URIs 2023-03-16: This will get reworked heavily as we align across https://codeberg.org/forgejo-contrib/discussions/issues/12, Rapunzel, and Alice -## activitypub extensions for security.txt - A methodology allowing organizations to nominate security contact points and policies via ActivityPub Actors. This allows for notifications to be federated of new lifecycle events. These lifecycle events might be VEX, SBOM, CSAF security advisory information, repository events, etc. From 8d231f700566c97425d36ddf5e4cfe0e22380e0b Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 3 Apr 2023 12:56:02 -0700 Subject: [PATCH 102/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 3da44e7..1255b15 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -20,7 +20,7 @@ as applicable to ad-hoc formed policy as desired by end-user. - Notary checks for receipts from needed sign offs - In this example the SCITT instance the notary inserting into it have the same insert/sign policies (system context, dataflow, open architecture document, living threat model) - Alice thinks: I'd like to do this sign op and insert into this SCITT - - She auths to SCITT via OIDC, she proves she had a valid token because she's issued a receipt. The whole process is wrapped up inside an enclave which runs within a parallel job. The enclave is then dumped at the end of the job so that it can be joined to an other transparency services. This enables decentralized hermetic builds. + - She auths to SCITT via OIDC, she proves she had a valid token because she's issued a receipt. The whole process is wrapped up inside an enclave which runs within a parallel job. The enclave is then dumped at the end of the job so that it can be joined to an other transparency services. This enables decentralized hermetic builds via federation of transparency services (by grafting them into org sepcific registires ad-hoc via CD eventing of forge federation). - The notary is what's verifying the OIDC token. - We can runs-on an SGX machine to do that. - Using confidential compute and attribute based trust we can authenticate to a usage policy, this is the contract negotiation. From e2924aa773f72f25d62767faed32bd19a65c4c8a Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 3 Apr 2023 12:58:05 -0700 Subject: [PATCH 103/120] Update openssf_metrics.md --- openssf_metrics.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 1255b15..7e42040 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -23,7 +23,8 @@ as applicable to ad-hoc formed policy as desired by end-user. - She auths to SCITT via OIDC, she proves she had a valid token because she's issued a receipt. The whole process is wrapped up inside an enclave which runs within a parallel job. The enclave is then dumped at the end of the job so that it can be joined to an other transparency services. This enables decentralized hermetic builds via federation of transparency services (by grafting them into org sepcific registires ad-hoc via CD eventing of forge federation). - The notary is what's verifying the OIDC token. - We can runs-on an SGX machine to do that. - - Using confidential compute and attribute based trust we can authenticate to a usage policy, this is the contract negotiation. + - Using confidential compute and attribute based trust we can authenticate to a usage policy, this is the place for on/off chain contract negotiation. + - Off chain would be whenever we have to enter a hermetic enviornment (IPVM). - Activity Pub Actors for signoff, send to inbox requesting signoff (issue ops), they say okay I'll add this exception sign off for this use case /system context to SCITT - Then policy violating system context collects all needed exception receipts, listens for their entry via listening to the SCITT ActivityPub stream, and then re-issues request for admissions along with exception receipts using overlay section of serialized system context object From 73b02979a5a8b0b3d637dfacd68d205a9770b5ec Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 3 Apr 2023 13:08:56 -0700 Subject: [PATCH 104/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 7e42040..246eeb1 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -20,7 +20,7 @@ as applicable to ad-hoc formed policy as desired by end-user. - Notary checks for receipts from needed sign offs - In this example the SCITT instance the notary inserting into it have the same insert/sign policies (system context, dataflow, open architecture document, living threat model) - Alice thinks: I'd like to do this sign op and insert into this SCITT - - She auths to SCITT via OIDC, she proves she had a valid token because she's issued a receipt. The whole process is wrapped up inside an enclave which runs within a parallel job. The enclave is then dumped at the end of the job so that it can be joined to an other transparency services. This enables decentralized hermetic builds via federation of transparency services (by grafting them into org sepcific registires ad-hoc via CD eventing of forge federation). + - She auths to job in TEE (SGX in this example) local SCITT via OIDC, she inserts a claim that she had a valid OIDC token and the job_workflow_sha + repositoryUri + repository_id. The whole process is wrapped up inside an enclave which runs within a parallel job which a redis service container helps us communicate with. The enclave is then dumped at the end of the job so that it can be joined to an other transparency services. This enables decentralized hermetic builds via federation of transparency services (by grafting them into org sepcific registires ad-hoc via CD eventing of forge federation). - The notary is what's verifying the OIDC token. - We can runs-on an SGX machine to do that. - Using confidential compute and attribute based trust we can authenticate to a usage policy, this is the place for on/off chain contract negotiation. From 86b4363af926847834ec06d26fd0663fcf5dd17a Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 3 Apr 2023 13:12:38 -0700 Subject: [PATCH 105/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 246eeb1..3cbf372 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -19,7 +19,7 @@ as applicable to ad-hoc formed policy as desired by end-user. - Alice submits a claim for signature by notary - Notary checks for receipts from needed sign offs - In this example the SCITT instance the notary inserting into it have the same insert/sign policies (system context, dataflow, open architecture document, living threat model) - - Alice thinks: I'd like to do this sign op and insert into this SCITT + - Alice has two jobs, one which bulds a Python package, and other which runs SCITT in a TEE - She auths to job in TEE (SGX in this example) local SCITT via OIDC, she inserts a claim that she had a valid OIDC token and the job_workflow_sha + repositoryUri + repository_id. The whole process is wrapped up inside an enclave which runs within a parallel job which a redis service container helps us communicate with. The enclave is then dumped at the end of the job so that it can be joined to an other transparency services. This enables decentralized hermetic builds via federation of transparency services (by grafting them into org sepcific registires ad-hoc via CD eventing of forge federation). - The notary is what's verifying the OIDC token. - We can runs-on an SGX machine to do that. From 1392e16fde9ad6b4cd4f86e22d2076f38da26845 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 3 Apr 2023 13:14:03 -0700 Subject: [PATCH 106/120] Update openssf_metrics.md --- openssf_metrics.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 3cbf372..87d54bd 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -19,8 +19,8 @@ as applicable to ad-hoc formed policy as desired by end-user. - Alice submits a claim for signature by notary - Notary checks for receipts from needed sign offs - In this example the SCITT instance the notary inserting into it have the same insert/sign policies (system context, dataflow, open architecture document, living threat model) - - Alice has two jobs, one which bulds a Python package, and other which runs SCITT in a TEE - - She auths to job in TEE (SGX in this example) local SCITT via OIDC, she inserts a claim that she had a valid OIDC token and the job_workflow_sha + repositoryUri + repository_id. The whole process is wrapped up inside an enclave which runs within a parallel job which a redis service container helps us communicate with. The enclave is then dumped at the end of the job so that it can be joined to an other transparency services. This enables decentralized hermetic builds via federation of transparency services (by grafting them into org sepcific registires ad-hoc via CD eventing of forge federation). + - Alice has two jobs, one which bulds a Python package, and other which runs SCITT in a TEE (perhaps with a redis service container to ease comms) + - She auths to job in TEE (SGX in this example) local SCITT via OIDC, the SCITT notary and ledger are unified in this example and a claim is inserted that she had a valid OIDC token for job_workflow_sha + repositoryUri + repository_id + job.. The enclave is then dumped at the end of the job so that it can be joined to an other transparency services. This enables decentralized hermetic builds via federation of transparency services (by grafting them into org sepcific registires ad-hoc via CD eventing of forge federation). - The notary is what's verifying the OIDC token. - We can runs-on an SGX machine to do that. - Using confidential compute and attribute based trust we can authenticate to a usage policy, this is the place for on/off chain contract negotiation. From 3f10017af4cebb7d07e541c299ef277d43fb9c0d Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 3 Apr 2023 14:12:40 -0700 Subject: [PATCH 107/120] Update openssf_metrics.md --- openssf_metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 87d54bd..5d4fdf7 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -16,7 +16,7 @@ as applicable to ad-hoc formed policy as desired by end-user. - 3.4: Promotion of a Software Component by multiple entities - We'll cover how these entities can leverage analysis mechanisms to achieve feature and bugfix equilibrium across the diverged environment. - Future use cases could explore semantic patching to patch across functionally similar -- Alice submits a claim for signature by notary +- Alice builds a python Package - Notary checks for receipts from needed sign offs - In this example the SCITT instance the notary inserting into it have the same insert/sign policies (system context, dataflow, open architecture document, living threat model) - Alice has two jobs, one which bulds a Python package, and other which runs SCITT in a TEE (perhaps with a redis service container to ease comms) From c9016c508c3844b409f8a70190ff6d26fdae4a3a Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 6 Apr 2023 06:43:36 -0700 Subject: [PATCH 108/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 5d4fdf7..9eb56af 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1169,6 +1169,7 @@ confidential compute or traditional permissions is impelmenetation details. - Most of the time what's permitted is context dependent, overlays - Time is context local, Earth is *current* most likely context, we have to ensure we factor in changes to this via abstraction of "when", ref lunar comms, beyond - Vol 6: Where are your NTP gods now? + - https://bigthink.com/hard-science/time-perception/ - Physics, also context local, gravity differs on different parts of Earth, and elsewhere. Make no assumptions, always policy as code, always recursive. Always show my why I should believe this message, message as the entity, not the messanger (instance federating from), focus on the truth in the message when propagating, not who propagates, critical thinking, threat modeling, deployment contexts - Fork and exec over ActivityPub over DWN CLI - https://github.com/soda480/wait-for-message-action From 57cdce96251b7d91decc581df06b09b44c08bcec Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 6 Apr 2023 09:58:02 -0700 Subject: [PATCH 109/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 9eb56af..ad5dc8f 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1170,6 +1170,7 @@ confidential compute or traditional permissions is impelmenetation details. - Time is context local, Earth is *current* most likely context, we have to ensure we factor in changes to this via abstraction of "when", ref lunar comms, beyond - Vol 6: Where are your NTP gods now? - https://bigthink.com/hard-science/time-perception/ + - > The idea of 'absolute time' is an illusion. Physics and subjective experience reveal why. - Physics, also context local, gravity differs on different parts of Earth, and elsewhere. Make no assumptions, always policy as code, always recursive. Always show my why I should believe this message, message as the entity, not the messanger (instance federating from), focus on the truth in the message when propagating, not who propagates, critical thinking, threat modeling, deployment contexts - Fork and exec over ActivityPub over DWN CLI - https://github.com/soda480/wait-for-message-action From a832905e3c428fd54b1c08d4851801383eac91a6 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Thu, 6 Apr 2023 09:59:05 -0700 Subject: [PATCH 110/120] Update openssf_metrics.md --- openssf_metrics.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index ad5dc8f..c9f1673 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1167,8 +1167,9 @@ confidential compute or traditional permissions is impelmenetation details. - The truth will set you free. Equilibrium of record propagation. - Everything is true, everything is permitted (insert policy*) - Most of the time what's permitted is context dependent, overlays - - Time is context local, Earth is *current* most likely context, we have to ensure we factor in changes to this via abstraction of "when", ref lunar comms, beyond + - Time is context local, Earth is *current* most likely context, we have to ensure we factor in changes to this via abstraction of "when", ref lunar comms (LCRNS), beyond - Vol 6: Where are your NTP gods now? + - https://esc.gsfc.nasa.gov/projects/LCRNS - https://bigthink.com/hard-science/time-perception/ - > The idea of 'absolute time' is an illusion. Physics and subjective experience reveal why. - Physics, also context local, gravity differs on different parts of Earth, and elsewhere. Make no assumptions, always policy as code, always recursive. Always show my why I should believe this message, message as the entity, not the messanger (instance federating from), focus on the truth in the message when propagating, not who propagates, critical thinking, threat modeling, deployment contexts From 0ae2654f1fc543d8789812bb54514557704351d2 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 10 May 2023 08:06:15 -0600 Subject: [PATCH 111/120] Update openssf_metrics.md --- openssf_metrics.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index c9f1673..a67e111 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -108,6 +108,44 @@ activitypub_service: - It's the triage process - https://github.com/intel/cve-bin-tool/issues/2639 - Take upstream policy (attached to incoming via `inReplyTo` and or `replies`, you'd have to decide if you want to dereference these, perhaps based on reputaion of propagator to reduce attack impact) + +```mermaid +graph LR +subgraph home +h_prt[pull request target PRT flow] +subgraph home_tee +h_ts[transparency service] +end +h_guac[GUAC neo4j] +h_manifest[PEP 440 Manifest Change] +h_eval[Dependency Evaluation flow] + +h_manifest ->|pull request submited triggers| h_prt +h_prt ->|source TCB protection ring admission control query
sync poll or waitformessage ActivityPub async| h_guac +h_guac ->|emit data for query not in graph| h_eval +h_eval ->|metric collection data
shouldi
home and new faraway| h_ts +h_ts ->|ActivityPub emit data added to graph
trigger ingest| h_guac + +end + +subgraph faraway +f_prt[pull request target PRT flow] +subgraph home_tee +f_ts[transparency service] +end +f_guac[GUAC neo4j] +f_manifest[PEP 440 Manifest Change] +f_eval[Dependency Evaluation flow] + +f_manifest ->|pull request submited triggers| f_prt +f_prt ->|source TCB protection ring admission control query
sync poll or waitformessage ActivityPub async| f_guac + +end + +h_prt ->|admission control allowed dep change
create pull request to trigger downstream valdation
waitformessage and status check api
for downstream aka faraway results| f_manifest +f_guac ->|federate evaluated claims| h_ts +``` + - A container image was created (`FROM` rebuild chain) - Bob's forge tells Alice's forge, here's the content address uri for the manifest just pushed - Alice looks at the manifest, runs through all the packages she's maintaining in her forge From d45fa9508c1a82fd59e228a0397e330d2a1e1f8f Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 10 May 2023 08:51:16 -0600 Subject: [PATCH 112/120] Update openssf_metrics.md --- openssf_metrics.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index a67e111..4c4b51a 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -110,7 +110,7 @@ activitypub_service: - Take upstream policy (attached to incoming via `inReplyTo` and or `replies`, you'd have to decide if you want to dereference these, perhaps based on reputaion of propagator to reduce attack impact) ```mermaid -graph LR +graph TD subgraph home h_prt[pull request target PRT flow] subgraph home_tee @@ -120,30 +120,30 @@ h_guac[GUAC neo4j] h_manifest[PEP 440 Manifest Change] h_eval[Dependency Evaluation flow] -h_manifest ->|pull request submited triggers| h_prt -h_prt ->|source TCB protection ring admission control query
sync poll or waitformessage ActivityPub async| h_guac -h_guac ->|emit data for query not in graph| h_eval -h_eval ->|metric collection data
shouldi
home and new faraway| h_ts -h_ts ->|ActivityPub emit data added to graph
trigger ingest| h_guac +h_manifest -->|pull request submited triggers| h_prt +h_prt -->|source TCB protection ring admission control query
sync poll or waitformessage ActivityPub async| h_guac +h_guac -->|emit data for query not in graph| h_eval +h_eval -->|metric collection data
shouldi
home and new faraway| h_ts +h_ts -->|ActivityPub emit data added to graph
trigger ingest| h_guac end subgraph faraway f_prt[pull request target PRT flow] -subgraph home_tee +subgraph faraway_tee f_ts[transparency service] end f_guac[GUAC neo4j] -f_manifest[PEP 440 Manifest Change] -f_eval[Dependency Evaluation flow] +f_manifest[PEP 440 Manifest Changed] -f_manifest ->|pull request submited triggers| f_prt -f_prt ->|source TCB protection ring admission control query
sync poll or waitformessage ActivityPub async| f_guac +f_manifest -->|pull request submited triggers| f_prt +f_prt -->|source TCB protection ring admission control query
sync poll or waitformessage ActivityPub async| f_guac end -h_prt ->|admission control allowed dep change
create pull request to trigger downstream valdation
waitformessage and status check api
for downstream aka faraway results| f_manifest -f_guac ->|federate evaluated claims| h_ts +h_prt -->|admission control allowed dep change
create pull request to trigger downstream valdation
waitformessage and status check api
for downstream aka faraway results| f_manifest +f_guac -->|emit data for query not in graph| f_ts +h_ts -->|federate evaluated claims| f_ts ``` - A container image was created (`FROM` rebuild chain) From 591bb2b1db231b3463673555b6089c2284ca2131 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 10 May 2023 08:53:22 -0600 Subject: [PATCH 113/120] Update openssf_metrics.md --- openssf_metrics.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 4c4b51a..5804a7b 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -138,6 +138,7 @@ f_manifest[PEP 440 Manifest Changed] f_manifest -->|pull request submited triggers| f_prt f_prt -->|source TCB protection ring admission control query
sync poll or waitformessage ActivityPub async| f_guac +f_ts -->|ActivityPub emit data added to graph
trigger ingest| f_guac end From 8c8762a9b4f034b30688f33c0d23bf842873fee8 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 10 May 2023 11:23:32 -0600 Subject: [PATCH 114/120] Update openssf_metrics.md --- openssf_metrics.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index 5804a7b..74e21f5 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -207,11 +207,12 @@ graph TD - So no matter where you're executing, all the reporting and eventing is the same, because we are loosely coupled. - We can do `fromjson` in jq or we can do more advanced xargs chaining on the websocket for ad-hox dev work - - We can shot from the activitypub inbox receiver to a message queue for integration with existing celery + - We can shoot from the activitypub inbox receiver to a message queue for integration with existing celery - This way we sidestep all rate limiting except for when we have to preform write events to GitHub - Otherwise we always read GitHub data from cypher queries over the reboardcast data - We can also have listeners which reboardcast the resolved contents of content address style broadcast data (the top level, so if this sees a container image uri broadcast, it would be pulling it down and maybe rebroadcasting the `results.yaml` or whatever is they transform needed to rebroadcast that data. - This is our onramp into the linked data space, eventually KERI for backing comms security +- We'll implement an InputNetwork fro DFFML so that every fucntion/operation automaticlly gets added into the noe/GUAC graph on execution (triggering eventing via SBOM of query). **schema/alice/shouldi/contribute/github-com-omnilib-aiosqlite.json** @@ -317,7 +318,7 @@ graph LR alice_scitt[alice.scitt.example.org] end - subgraph factory[Secure Software Factories] + subgraph factory[Secure Software Factories aka Federated Forge] subgraph build_images_contianers[build_images_contianers.yml] end From b4999eb2c7bcbf8d27c5fe86be8965e89379439a Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 15 May 2023 11:44:54 -0700 Subject: [PATCH 115/120] Add example of publishing/federating new receipt into policy stream This is how we can track and Open Architecture (aka Alice) upstream Related: https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0000_architecting_alice/0007_an_image.md Related: https://github.com/scitt-community/scitt-api-emulator/pull/27 Related: https://github.com/ietf-wg-scitt/draft-ietf-scitt-architecture/issues/62 --- openssf_metrics.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 74e21f5..a9b5a49 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -92,6 +92,19 @@ activitypub_service: - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/4" inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3" content: "bob.registry.example.org/src_repo_name_contents_are_webhook_translated_to_vcs_push_manifest:sha256@babebabe" + - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/5" + inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2" + content: "did:web:registry.example.com:policy-as-code:blocklist%40sha256%3Aaaaaaaaa" + replies: + - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/5/replies" + type: "Collection" + first: + type: "CollectionPage" + items: + - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/6" + - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/6" + inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/5" + content: "did:web:registry.example.com:receipts:not_on_blocklist%40sha256%3Aaaaaaaaa" alice: statuses: - id: "https://activitypub.securitytxt.activitypub.example.org/users/alice/statuses/1" From 6d291b581ecf4dca5294d1924deb70d5f47bdeee Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 26 May 2023 10:49:56 -0700 Subject: [PATCH 116/120] Remove looks of activitypubstarterkit debug spin up tutorial style details --- openssf_metrics.md | 199 --------------------------------------------- 1 file changed, 199 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index a9b5a49..f2f87e3 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -731,179 +731,8 @@ graph BT end ``` -- https://github.com/opencontainers/image-spec/blob/main/manifest.md - - Image command sequence to in-toto - - Attestation as build arg - - Still eventually [#1426](https://github.com/intel/dffml/issues/1426) -- https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#accessing-and-using-event-properties - - Example of bots managing pinning -- Mirror of CI/CD can be executed with same manifest instance pattern for increased performance - -```console -$ curl -fL https://vcs.activitypub.securitytxt.dffml.chadig.com/push/outbox/ > outbox@push@vcs.activitypub.securitytxt.dffml.chadig.com -$ jq .orderedItems[].id < outbox\@push\@vcs.activitypub.securitytxt.dffml.chadig.com | wc -l -3931 -$ jq -r '.orderedItems[] | [{(.id): (.object.content)}] | .[] | add' < outbox\@push\@vcs.activitypub.securitytxt.dffml.chadig.com | jq -R --unbuffered '. as $line | try (fromjson | .) catch $line' -$ jq -r '.orderedItems[] | [{(.id): (.object.content)}] | .[] | add' < outbox\@push\@vcs.activitypub.securitytxt.dffml.chadig.com | jq -R --unbuffered '. as $line | try (fromjson | .workflow_job) catch $line' -$ jq -r '.orderedItems[] | [{(.id): (.object.content)}] | .[] | add' < outbox\@push\@vcs.activitypub.securitytxt.dffml.chadig.com | jq -c -R --unbuffered '. as $line | try (fromjson | .workflow_job) catch $line' | jq -s | python3 -c "import sys, pathlib, json, yaml; print(yaml.dump(json.load(sys.stdin)))" -``` - --- -- Downstream - -```console -$ curl -ku alice:$(cat ../password) -X POST -v http://localhost:8000/admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https -* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1' -* Trying 127.0.0.1:8000... -* TCP_NODELAY set -* Connected to localhost (127.0.0.1) port 8000 (#0) -* Server auth using Basic with user 'alice' -> POST /admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https HTTP/1.1 -> Host: localhost:8000 -> Authorization: Basic YWxpY2U6ODkyZTI1Y2MwMTMzYTcwYTEzMzRlYTIyNmQ2NDNkNTNhMDRjYzc5MDIwOWM0MzY1ZTUwMzA2Mjc3MGVmZTdmOWVlM2M3MDI4OWNlODdiYzJmZThiYzE2NGNlNTQxYTYx -> User-Agent: curl/7.68.0 -> Accept: */* -> -* Mark bundle as not supporting multiuse -< HTTP/1.1 204 No Content -< X-Powered-By: Express -< ETag: W/"a-bAsFyilMr4Ra1hIU5PyoyFRunpI" -< Date: Mon, 13 Feb 2023 14:50:51 GMT -< Connection: keep-alive -< Keep-Alive: timeout=5 -< -* Connection #0 to host localhost left intact -``` - -- Upstream - -``` -Dumbo listening on port 8000… -GET /push 200 1493 - 7.432 ms -Data to compare (request-target): post /push/inbox -host: vcs.activitypub.securitytxt.dffml.chadig.com -date: Mon, 13 Feb 2023 14:50:49 GMT -digest: SHA-256=4byRebHbzxk6BlJopQYVQcI+9YiHojWKhaI2S0J8w68= -Data to sign (request-target): post /alice/inbox -host: d30a15e2d986dc.lhr.life -date: Mon, 13 Feb 2023 14:50:50 GMT -digest: SHA-256=QOPUiXd5oq6u0i+DNQu9TZRIydnRewGdlN1eoiaEsKs= -GET /push 200 1493 - 1.654 ms -POST /push/inbox 204 - - 1557.550 ms -``` - -- Rebase and cleanup - - `HEAD` is 6 commits, at 9d16b1fe04b5e880be59d6fcddde698cfd036b2f -- Redeploy upstream - -```console -$ curl -sfL https://github.com/pdxjohnny/activitypub-starter-kit/archive/refs/heads/alternate_port.tar.gz | tar xvz -$ cd activitypub-starter-kit-alternate_port -$ cat > .env <<'EOF' -# The Node environment -NODE_ENV="production" - -# The path to the database schema -SCHEMA_PATH="db/schema.sql" - -# The path to the database file -DATABASE_PATH="db/database.sqlite3" - -# The hostname (i.e. the "example.com" part of https://example.com/alice) -HOSTNAME="vcs.activitypub.securitytxt.dffml.chadig.com" - -# The account name (i.e. the "alice" part of https://example.com/alice) -ACCOUNT="push" -EOF -$ npm i -$ head -n 10000 /dev/urandom | sha384sum | awk '{print $1}' | tee ../webhook -$ head -n 10000 /dev/urandom | sha384sum | awk '{print $1}' | tee ../password -$ openssl genrsa -out keypair.pem 4096 && openssl rsa -in keypair.pem -pubout -out publickey.crt && openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key -$ mkdir node_modules/@types/simple-proxy-agent/ -$ echo "declare module 'simple-proxy-agent';" | tee node_modules/@types/simple-proxy-agent/index.d.ts -$ npm run build -$ FDQN=vcs.activitypub.securitytxt.dffml.chadig.com WEBHOOK_PATH=$(cat ../webhook) NODE_ENV=production PORT=8000 ACCOUNT=push ADMIN_USERNAME=admin ADMIN_PASSWORD=$(cat ../password) PUBLIC_KEY=$(cat publickey.crt) PRIVATE_KEY=$(cat pkcs8.key) npm run start - -> dumbo@1.0.0 start -> node build/index.js - -Dumbo listening on port 8000… -GET /push 200 1493 - 8.201 ms -GET /push 200 1493 - 1.200 ms -POST /push/inbox 204 - - 1583.186 ms -``` - -- Redeploy downstream and send follow request - -```console -$ rm -f db/database.sqlite3; ssh -R 80:localhost:8000 nokey@localhost.run 2>&1 | tee >(grep --line-buffered 'tunneled with tls termination' | awk -W interactive '{print $1}' | xargs -l -I '{}' -- sh -c 'reset; echo "{}"; PROTO=https FDQN="{}" WEBHOOK_PATH=$(cat ../webhook) NODE_ENV=production PORT=8000 ACCOUNT=alice ADMIN_USERNAME=alice ADMIN_PASSWORD=$(cat ../password) PUBLIC_KEY=$(cat publickey.crt) PRIVATE_KEY=$(cat pkcs8.key) npm run start & -c4d2dfa777b86f.lhr.life - -> dumbo@1.0.0 start -> node build/index.js - -Dumbo listening on port 8000… -GET /alice 200 1354 - 2.530 ms -GET /alice 200 1354 - 0.895 ms -POST /alice/inbox 204 - - 71.294 ms -POST /admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https 204 - - 3183.157 ms -$ curl -ku alice:$(cat ../password) -X POST -v http://localhost:8000/admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https -$ websocat --exit-on-eof --basic-auth alice:$(cat ../password) ws://localhost:8000/listen/websocket -``` - -- Create post on upstream - -```console -$ cat > post.json <<'EOF' -{ - "object": { - "type": "Note", - "content": "OUR PROPHECY MUST BE FULFILLED!!! https://github.com/intel/dffml/pull/1401#issuecomment-1168023959" - } -} -EOF -$ curl -u admin:$(cat ../password) -X POST --header "Content-Type: application/json" --data @post.json -v http://localhost:8000/admin/create -POST /admin/create 204 - - 133.004 ms -``` - -- Restarted the ssh tunnel and followed again - - Response seen from downstream websocket listener - -```json -{ - "@context": "https://www.w3.org/ns/activitystreams", - "type": "Create", - "published": "2023-02-13T15:39:08.628Z", - "actor": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push", - "to": [ - "https://www.w3.org/ns/activitystreams#Public" - ], - "cc": [ - "https://eb62a3437cf6a9.lhr.life/alice" - ], - "object": { - "attributedTo": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push", - "published": "2023-02-13T15:39:08.628Z", - "to": [ - "https://www.w3.org/ns/activitystreams#Public" - ], - "cc": [ - "https://vcs.activitypub.securitytxt.dffml.chadig.com/push/followers" - ], - "type": "Note", - "content": "OUR PROPHECY MUST BE FULFILLED!!! https://github.com/intel/dffml/pull/1401#issuecomment-1168023959", - "id": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push/posts/15f4de9c-a582-4f9d-8372-a740a5ffe6a8" - }, - "id": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push/posts/58f883cd-0252-4319-a934-3ca2eb062f62" -} -``` - -![hack-the-planet-hackers-gif](https://user-images.githubusercontent.com/5950433/191852910-73787361-b00c-4618-bc5e-f32d656bbf0f.gif) - ---- - - - Just FYI, have been playing with the idea of using security.txt contact as an AcivityPub Actor to advertise things such as delegate Actors for various purposes. For example, list via attachments actors which publish content addresses of an orgs SBOMs This would enable leveraging ActivityPub as a means for definition and broadcast for entities delegated to various roles. We could do the same for the 3rd parties to advertise what actors are within which roles, aka are authorized to say this thing is FIPs certified. We could then attach SCITT receipts to these: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4794771 - The SCITT registry then becomes the quick lookup path (analogously database view) to verify this. This way end users don't have to traverse the full Knowledge Graph (Activity Pub in this case). Receipt we care about for verification would be is this `inReplyTo` DAG hop path valid, aka is `did:merkle` in SCITT. - Can have a thread linked in attachments for manifests, can discover from there @@ -946,34 +775,6 @@ POST /admin/create 204 - - 133.004 ms - Run some live ones in https://github.com/cloudfoundry/korifi via `dffml-service-http` - Demo similar job URL hash as registry tag based addressing of results within registry - Enable sending of AcivityPub events directly (later) or indirectly via proxy nodes (first, activitypub starter kit. -- https://ci.spdk.io/results/autotest-nightly/builds/1935/archive/crypto-autotest/build.log - -```yaml -- completed_at: '2023-03-03T04:30:59Z' - conclusion: success - created_at: '2023-03-03T03:58:07Z' - head_sha: 4241b49975cf364b540fc0ad961cde58e2c89623 - html_url: https://ci.spdk.io.deployed.at.example.com/public_build/autotest-spdk-master-vs-dpdk-main_1754.html - id: 1754 - labels: - - list - - of - - overlays - - on - - dffml.overlays.alice.shouldi.contribute - name: alice.shouldi.contribute - status: completed - steps: - - completed_at: '2023-03-03T04:26:42.000Z' - conclusion: success - name: Run scan - number: 1 - started_at: '2023-03-03T04:26:40.000Z' - status: completed - url: https://vcs.activitypub.securitytxt.dffml.chadig.com/push/posts/40aeeda3-6042-42ed-8e32-99eff9bd8ef4 - workflow_name: Alice Should I Contribute? -``` - - https://linkeddatafragments.org/ - http://query.linkeddatafragments.org/#query=&resultsToTree=false&queryFormat=graphql - https://gist.github.com/rubensworks/9d6eccce996317677d71944ed1087ea6 From 1bdb7842cd1213420754f3f16b77985340e704db Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 26 May 2023 10:57:40 -0700 Subject: [PATCH 117/120] Update openssf_metrics.md --- openssf_metrics.md | 30 ++++++------------------------ 1 file changed, 6 insertions(+), 24 deletions(-) diff --git a/openssf_metrics.md b/openssf_metrics.md index f2f87e3..6b03aeb 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -63,45 +63,27 @@ activitypub_service: - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/1" content: "activitypubextensions" replies: - - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/1/replies" - type: "Collection" - first: - type: "CollectionPage" - items: - - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2" + - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2" - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2" inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/1" content: "activitypubsecuritytxt" replies: - - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2/replies" - type: "Collection" - first: - type: "CollectionPage" - items: - - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3" + - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3" + - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3" inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2" content: "https://github.com/opencontainers/image-spec/raw/v1.0.1/schema/image-manifest-schema.json" replies: - - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3/replies" - type: "Collection" - first: - type: "CollectionPage" - items: - - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/4" + - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/4" - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/4" inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3" content: "bob.registry.example.org/src_repo_name_contents_are_webhook_translated_to_vcs_push_manifest:sha256@babebabe" + - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/5" inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2" content: "did:web:registry.example.com:policy-as-code:blocklist%40sha256%3Aaaaaaaaa" replies: - - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/5/replies" - type: "Collection" - first: - type: "CollectionPage" - items: - - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/6" + - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/6" - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/6" inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/5" content: "did:web:registry.example.com:receipts:not_on_blocklist%40sha256%3Aaaaaaaaa" From e9e2cc58835991d33193e4aeff6d9cd7344b36bd Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 19 Sep 2023 10:53:10 -0700 Subject: [PATCH 118/120] Update openssf_metrics.md --- openssf_metrics.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 6b03aeb..04c57fc 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -104,6 +104,46 @@ activitypub_service: - https://github.com/intel/cve-bin-tool/issues/2639 - Take upstream policy (attached to incoming via `inReplyTo` and or `replies`, you'd have to decide if you want to dereference these, perhaps based on reputaion of propagator to reduce attack impact) +```mermaid +graph TD + subgraph lifecycle[BOM Component Trust Asserstion Generation Lifecycle] + subgraph lifecycle_background[Background] + watch_for_new_releases_on_repo[Scan: New Release / Tag on Repo] + end + subgraph lifecycle_submission[Submission] + new_release[Scan: New Release / Tag on Repo] + use_in_bom[Scan: Pulled into cached / downloaded PyPi index] + end + subgraph lifecycle_deployment[Scanning aka GUAC firewall pattern] + is_on_latest[Scan release/tag] + submit_to_allowlist[Submit repo and SHA of commit scanned as trust attestation: trusted/untrusted] + + use_in_bom --> is_on_latest + new_release --> is_on_latest + + is_on_latest --> submit_to_allowlist + end + subgraph lifecycle_transparency_service[Transparency Service] + add_to_ts[Add Trust Attestation to append only log] + list_ts_trusted[Index of attestations with result: Trusted] + + add_to_ts --> list_ts_trusted + end + subgraph lifecycle_usage[Use in CI/CD] + check_ts[Check Transparency Service for all BOM items] + do_build_if_all_trusted[Run build if all trusted] + + check_ts --> do_build_if_all_trusted + end + + submit_to_allowlist --> add_to_ts + list_ts_trusted --> watch_for_new_releases_on_repo + watch_for_new_releases_on_repo --> new_release + + list_ts_trusted --> check_ts + end +``` + ```mermaid graph TD subgraph home From b12729135065d6b9e0737fb03405e44c5d9c79dc Mon Sep 17 00:00:00 2001 From: John Andersen Date: Fri, 13 Oct 2023 11:02:01 -0700 Subject: [PATCH 119/120] Update openssf_metrics.md --- openssf_metrics.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 04c57fc..6915781 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1079,3 +1079,7 @@ Post RFCv3 - https://identity.foundation/presentation-exchange/#presentation-definition - for gatekeeper policy options - https://www.seedwing.io/ + +--- + +- Related to reducing hallucinations in LLMs leveraging TEEs: https://queue.acm.org/detail.cfm?id=3623460 From 04499f4e4dedcec9add0e627f8aa742151f99297 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Tue, 14 Nov 2023 11:19:08 -0800 Subject: [PATCH 120/120] Update openssf_metrics.md --- openssf_metrics.md | 93 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) diff --git a/openssf_metrics.md b/openssf_metrics.md index 6915781..2ab875e 100644 --- a/openssf_metrics.md +++ b/openssf_metrics.md @@ -1083,3 +1083,96 @@ Post RFCv3 --- - Related to reducing hallucinations in LLMs leveraging TEEs: https://queue.acm.org/detail.cfm?id=3623460 + +# SLSA (in-toto style) + +Upstream for S2C2F sections: https://github.com/ossf/s2c2f/blob/98803e0a558e6d8cef4d2770864ffd3cf7618c65/specification/framework.md#appendix-relation-to-scitt + +## S2C2F: Appendix: Relation to SCITT + +> The [Supply Chain Integrity, Transparency, and Trust](https://github.com/ietf-scitt) initiative, or SCITT, is a set of proposed industry standards for managing the compliance of goods and services across end-to-end supply chains. In the future, we expect teams to output "attestations of conformance" to the S2C2F requirements and store it in SCITT. The format of such attestations is to be determined. + +# S2C2F: Appendix: Mapping Secure Supply Chain Consumption Framework Requirements to Other Specifications + +Goal: Create YAML file allowing users to map webhook event data to creation of data notarized by SCITT, statments and receipts created. Use YAML as basis for overall automatable format for alignment to S2C2F. + +| **Requirement ID** | **Requirement Title** | **References** | +| --- | --- | --- | +| ING-1 | Use package managers trusted by your organization | **CIS SSC SG** : 3.1.5
**OWASP SCVS:** 1.2
**CNCF SSC:** Define and prioritize trusted package managers and repositories | +| ING-2 | Use an OSS binary repository manager solution | **OWASP SCVS:** 4.1
**CNCF SSC:** Define and prioritize trusted package managers and repositories | +| ING-3 | Have a Deny List capability to block known malicious OSS from being consumed | | +| ING-4 | Mirror a copy of all OSS source code to an internal location | **CNCF SSC:** Build libraries based upon source code | +| SCA-1 | Scan OSS for known vulnerabilities | **SP800218** : RV.1.1
**SP800161** : SA-10, SR-3, SR-4
**CIS SSC SG** : 1.5.5, 3.2.2
**OWASP SCVS:** 5.4
**CNCF SSC:** Verify third party artefacts and open source libraries, Scan software for vulnerabilities, Run software composition analysis on ingested software | +| SCA-2 | Scan OSS for licenses | **CIS SSC SG** : 1.5.6, 3.2.3
**OWASP SCVS:** 5.12
**CNCF SSC:** Scan software for license implications | +| SCA-3 | Scan OSS to determine if its end-of-life | **SP800218** : PW.4.1
**SP800161** : SA-4, SA-5, SA-8(3), SA-10(6), SR-3, SR-4
**OWASP SCVS:** 5.8 | +| SCA-4 | Scan OSS for malware | clamav workflow or job | +| SCA-5 | Perform proactive security review of OSS | **SP800218** : PW.4.4
**SP800161** : SA-4, SA-8, SA-9, SA-9(3), SR-3, SR-4, SR-4(3), SR-4(4)
**OWASP SCVS:** 5.2, 5.3, | +| INV-1 | Maintain an automated inventory of all OSS used in development | **OWASP SCVS:** 1.1, 1.3, 1.8, 5.11
**CNCF SSC:** Track dependencies between open source components | +| INV-2 | Have an OSS Incident Response Plan | **SP800218** : RV.2.2
**SP800161** : SA-5, SA-8, SA-10, SA-11, SA-15(7) | +| UPD-1 | Update vulnerable OSS manually | | +| UPD-2 | Enable automated OSS updates | | +| UPD-3 | Display OSS vulnerabilities as comments in Pull Requests (PRs) | | +| AUD-1 | Verify the provenance of your OSS | **CIS SSC SG** : 3.2.4
**OWASP SCVS:** 1.10, 6.1
**SLSA v1.0:** Producing artifacts – Distribute provenance | +| AUD-2 | Audit that developers are consuming OSS through the approved ingestion method | **CIS SSC SG** : 4.3.3 | +| AUD-3 | Validate integrity of the OSS that you consume into your build | **CIS SSC SG** : 2.4.3
**OWASP SCVS:** 4.12
**CNCF SSC:** Verify third party artefacts and open source libraries | +| AUD-4 | Validate SBOMs of OSS that you consume into your build | **CNCF SSC:** Require SBOM from third party supplier | +| ENF-1 | Securely configure your package source files (i.e. nuget.config, .npmrc, pip.conf, pom.xml, etc.) | **SP800218** : PO.5.2
**CIS SSC SG** : 2.4.2, 3.1.7, 4.3.4, 4.4.2 | +| ENF-2 | Enforce usage of a curated OSS feed that enhances the trust of your OSS | **SP800218** : PO.5.2
**CIS SSC SG** : 2.4.3, 3.1.1, 3.1.3 | +| REB-1 | Rebuild the OSS in a trusted build environment, or validate that it is reproducibly built | **CIS SSC SG** : 2.4.4 | +| REB-2 | Digitally sign the OSS you rebuild | **SP800218** : PS.2.1 | +| REB-3 | Generate SBOMs for OSS that you rebuild | **SP800218** : PS.3.2
**SP800161** : SA-8, SR-3, SR-4
**CIS SSC SG** : 2.4.5
**OWASP SCVS:** 1.4, 1.7
**CNCF SSC:** Generate an immutable SBOM of the code | +| REB-4 | Digitally sign the SBOMs you produce | **CIS SSC SG** : 2.4.6 | +| FIX-1 | Implement a change in the code to address a zero-day vulnerability, rebuild, deploy to your organization, and confidentially contribute the fix to the upstream maintainer | | + +## Webhook endpoint + +Targets are new commits, branches, tags, and their CI/CD (status check) results + +- Transforms GitHub webhook payloads into statements + - https://github.com/in-toto/attestation/blob/99d851228fe284c66b2cde353a6693c5eff69db1/spec/v1/statement.md + - https://github.com/in-toto/attestation/blob/99d851228fe284c66b2cde353a6693c5eff69db1/spec/predicates/test-result.md + - https://github.com/in-toto/attestation/blob/99d851228fe284c66b2cde353a6693c5eff69db1/spec/predicates/cyclonedx.md +- https://docs.github.com/en/rest/repos/contents?apiVersion=2022-11-28#download-a-repository-archive-tar + +```json +{ + "_type": "https://in-toto.io/Statement/v1", + "subject": [ + { + "name": "", + "digest": {"": ""} + }, + ... + ], + "predicateType": "https://in-toto.io/attestation/test-result/v0.1", + "predicate": { + "result": "PASSED|WARNED|FAILED", + "configuration": ["", ...], + "url": "", + "passedTests": ["", ...], + "warnedTests": ["", ...], + "failedTests": ["", ...] + } +} +``` + +- https://github.com/pdxjohnny/scitt-api-emulator/blob/demo-instance/docs/sbom_and_vex.md + +```json +{ + "_type": "https://in-toto.io/Statement/v1", + "subject": [ + { + "name": "", + "digest": {"": ""} + }, + ... + ], + "predicateType": "https://spdx.dev/Document/v2.3", + "predicate": { + "SPDXID" : "SPDXRef-DOCUMENT", + "spdxVersion" : "SPDX-2.3", + ... + } +} +```