Note! This workstream achieved its desired outcome and is now archived. Follow-up conversations will take place in SIG Software Supply Chain.
The Supply Chain Maturity Model workstream was proposed on August 25, 2022 and continued until January 2023.
The workstream produced a Supply Chain Maturity Guide, which is included in this repository.
The details below are maintained for historical purposes.
The workstream will cover CI/CD beyond build and deploy.
The workstream seeks to define industry standards for Supply Chain Maturity that augment SLSA. Where SLSA covers the supply chain from code through artifact, maturity covers the artifact lifecycle, including deployments, rollouts, testing, rollbacks, and more.
The workstream seeks to define an industry standard to augment SLSA.
Proposed names so far include:
- Code Health Project Score ("CHiPS") (but it conflicts with CHIPS Alliance under the Linux Foundation)
- Guide for Understanding Application Concerns ("GUAC") (but it conflicts with the GUAC project from Google/Kusari/Purdue/Citi)
For current goals, see our roadmap.
Current members:
- David Bendory, Google
- Justin Abrahms, eBay/CDF
- Ankit D Mohapatra, Berkshire Grey
- Parth Patel, Kusari
- Kara de la Marck, CDF
- David Espejo, VMware
- <your-name-here!>
Membership to this workstream is open and self-declared.
New members are invited to:
- Join the #wg-supply-chain-maturity channel on CDF Slack and introduce yourself.
- Regularly join the workstream meetings.
- Join our Google Group at https://groups.google.com/g/cdf-scm for access to shared documents.
This workstream's Slack channel is no longer active.
Please join the main SIG Slack discussion instead.
This workstream no longer meets.
Historic meeting notes are available here.