-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider adding (and tracking) packages from the Civil Infrastructure Platform (CIP) #39
Comments
On a similarly inspired note, ELISA might have some detectable critical projects as well - right now it sounds like it's Yocto (not unlike #36 and this same issue): I wonder if there's an opportunity to run a dependency crawler across orgs working on safety/critical applications to detect high intensity software components for consideration. |
The
cip-core
project emits a package list comprising the minimal (core) CIP system. Several pieces of software in the list might already be in OpenSSF's critical projects list, but it'd be interested to assess the merits of using CIP's package list as a transitive criteria for addition, not unlike the rationale for #26, perhaps.The list in question: https://gitlab.com/cip-project/cip-core/cip-pkglist/-/blob/master/pkglist_buster.yml.
It's possible there are newer or evergreen versions in other places, and that someone is actually creating an SPDX or similar SBOM version of this. It's possible we might also want to look into the tooling and any differential inputs to create the
deby
layers for the different boards listed in https://gitlab.com/cip-project/cip-core/deby, possibly related to #36.(Note: I'm conscious this list overlaps significantly with the Debian base system. In addition to any software that might be missed, I'm asking a broader question of whether criteria for inclusion in other lists with software deemed critical by different sectors, groups and verticals might be helpful for updating the OpenSSF list.)
The text was updated successfully, but these errors were encountered: