Hello git mailing list!

The purpose of this email is to inform you of the coordinated security effort for git, and hopefully source some contacts for questions and follow up.

An overview of the effort is as follows. It is broken up into three work packages. It would be great to have at least one contact/maintainer for each work package.

Work Package 1: git source code review and threat modeling: This will be done by the team at x41-dsec with a Gitlab team.
Work Package 2: Supply chain security / CI infrastructure review with Chainguard and Gitlab team.
Work Package 3: A new setup of CodeQL for git with Xavier and his team from Github.

Please let me know if you have any questions. Thank you in advance! We are aiming to start the week of June 13th 2022.

- Amir

Amir Montazery
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif

---------- Forwarded message ---------
From: Amir Montazery <amir@xxxxxxxxx>
Date: Wed, May 25, 2022 at 1:38 PM
Subject: Re: Syncing up team members for the comprehensive security review of Git
To: Xavier René-Corail <xcorail@xxxxxxxxxx>, Markus Vervier <markus.vervier@xxxxxxxxxxx>, Eric Sesterhenn <eric.sesterhenn@xxxxxxxxxxx>
Cc: Dennis Appelt <dappelt@xxxxxxxxxx>, Derek Zimmer <derek@xxxxxxxxx>, Joern Schneeweisz <jschneeweisz@xxxxxxxxxx>, Eddie Zaneski <eddiezane@xxxxxxxxxxxxxx>, Adolfo Veytia <puerco@xxxxxxxxxxxxxx>, Tracy Miranda <tracy@xxxxxxxxxxxxxx>, Ethan Strike <estrike@xxxxxxxxxx>

Adding +Markus Vervier and +Eric Sesterhenn to the thread. Sorry, I got my threads mixed up.

On Wed, May 25, 2022 at 12:38 PM Xavier René-Corail <xcorail@xxxxxxxxxx> wrote:
>
> Hey Amir,
>
> Sorry for the late reply, busy times here. I am trying to find the best persons on our side and will let you know ASAP.
>
> --
> Cheers
> Xavier
>
>
> On Tue, May 24, 2022 at 1:18 PM Amir Montazery <amir@xxxxxxxxx> wrote:
>>
>> Hello all,
>>
>> Please see the following doc. The next steps are as follows:
>>
>> Confirm information is accurate.
>> Confirm who else, if anyone, should be engaged as part of this effort.
>> Schedule intro meetings.
>>
>> Please let us know your thoughts and feedback! Thank you in advance!
>>
>> Link to doc: https://docs.google.com/document/d/1kRLVuvOFkXS1Jt_voDLBVZVQMpgfXUOCJQpnNXDZhQo
>>
>>
>> On Tue, May 24, 2022 at 3:00 PM Amir Montazery <amir@xxxxxxxxx> wrote:
>>>
>>> Wonderful. Thank you everyone! We are finalizing a doc that will help guide the work and keep everyone informed. Once that is shared, we can confirm the info is accurate and move forward with scheduling a sync.
>>>
>>> Thank you,
>>> Amir
>>>
>>> On Mon, May 16, 2022 at 6:56 AM Dennis Appelt <dappelt@xxxxxxxxxx> wrote:
>>>>
>>>> Hi Derek - sounds good. Looking forward to learning more about the effort.
>>>>
>>>> On Fri, May 13, 2022 at 6:13 PM Derek Zimmer <derek@xxxxxxxxx> wrote:
>>>>>
>>>>> Nice to meet you Dennis!
>>>>>
>>>>> The supply chain side is Eddie, Tracy, and Adolfo. I believe they are all going to Kubecon so it will be sometime after that.
>>>>>
>>>>> Derek Zimmer
>>>>> Executive Director
>>>>> Open Source Technology Improvement Fund
>>>>>
>>>>>
>>>>> On Thu, May 12, 2022 at 8:16 AM Joern Schneeweisz <jschneeweisz@xxxxxxxxxx> wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> sorry for just replying to a subset here, but I didn't want to spam everyone with scheduling questions.
>>>>>>
>>>>>> Regarding:
>>>>>>
>>>>>> > -Supply chain security / CI infrastructure review with Chainguard and Joern from Gitlab (if he so chooses to assist).
>>>>>>
>>>>>> My colleague Dennis (in cc:) is interested in joining this effort as he did quite some research in the supply chain field.
>>>>>> For our scheduling and to decide how we can join the review we'd need to know the timeline for the supply chain and CI infra review.
>>>>>>
>>>>>> Thanks and looking forward to collaborating
>>>>>>
>>>>>> joern
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, May 11, 2022 at 6:54 PM Derek Zimmer <derek@xxxxxxxxx> wrote:
>>>>>>>
>>>>>>> Hello everyone,
>>>>>>>
>>>>>>> We've had all of our initial meetings with the stakeholders on this project and I'm here to fill us all in on communication channels and responsibilities. If I've missed anyone that is participating from any of the orgs involved, please add them to this email so that we can all get on the same page and have all of the required contacts.
>>>>>>>
>>>>>>> Because of the wide scope of this project there will be some overlap between the work of the teams, and it is crucial that we ensure that everyone has access to the information that they need to make this work as fruitful as possible.
>>>>>>>
>>>>>>> We have three main work packages that we are executing:
>>>>>>> -Git source code review and threat modeling: This will be done by the team at x41-dsec with Joern from Gitlab.
>>>>>>> -Supply chain security / CI infrastructure review with Chainguard and Joern from Gitlab (if he so chooses to assist).
>>>>>>> -A new setup of CodeQL for git with Xavier and his team from Github.
>>>>>>>
>>>>>>> Because Git is an enormous project with hundreds of contributors, we've been directed by the maintainers to refer questions to the mailing list. If we get no response or need some specific responses or access, OSTIF can reach out to the maintainers directly to find the people required (if the mailing list fails to produce results). The mailing list is at git@xxxxxxxxxxxxxxx (PLAIN TEXT EMAIL ONLY, ANYTHING ELSE IS AUTOMATICALLY REJECTED).
>>>>>>>
>>>>>>> Our next step is to find everyone's availability so that we can generally set expectations about who is doing work and when. These projects do not have to happen simultaneously as each work package has different end-goals, but we should share relevant information between teams to prevent redundant work and wasted resources.
>>>>>>>
>>>>>>> So the questions to answer:
>>>>>>>
>>>>>>> Do we have everyone here?
>>>>>>> Is everyone's role understood?
>>>>>>> When can your respective teams begin?
>>>>>>>
>>>>>>>
>>>>>>> Thank you all for participating in this! I'm confident that this effort is going to help secure all of open source!
>>>>>>>
>>>>>>> All the best,
>>>>>>>
>>>>>>> Derek Zimmer
>>>>>>> Executive Director
>>>>>>> Open Source Technology Improvement Fund
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Joern Schneeweisz
>>>>>> Staff Security Engineer, Security Research | GitLab
>>>>>>
>>>>>> GitLab GmbH
>>>>>>
>>>>>> Elsenheimerstraße 7
>>>>>> c/o RPI Roehm + Partner 80687 München
>>>>>> Registergericht: Amtsgericht München, HRB 237630
>>>>>> Geschäftsführer: Sytse Rients Sijbrandij
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Dennis Appelt
>>>> Security Engineer | GitLab
>>>
>>>
>>>
>>> --
>>> Amir Montazery
>>> Managing Director
>>> Open Source Technology Improvement Fund
>>> https://ostif.org/
>>> https://calendly.com/ostif
>>>
>>
>>
>> --
>> Amir Montazery
>> Managing Director
>> Open Source Technology Improvement Fund
>> https://ostif.org/
>> https://calendly.com/ostif
>>

--
Amir Montazery
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif