Identify and implement CFF-wide standards to support supply-chain risk management

[emalm]

@pburkholder raised this as a discussion topic during the 2022-05-10 TOC meeting. Capturing some of the discussion context here:

• Governmental bodies that use or audit software are increasingly asking OSS projects to prove integrity of software artifacts and to document artifact provenance.
  • https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf
  • https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
• Software bills of materials (SBOMs) and initiatives such as SLSA.dev can help in these areas
• While CFF processes genrate some of this SBOM information and can guarantee integrity of some artifacts, these processes are not consistent across CFF artifacts and not complete.
• Paketo and kpack already generate SBOMs and annotate them on the images they build.

The TOC and the Working Groups should decide how far we would like the projects to go in supporting these emerging supply-chain standards, which standards to implement, and then assign responsibility to one or more bodies within the CFF to carry out the work.

[pburkholder]

Thanks for the succinct issue description, @emalm

[rkoster]

The first step for incorporating supply chain related files in bosh releases is currently being discussed here: cloudfoundry/bosh#2466

[beyhan]

This is still revenant and the TOC plans to look into this.