Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add model signing as a sandbox project #347

Merged
merged 2 commits into from
Aug 29, 2024

Conversation

mihaimaruseac
Copy link
Contributor

@mihaimaruseac mihaimaruseac commented Jun 20, 2024

We have a working group that meets for model signing work, as part of ossf/ai-ml-security#10. Since this working group helps in developing https://github.com/sigstore/model-transparency and building standards around it, it needs to be officially a project, not a WG.

We add the project at a sandbox stage.

Please note that there are 2 repos invovled here:

These two repositories should work in unison to achieve a common goal.

@mihaimaruseac
Copy link
Contributor Author

changing to draft as there needs to be some work regarding repo

@lehors
Copy link
Contributor

lehors commented Jun 21, 2024

I think the naming needs some work.

First the repo is called model_transparency but the proposed project name is "Model Signing". Then looking into the repo README it appears that model signing is only part of what's being done (i.e., Model Signing + SLSA).

Finally, "Model Transparency" is actually a complex topic which is quite broader than what this project aims to tackle. See The Foundation Model Transparency Index.

So, while I'm not really sure what name should be used I think this ought to be sorted out. We should find another name and rename the repo accordingly to get everything aligned.

@mihaimaruseac
Copy link
Contributor Author

Yes, the repo confusion is why I made this as a draft for now, apologies for the notifications.

The sigstore/model_transparency repo and the SIG (to become project) repo should be different entities, since they had different histories. I'll update this PR with better naming and documentation, pending some external discussions.

Copy link
Contributor

@SecurityCRob SecurityCRob left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please get the names synchronized. the effort has merit, lets make sure it is clearly documented and communicated

@marcelamelara
Copy link
Contributor

@mihaimaruseac Bumping this PR. Please let us know if/how the TAC can help the Project sort things out.

@mihaimaruseac
Copy link
Contributor Author

mihaimaruseac commented Aug 14, 2024

Sorry, got delayed with a bunch of other items and missed this one. Will do by the end of the week. Thank you for the nudge

@mihaimaruseac mihaimaruseac marked this pull request as ready for review August 19, 2024 20:06
@mihaimaruseac
Copy link
Contributor Author

Made it clearer that we have 2 separate repositories, under 2 separate organizations. The model signing SIG (to become project) under the AI/ML WG will have a repo under OpenSSF for the work regarding standardizations, efficiency, etc., but the technical signing work that is developed as part of sigstore/model-transparency will stay with Sigstore, since it encompasses more than what the SIG (to become project) aims to do.

Force pushed an amended commit and marked the PR as ready for review. Apologies it took so long to do this.

@mihaimaruseac mihaimaruseac changed the title Add model_transparency as a sandbox project Add model signing as a sandbox project Aug 19, 2024
Copy link
Contributor

@mlieberman85 mlieberman85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@marcelamelara marcelamelara added TI Lifecycle Issue/PR related to TIs' lifecycle status. Needs 5 approvals, 10d review. Major Changes to Charter/Technical Strategy/TI Lifecycle process, new TI. Needs 7 approvals, 15d review. and removed TI Lifecycle Issue/PR related to TIs' lifecycle status. Needs 5 approvals, 10d review. labels Aug 21, 2024
Copy link
Contributor

@sevansdell sevansdell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work!

Copy link
Contributor

@marcelamelara marcelamelara left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates @mihaimaruseac ! I have a couple of suggestions related to making the scope of the project clearer, but otherwise, I think this application is almost ready to go.

We have a working group that meets for model signing work, as part of
ossf/ai-ml-security#10. Since this working
group helps in developing https://github.com/sigstore/model-transparency
and building standards around it, it needs to be officially a project,
not a WG.

We add the project at a sandbox stage.

Please note that there are 2 repos invovled here:

- https://github.com/sigstore/model-transparency which will be owned by
  Sigstore and is just the implementation work for the library for model
  signing
- a new repository to be created under https://github.com/ossf to
  represent standard documents, as outputs of this project

These two repositories should work in unison to achieve a common goal.

Signed-off-by: Mihai Maruseac <[email protected]>
Signed-off-by: Mihai Maruseac <[email protected]>
@mihaimaruseac
Copy link
Contributor Author

Thank you for the reviews! Updated and rebased on latest main

Copy link
Contributor

@marcelamelara marcelamelara left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates! LGTM.

@SecurityCRob SecurityCRob merged commit cd72053 into ossf:main Aug 29, 2024
1 check passed
@mihaimaruseac mihaimaruseac deleted the model-signing-project branch August 29, 2024 20:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Major Changes to Charter/Technical Strategy/TI Lifecycle process, new TI. Needs 7 approvals, 15d review.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants