-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add model signing as a sandbox project #347
Conversation
changing to draft as there needs to be some work regarding repo |
d15ae89
to
cdc03f9
Compare
I think the naming needs some work. First the repo is called model_transparency but the proposed project name is "Model Signing". Then looking into the repo README it appears that model signing is only part of what's being done (i.e., Model Signing + SLSA). Finally, "Model Transparency" is actually a complex topic which is quite broader than what this project aims to tackle. See The Foundation Model Transparency Index. So, while I'm not really sure what name should be used I think this ought to be sorted out. We should find another name and rename the repo accordingly to get everything aligned. |
Yes, the repo confusion is why I made this as a draft for now, apologies for the notifications. The sigstore/model_transparency repo and the SIG (to become project) repo should be different entities, since they had different histories. I'll update this PR with better naming and documentation, pending some external discussions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please get the names synchronized. the effort has merit, lets make sure it is clearly documented and communicated
@mihaimaruseac Bumping this PR. Please let us know if/how the TAC can help the Project sort things out. |
Sorry, got delayed with a bunch of other items and missed this one. Will do by the end of the week. Thank you for the nudge |
fcd33f4
to
803e00d
Compare
Made it clearer that we have 2 separate repositories, under 2 separate organizations. The model signing SIG (to become project) under the AI/ML WG will have a repo under OpenSSF for the work regarding standardizations, efficiency, etc., but the technical signing work that is developed as part of sigstore/model-transparency will stay with Sigstore, since it encompasses more than what the SIG (to become project) aims to do. Force pushed an amended commit and marked the PR as ready for review. Apologies it took so long to do this. |
803e00d
to
1b68c71
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the updates @mihaimaruseac ! I have a couple of suggestions related to making the scope of the project clearer, but otherwise, I think this application is almost ready to go.
process/project-lifecycle-documents/model_signing_sandbox_stage.md
Outdated
Show resolved
Hide resolved
1b68c71
to
7e0ad88
Compare
We have a working group that meets for model signing work, as part of ossf/ai-ml-security#10. Since this working group helps in developing https://github.com/sigstore/model-transparency and building standards around it, it needs to be officially a project, not a WG. We add the project at a sandbox stage. Please note that there are 2 repos invovled here: - https://github.com/sigstore/model-transparency which will be owned by Sigstore and is just the implementation work for the library for model signing - a new repository to be created under https://github.com/ossf to represent standard documents, as outputs of this project These two repositories should work in unison to achieve a common goal. Signed-off-by: Mihai Maruseac <[email protected]>
Signed-off-by: Mihai Maruseac <[email protected]>
7e0ad88
to
8f7b73a
Compare
Thank you for the reviews! Updated and rebased on latest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the updates! LGTM.
We have a working group that meets for model signing work, as part of ossf/ai-ml-security#10. Since this working group helps in developing https://github.com/sigstore/model-transparency and building standards around it, it needs to be officially a project, not a WG.
We add the project at a sandbox stage.
Please note that there are 2 repos invovled here:
These two repositories should work in unison to achieve a common goal.