examples: tutorials: rolling alice: federated forge: alice and bob: R…

…EADME: Add more todos and basic explainer Related: ietf-scitt/use-cases#18 Related: #1421 Related: ietf-scitt/use-cases#14 Related: https://github.com/ossf/s2c2f/blame/2bf86e4df77ace51853443a3dc2e64e6107ce92a/specification/framework.md#L355 Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
intel · Mar 30, 2023 · 51f0765 · 51f0765
1 parent f9146ab
commit 51f0765
Showing 1 changed file with 39 additions and 1 deletion.
diff --git a/examples/tutorials/rolling_alice/federated_forge/alice_and_bob/README.md b/examples/tutorials/rolling_alice/federated_forge/alice_and_bob/README.md
@@ -4,6 +4,44 @@
 $ docker-compose up
 ```
 
+## Sketch Notes
+
+- ActivityPub (future: TransparencyInterop) protos for grpc service / openapi definition
+  - On webfinger resolved endpoint for `/inbox`
+    - Policy Engine (Prioritizer's Gatekeeper/Umbrella) - Defined via CycloneDX DataFlows
+      - Upstream
+        - Cypher queries
+      - Overlay
+        - https://github.com/intel/cve-bin-tool/issues/2639
+        - https://github.com/seedwing-io/seedwing-policy/
+      - Orchestrator
+        - pr-validation
+          - https://code.forgejo.org/forgejo/runner/src/branch/main/cmd/exec.go
+        - prod / service batch jobs L0
+          - https://github.com/ipvm-wg/spec/pull/8
+- KERI backed keys for duplicity detection to reboot web of trust off less robust revocation detection mechanisms
+  - Publish `releaseartifact.json` to ActivityPub security.txt/md stream
+    - Others who are committing or online cloning a repo watch those streams (schema in content)
+- Setup auto prs
+  - Rebuild chains based off SBOM as inventory for building cross linkage to determine downstream validation pattern / hypothesized flows and prs-to-prs required to enable execution, the dependency tree of artifacts.
+    - https://github.com/intel/cve-bin-tool/blob/main/.github/workflows/sbom.yml
+    - https://github.com/renovatebot/renovate
+- Mirror webhook event streams into federated forge environment
+  - Upstream changes directly to git
+    - Publish federated event corresponding to `git ...` action
+      - Federate with more servers/services/nodes for availability.
+    - Comms over SSI Service/DWN with KERI backed keys ideally rooted to [TEE enclave keys](https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-domain-extensions.html)
+    - Watch SCITT stream of peers with ephemeral resync when online KERI watcher
+      - Require sync before queries to streams, raft?
+
+## References
+
+- [https://codeberg.org/forgejo/discussions/issues/12](CI/CD Event Federation codeberg.org/forgejo/discussions#12)
+- [RFCv4.1: IETF SCITT: Use Case: OpenSSF Metrics: activitypub extensions for security.txt](https://github.com/ietf-scitt/use-cases/blob/748597b37401bd59512bfedc80158b109eadda9b/openssf_metrics.md#openssf-metrics)
+
 ## TODO
 
-- [ ] Feed build server (melange) on events
+- [ ] Federated Forge events
+- [ ] Policy engine leveraging CycloneDX dataflow format and IPVM execution
+- [ ] GAUC emmiter for ActivityPub federated event space
+- [ ] Feed build server (melange) on SBOM / Dockerfile `FROM` retrigger events