[trustable-software] SDLC Evidence Metadata
Will Barnard
will.barnard at codethink.co.uk
Mon Jul 16 13:48:37 BST 2018
I have been considering the issues of SDLC metadata capture and storage
with regard to generating trustable evidence of the software development
process.
As I see it, there is a need for an industry standard format for storage
of such metadata
- A server agnostic standard that can be adopted by different server
implementations
The data needs to be trustable (integrity and provenance assured)
- Storage as immutable revisions within the Git repo is the preferred
approach, storage as proprietary mutable database data is not considered
a good approach
As such, we have developed a proof-of-concept tool, gitect
(https://gitlab.com/trustable/gitect), which is capable of storing SDLC
evidence metadata within a Git repo (in Git notes) for the construction,
validation, review and approval of software changes. For the review and
approval evidence metadata, Gitect does not currently generate its own
data but it does support pulling that from a GitLab server and could be
extended to support other Git server implementations. Going forward we
would like to incorporate the functionality to allow a developer to
perform code reviews offline and push the data to the server. As this is
an area where there has already been some activity, I am not sure that
developing our own custom solution is the best approach.
There has been some interesting work within other projects. Notedb used
in Gerrit/Openstack has a large user base, it has good coverage of
review and approval metadata but little in the other areas. The
git-appraise tool developed within Google also takes an interesting
approach.
We're considering doing (more) work on this... are folks aware of prior
art or existing projects that deal with the same concerns?
Regards,
Will
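The storage model the post describes (evidence attached to a commit as Git notes, so every revision of the evidence is itself an immutable commit on a notes ref) can be tried with plain git. The script below is an added example, not gitect's code; the notes ref name refs/notes/sdlc-evidence and the JSON shape of the records are illustrative choices, not a gitect format, and a throwaway repository is created so it runs offline.

```shell
#!/bin/sh
# Added example (not gitect code): attach SDLC evidence to a commit as Git
# notes on a dedicated ref, read it back, and count the evidence revisions.
# Assumptions: git is installed; the notes ref name and the JSON keys are
# illustrative, not a gitect format.
set -eu

NOTES_REF="refs/notes/sdlc-evidence"

# Create a throwaway repository with one commit so the example runs offline.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" -c user.name=dev -c user.email=dev@example.com \
      commit -q --allow-empty -m "initial"
  echo "$dir"
}

# Record one evidence item (kind, result) for a commit. Each append creates a
# new commit on $NOTES_REF, so earlier states stay in the notes history.
add_evidence() {
  repo=$1; commit=$2; kind=$3; result=$4
  git -C "$repo" -c user.name=ci -c user.email=ci@example.com \
      notes --ref "$NOTES_REF" append \
      -m "{\"kind\":\"$kind\",\"result\":\"$result\"}" "$commit"
}

# Print the evidence attached to a commit (empty if none).
show_evidence() {
  git -C "$1" notes --ref "$NOTES_REF" show "$2" 2>/dev/null || true
}

# Number of revisions of the evidence store: one commit per notes change.
evidence_revisions() {
  git -C "$1" rev-list --count "$NOTES_REF"
}
```

Because the evidence lives on a notes ref, `git log refs/notes/sdlc-evidence` shows who changed the evidence and when, and the ref can be pushed and fetched like any other.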