[trustable-software] SDLC Evidence Metadata

Will Barnard will.barnard at codethink.co.uk
Mon Jul 16 13:48:37 BST 2018


I have been considering the issues of SDLC metadata capture and storage 
with regard to generating trustable evidence of the software development 
process.

As I see it, there is a need for an industry standard format for storage 
of such metadata:
- A server-agnostic standard that can be adopted by different server 
implementations

The data needs to be trustable (integrity and provenance assured):
- Storage as immutable revisions within the Git repo is the preferred 
approach; storage as proprietary mutable database data is not considered 
a good approach

As such, we have developed a proof-of-concept tool, gitect 
(https://gitlab.com/trustable/gitect), which is capable of storing SDLC 
evidence metadata within a Git repo (in Git notes) for the construction, 
validation, review and approval of software changes. For the review and 
approval evidence metadata, Gitect does not currently generate its own 
data but it does support pulling that from a GitLab server and could be 
extended to support other Git server implementations. Going forward we 
would like to incorporate the functionality to allow a developer to 
perform code reviews offline and push the data to the server. As this is 
an area where there has already been some activity, I am not sure that 
developing our own custom solution is the best approach.

There has been some interesting work within other projects. NoteDb, used 
in Gerrit/OpenStack, has a large user base; it has good coverage of 
review and approval metadata but little in the other areas. The 
git-appraise tool developed within Google also takes an interesting 
approach.

We're considering doing (more) work on this... are folks aware of prior 
art or existing projects that deal with the same concerns?

Regards,

Will
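The mechanism the post describes, evidence metadata kept as Git notes so that it lives in the repository as immutable, content-addressed revisions, can be demonstrated with plain git. The script below is an added example and is not gitect's code or its data format: the notes ref name `sdlc-evidence`, the JSON field names and the "Example Developer" identity are constructed for illustration. It assumes `git` is installed.

```shell
#!/bin/sh
# Added example (not gitect code): attach SDLC evidence records to a commit
# as Git notes under a dedicated notes ref, then read them back and inspect
# the provenance that the notes ref itself records.
# Assumptions: git is on PATH; the ref name "sdlc-evidence" and the JSON
# field names below are hypothetical, not gitect's actual format.

# Dedicated notes namespace so evidence never collides with refs/notes/commits.
EVIDENCE_REF=sdlc-evidence

# Create a throwaway repository with one commit and print its path.
setup_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.name "Example Developer"
  git -C "$repo" config user.email "dev@example.invalid"
  echo "hello" > "$repo/README"
  git -C "$repo" add README
  git -C "$repo" commit -q -m "Initial commit"
  printf '%s\n' "$repo"
}

# Append one JSON evidence record (kind, result) to the note on a commit.
# 'append' rather than 'add -f' so earlier records are preserved; each call
# creates a new commit on refs/notes/$EVIDENCE_REF, i.e. a new revision.
add_evidence() {
  repo=$1; commit=$2; kind=$3; result=$4
  git -C "$repo" notes --ref="$EVIDENCE_REF" append -m \
    "{\"kind\":\"$kind\",\"result\":\"$result\",\"commit\":\"$commit\"}" "$commit"
}

# Print the evidence attached to a commit; empty output if there is none.
show_evidence() {
  git -C "$1" notes --ref="$EVIDENCE_REF" show "$2" 2>/dev/null || true
}

# Count the evidence records attached to a commit (one JSON object per line).
count_evidence() {
  show_evidence "$1" "$2" | grep -c '"kind"' || true
}

# Who recorded the most recent piece of evidence: the notes ref is a normal
# commit history, so author identity and timestamp are carried with it.
evidence_author() {
  git -C "$1" log -1 --format=%an "refs/notes/$EVIDENCE_REF"
}

# How many revisions the evidence history has, one per recording step.
evidence_revisions() {
  git -C "$1" rev-list --count "refs/notes/$EVIDENCE_REF"
}

# Walk through the flow end to end and print what a reviewer would see.
demo() {
  repo=$(setup_repo)
  head=$(git -C "$repo" rev-parse HEAD)
  add_evidence "$repo" "$head" build pass
  add_evidence "$repo" "$head" review approved
  echo "Evidence for $head:"
  show_evidence "$repo" "$head"
  echo "Recorded by: $(evidence_author "$repo")"
  echo "Evidence revisions: $(evidence_revisions "$repo")"
}
```

Run it with `. ./evidence.sh && demo`. Two properties matter for trustability here: the note is keyed by the commit hash, so a record cannot be silently re-pointed at a different change, and the notes ref is itself a commit chain, so `git log refs/notes/sdlc-evidence` shows who added each record and when, and the ref can be signed or pushed to a server like any other history.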
