SLSA Blog #309
Comments
I like the idea. Most projects that I know of use Medium to make it easy. |
Great idea, demonstrating the liveliness of the project to folks not attending the community meetings and providing a space to share ideas both seem like good uses of a blog. |
What should the process be for approving posts? Just have one other committee member verify that it's not spam? I'm happy to set it up on Medium. |
Ok, I'm going to try to set up a Medium 'Publication' for SLSA. Then we can have slsa.dev/blog redirect there somehow. Someone let me know if they have a better idea. [edit] Turns out you need a Medium subscription to make a Publication. No idea how we'd handle the billing for that in the SLSA org... |
I've found a point of contact at the Linux Foundation that should be able to help figure out the payment options. Will follow up with results. |
I think keeping it simple and easy is best. One other committee member and lazy consensus (after say 2 working days?) sgtm. If this doesn't work, we can always revisit of course. |
👋🏻 qq, is Medium a strong want here? I ask because another project I work with has historically had several challenges managing its blog on Medium. It's great for the social/share component, and the UI for writers is great, but we find for a variety of reasons it's hard to keep it updated (access control/permissions management, collaborating on drafts, people who don't have Medium accounts & want to contribute, etc etc). If it's all the same to y'all, hosting a blog via GH tends to be more successful long term. |
I'd prefer GitHub too, it feels like that would be easier for review? I'm on-board with lazy consensus, but worry that two days might be too short? Perhaps it's enough for folks to indicate their intent/desire to review within two days? |
I also prefer GitHub, but it is a bit more work to set up and I'm not the one doing it. Medium does have nice commenting, which GitHub wouldn't have by default. I'm OK either way. To set it up on GitHub, I believe this involves:
If we instead want the blog on a subdomain, I think we'd need to create a new git repo and set up Jekyll there, including the theme, and link to it from the main SLSA website. |
I believe @jorydotcom is volunteering to set it up for us. Also I think I'd prefer not having comments since it's just another thing to moderate. If people really want to comment they can use Twitter or file GH issues? I don't feel that strongly about this though. |
@MarkLodato @TomHennen happy to do the setup whichever route y'all go. And great question whether you want the blog to sit with your existing site or spun up on a subdomain. Probably keeping it with the existing repo would be faster, so we don't have to track down whoever has access to the DNS and mess with that. Also one less repo to maintain. |
Great! I'm ok with /blog/. Any objections? |
I like /blog/ |
Yes +1 to same site and /blog/ |
It's been a few days and there have been no objections to a GitHub-driven blog that lives with the SLSA site - I think it's safe to get started on this this week! Will plan to have something for you to review Monday. |
Great, thanks Jory! |
Thank you!
|
@jorydotcom @kimsterv When this issue was discussed on a WG call a while ago I suggested that before a post gets published a heads-up be given to the WG so that people have a chance to have a look. I was surprised by the announcement of the new post made on the call last week. Where does one get to see what's coming up? |
Hey, I saw the post through PR #354. Are you subscribed to GitHub notifications for the repo? I can also encourage folks to post a link in Slack for upcoming blog posts too. |
@lehors - every blog post is reviewed by members of the @slsa-framework/slsa-steering-committee. We want to keep this process lightweight, so the way it happens is an interested community member uploads the blog post in the form of a PR and we add the steering committee as reviewers to review it in the next couple of days before it gets merged. As @kimsterv said, we can do an additional notification on the supply chain WG Slack channel from now on as well. You can get more actively involved by joining the SLSA steering committee as well, so please attend the SLSA biweekly meeting to discuss more. |
This seems quite heavyweight to me. I agree if the blog is going to be on the official OpenSSF announcements blog there should be oversight, but I worry about projects not having some autonomy to communicate with their community. |
Sounds good. Thanks! |
Thanks @inferno-chromium. This is actually the first time I see an active reference to a "steering committee". The discussions around the OpenSSF governance have been leaning towards forgoing such entities until the organization is so big that this kind of additional structure is deemed necessary. I'm interested to know whether something is being overlooked. |
I must admit not to understand. Are you saying that notifying the SLSA WG of an upcoming blog post on the WG's website is heavyweight? What am I missing? |
The SLSA project has been led by a seven member steering committee since shortly after inception, it's documented here in the README: https://github.com/slsa-framework/slsa#steering-committee |
I'd like to reconsider the format of the blog and perhaps remove it in favor of per-author blogs. I had envisioned a place for people to write about their opinions of SLSA with clear messaging that this does not represent community consensus. Consensus is expensive and time consuming, as can be seen from the two blog post PRs so far (#354 and #376). In both of these cases, the review was much more heavyweight than I would have expected. Of course each author can just write to their own random location, but then it's difficult for people to track. Maybe a lightweight feed that just links to other blog posts, with clear messaging that it's not an endorsement? Or alternatively track it via a Twitter hashtag or similar? (I don't use social media so I don't know what other communities do.) |
FWIW I like the original goal as you stated, and think it's not worth giving up on yet. It can be made more clear in the blog itself, the contribution documentation and process for reviews. |
I agree. I didn't think my blog review was particularly heavyweight, and I also think it's growing pains as the group comes to a consensus around SLSA itself. I think a lot of the feedback has been useful on also informing new issues. My only worry is if there are several layers of that review. If every blog post needs some multilevel review like maintainers -> steering committee -> broader working group, etc. it will never get done. |
OK, let's try to make it work then. As a first step, how about we prefix each blog post with something like:
|
Probably at the end of the blog post, and we should also add the point that we have tried our best to review content and incorporated reviewer feedback where feasible. @olivekl, can you please help with this footer language. |
On a related (and somewhat self-interested note) should slsa.dev also consider linking to interesting posts made by others in different venues? E.g. Where would we link to the GitHub post? |
How about: |
Great. Sent out #379 to add the banner. What remains is still to update documentation (the contributing guide?) to explain the guidelines for blog posts. |
This could be a great item to discuss in the next SLSA bi-weekly. My personal opinion is to encourage cross-posting, but not repeat the whole content, e.g. https://security.googleblog.com/2021/08/allstar-continuous-security-policy.html. Also, we could ask the SLSA community if they would be interested in keeping a section of must-reads (via some section in the repo's README.md). |
I don't think the process needs to be heavyweight. I do think adding a disclaimer pointing out that the post doesn't imply consensus from the whole WG is a good step. You could also have some indication on the main blog page making it clear that the posts are from "SLSA WG members" rather than the SLSA WG as a whole. I think this can be achieved by adding under the title "Blog" something like "Posts from SLSA WG members". Doing so removes the need for seeking consensus from the WG before posting. You can then have a simple process with an optional round of review/comments that is left to the author's discretion to use or not before posting. |
Hi @MarkLodato I agree with the documentation the process for blogs but could not find it. I was trying to understand the guidelines/decision making process as I was confused. I would be glad to help with this. However, looking through this discussion I'm a bit confused on the intent of the blog. Anyone can post their thoughts on SLSA on their blog, website, social media etc. Same for any company. I thought the intent of a community blog is to present information AS the (SLSA) community with community consensus, to then present to the BROADER community. Am I naive in that assumption? |
We support 2 kinds of posts:
We don't have any posts which are random thoughts from a random person or company. We are happy to take feedback to improve this process or jot it down more formally. PRs welcome! |
Thanks for clarifying @inferno-chromium. To explain a bit more, I did not mean to suggest anyone can post without review, so apologies for any confusion. It was more so, guest posts appear to be more appropriate for the guests' social media feed versus a community feed. I do see the "fine print", but a concern would be that most folks would not see/read that, just like the fine print at the bottom of television ads that most people don't even bother looking at ;-). Perhaps we can add something more subtle, such as "Guest Post by < author >" and when it's a community post it's just "by SLSA"? Just a thought :-) |
Very happy to hear your thoughts. Can you please add an agenda item for the next SLSA community meeting to discuss. Also, see if you can propose this change via a PR. That addition of prefixes/suffixes in the author list to make it clear seems ok to me. As always, we would love for you to join the steering committee and contribute to SLSA/review these posts. |
"Guest post by" vs "Official post by" (or something like that) sounds like a good idea to me. Thanks! If you all think that the "guest" vs "official" distinction isn't too meaningful in practice, I'm also open to dropping that. |
Not sure how to see a list of issues I've commented on (I tend to lose them and it takes me forever to find them again). I did add this to the agenda for next time. Thanks @inferno-chromium @MarkLodato! |
Aside: you can find issues you've commented on with a query of |
This has been implemented for a while now. Marking as resolved. If there are further issues with the blog, please open a more specific issue. |
I suggest that we create a SLSA Blog. The posts would be presented as opinions of the author, not necessarily of the SLSA project. Benefits:
Thoughts?