Discuss OpenChain and ISO compliance

[jenstroeger]

The OpenChain project maintains two ISO standards related to software supply chains (ISO/IEC 5230 and ISO/IEC 18974), and for more context see also Transforming the Supply Chain with Openchain.

I’ve not yet noodled through these sources thoroughly and in depth, but I wanted to start a discussion on whether it would make sense for Macaron to provide a set of policies that check for compliance. In other words: if a package passes those policies it would comply to the OpenChain & ISO requirements.

[behnazh-w]

Thanks @jenstroeger . To enable Macaron to check compliance with these ISO standards, we need to first identify which additional checks are required to collect the required evidence. Then we can design Datalog policies that enforce compliance with each standard.

The current checks in Macaron are listed here. We need to determine which additional checks are required.

We also need to create new Datalog policies. The policy that the Graal Development Kit (GDK) team is using in their build pipeline for SLSA compliance can be found here as an example. We can add similar policies for the ISO standards that verify the relevant checks in Macaron pass.