Proposal for establishing the SIG Security

[jpkrohling]

Based on the discussion from open-telemetry/opentelemetry-collector-releases#207, I would like to propose the creation of the SIG Security. The SIG would be responsible for establishing the patterns to be adopted by other SIGs and repositories, as well as serve as a go-to place for security inquiries.

Initially, the SIG would have @cpanato and me, and we are open to having anyone else who'd want to join us.

This would NOT be a security response team (although we can kick off a discussion around that if needed).

[jpkrohling]

@reyang volunteered to be a sponsor for this proposal.

[reyang]

@reyang volunteered to be a sponsor for this proposal.

Yup 👍

[cpanato]

thanks for the trust and +1

[arminru]

+1 on this initiative!

It would be great if the security of our Github actions/workflows/automations/secrets and repo settings could be covered there as well.
Only if they are solid, signed binaries like the ones produced by open-telemetry/opentelemetry-collector-releases#207 can actually be considered trustworthy.

[cpanato]

definitely we can work on those things as well

[reyang]

@jpkrohling consider borrow from open-telemetry/opentelemetry-specification#3112 PR description.

[jpkrohling]

I had too many things on my plate and couldn't follow up. I'll likely be able to give more attention to this and make a formal proposal for this SIG following @reyang's suggestion.

[cartersocha]

I'm willing to help out @jpkrohling

[cartersocha]

I created a draft issue @cpanato @jpkrohling

#1454

[jpkrohling]

SIG is there for a while now, closing.