ossf / tac
Technical Advisory Council
Home Page: https://openssf.org
License: Other
When a working group reaches Active state it should have latitude to accomplish its work, only seeking TAC or Governing Board approval for limited cases.
Consider what creates the most efficiency for adding value to the open source community balanced with what oversight ensures the most quality.
Some example items for consideration:
Here are some opinions to get the conversation started (the word Active is omitted below for brevity)...
Projects
The TAC authorizes all Technical Initiatives, including projects. However, the working groups are intended to be the subject matter experts in their domains. Consequently, Projects should be proposed to Working Groups, who will then vet and/or revise the proposals before recommending them to the TAC.
Papers
As the working groups are intended to be the subject matter experts in their domains, they should author papers for release through the OpenSSF without TAC approval. All papers should still follow open source best practices including transparency in development and avoiding vendor bias.
(Note that at this time the OpenSSF is also considering a committee to review white papers. If that is approved then all authors would submit for review through that committee.)
Repositories
Working groups should be able to create repositories as needed under their org. A project approved by the TAC should have its own org and the ability to create repos under it, regardless of which working group recommended it to the TAC.
Funding
Working Groups may request funding for activities from the Governing Board.
Projects are distinct Technical Initiatives and may also directly request funding from the Governing Board (i.e. there is no request hierarchy requiring projects to go through working groups nor working groups through the TAC).
Working Groups may not request donations directly from third parties but may encourage those parties to join the OpenSSF and/or engage the Governing Board to facilitate donations. (The assumption is that there are too many legal and accounting considerations for working groups to handle donations directly.)
We have a community calendar here: https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ
We should get all the WG meetings published here.
Who should be the Election Officials?
Suggestion:
As part of ossf/gb-planning-committee#7 we want the main OSSF site to give a list of the current working groups as well as links to mailing lists, calendars, and other useful resources. But we don't want to be editing this information by hand. We could certainly collate a lot of this from the existing github settings.yml
This issue is to figure out if that's enough or if there is a use in having WGs provide more metadata we could collate so everything can be automated and never ends up out of date.
From the Strategy WG proposal:
- list of working groups, description, link to repos
We can get this from all the settings.yml
- WG: Meetings. <link to Google calendar(s), and information about how to add to your own calendar>
All these should be in the main OSSF calendar. Perhaps, as that calendar gets large and if WGs end up with meetings for sub-projects, there should be some way to find them on a per-sub-project basis (and/or without having to use a Google calendar).
Mailing lists.
All these should already be here: https://lists.openssf.org/g/main/subgroups, but perhaps a list with longer descriptions will be useful if projects end up with multiple lists.
Slack.
Perhaps a list of the channels/rooms (again, it's kind of obvious until we have many WGs with sub-projects).
Google Drive folders
Recorded meeting videos
Current WG's do have a mix of location of agendas and minutes and recordings, so collating these links would be useful.
Blog posts
I've not seen how blog posts will work yet, so it's unclear whether this is needed or will be obvious.
(I brought this up on a strategy call as The Apache Software Foundation does this by having projects publish information in DOAP with a master list of the locations of these files, https://svn.apache.org/repos/asf/comdev/projects.apache.org/trunk/data/projects.xml and here is a good example of a specific DOAP RDF file: http://svn.apache.org/repos/asf/tomcat/site/trunk/docs/doap_Tomcat.rdf and all this ends up used all over the site for project listings etc. But I'm not proposing using this legacy solution given we can just collect things in a yml file (and probably needing a separate file to not overload/confuse the bot that parses settings.yml))
Proposal
Keep Ryan Haning & Dan Lorenc as the TAC chair and rep respectively for the duration of the current term.
The Alpha-Omega project has been proposed to the TAC and requires a vote to move forward to the Governing Board for budget approval.
TAC Reps, please provide your vote by leaving a comment on this issue with either an 'Approve' or 'Reject'.
https://slack.openssf.org/ shows:
This link is no longer active
To join this workspace, you’ll need to ask the person who originally invited you for a new link.
Hello, it appears that the link to join the Slack workspace in the README is no longer working: https://slack.openssf.org/
I saw this was recently fixed in #46 too.
Thanks
There is a new release of OWASP Security Knowledge Framework coming up. This learning platform has been chosen by the OSSF Best Practices working group as part of its strategy, and we'd like to announce this release and mention that it's part of the OSSF effort.
We'd like
OWASP Security Knowledge Framework (SKF) has had a major refactor!
Thanks to Google Summer of Code we were able to get in contact with an awesome UX designer (Akash) who helped us create a new and fresh look and feel for the OWASP SKF application! Not only did the front-end change a lot, we also added a feature for our SKF-labs and OWASP Juice Shop that helps you deploy your favourite labs on the spot through the SKF UI!
We created a standardized set of design patterns to go. These design patterns make it easier than ever to get started with ASVS and get your requirements into your projects. ASVS level 1 controls now also have best-practice code examples and automated test cases (OWASP ZAP, CodeQL …) correlated to them, so you know where to get started for your test automation!
We are also really happy to announce that we have started a collaboration with the OSSF to help improve SKF with a dedicated team of experts to further iterate the platform to the next level. Through the OSSF, we intend to provide SKF as a SaaS platform so you no longer have to find a place to host it, making it easier than ever before to get started with the SKF and build applications secure by design!
More information can be found on GitHub
Should update the README to make clear:
We will be using the description listed in the .github/settings.yml to populate the OpenSSF website getting started page and include in an upcoming press release. Please create the file and edit the description field to include a short (1-2 sentence) description of the TAC. Due Date - Thursday 10/8/2020
See example here:
https://github.com/ossf/gb-planning-committee/blob/master/.github/settings.yml
establish mailing list for each incubating (or active) technical initiative https://lists.openssf.org/g/main/subgroups
The Best Practices WG wants to prepare the Go to market of the learning platform. This learning platform is leveraging the existing OWASP Security Knowledge Framework. This platform is available for everyone to deploy locally but we'd like to offer a public instance on the cloud, that the community could contribute to in terms of labs and content.
The requests below are needed to prepare this go to market
TAC to create OpenSSF 12-month Roadmap in time for announcement at the next quarterly press release (end of January 2021).
Starter document here: https://docs.google.com/document/d/1yLo713am8_hvU90Lw0YdYBvXhfTjh7Shn4ATXPNX9ic/edit?ts=5f970f6b#heading=h.vpw70bcgenot
Technical Vision is tracked at: #40
I'd like to add
If your organization is a member of OpenSSF, we will create a GitHub team for you to manage individual membership.
Please provide the GitHub handle(s) of your desired team maintainers:
They will be responsible for adding any new team members to the appropriate team.
If you're not part of the OpenSSF GitHub org, you can be added. You do not need to be part of an organization which is a member of OpenSSF.
Please provide your GitHub handle:
naveensrinivasan
https://github.com/ossf/scorecard/graphs/contributors
https://github.com/ossf/scorecard/pulls?q=+is%3Apr+author%3Anaveensrinivasan+
https://github.com/ossf/package-feeds/pulls?q=+is%3Apr+author%3Anaveensrinivasan
If you're part of a member organization of the OpenSSF, please ask to be added to the appropriate team.
Ongoing discussion on the openssf-gb and openssf-tac mailing lists. I am coordinating feedback in-thread on a proposal created for how this will work.
"annually electing a chairperson to preside over meetings, set the agenda for meetings, ensure meeting minutes are taken, and who will also serve on the Governing Board as the TAC’s representative (the “TAC Representative”)"
Some of the WGs are getting started on code and specifications. We should figure out what we need to do for CLAs and licensing across the OSSF.
The OpenSSF charter calls for one Governing Board member who is a Security Community Individual Representative elected by contributors to Technical Initiatives.
This issue is to request that the TAC identify how this person shall be nominated and elected, and the timeframe for doing so.
We should be eating our own cooking, don't you think?
Hi Folks!
We'd like to launch metrics.openssf.org soon, and were wondering how we can get a DNS entry set up. I can provide the destination IP address, but I'm not sure what the process (approval or technical) is for this. We think LF would do the actual work, but we'd like to make sure you're all on board.
Mike
We'd like to change the license for the Project-Security-Reviews from the current/default (Apache) to CC-BY-4.0. (The repository is not public, so perhaps I should be saying, "we'd like to start with the CC-BY-4.0 license.")
The overwhelming majority of the content in the repository/project will be user-contributed documentation (security reviews), and as such we think that requiring attribution in any derivatives is important.
There will be a few other things in the repository (build scripts, validation, templates, etc.) that could be licensed under Apache if needed.
Currently the TAC is comprised of 7 seats. It has been suggested that increasing the size of the TAC could improve effectiveness by increasing diversity and varying viewpoints. It has also been mentioned that too large a TAC could hamper progress, but also that no one had directly observed this.
Suggestion: Increase to 7 or 9 seats for the next year and revisit before the next election.
Proposal:
For the 10/30 planning milestone, the strategy committee would like to announce consolidation of OpenSSF, LF and CII initiatives.
Several of the WG's (Best Practices, Identifying Security Threats and Critical Projects) are or will be investigating adoption of the identified initiatives into their own.
This issue is a placeholder for the TAC to review and approve WG proposals, ideally by the 10/6 meeting.
Identifying Security Threats WG: $41,600
    Hosting: $1,600 Azure credits
    Development: $40,000
Developer Best Practices WG: $63,100
    Operational: $30,000
    Development - SKF SSO WebHook: $13,100
    Development - SKF Labs: $20,000
We have recently had several new members joining the vulnerability disclosures WG.
How can I invite them to this GitHub org?
Proposal:
Keep TAC size at 7 members
The TAC is to define the Technical Vision for OpenSSF for the next 3-5 years. An annual roadmap (#37) of detailed work will be created separately.
Timeline:
Guidelines/ideas for defining the vision:
Working Group categorization:
The charter states that the TAC needs to figure out its composition and election process after bootstrapping.
Based on @jenniferfernick's comment here: #41 (comment)
I decided to take a quick look at what "resources" WGs are currently using and what they might want/need.
I'm probably missing some, but let's use this as a place to collect a "wishlist" to take to the GB as they consider budgets. We might even be able to get some member companies to kick in help in the meantime. If I missed anything, let me know in the comments and I'll merge back up into this list.
Nothing was obvious from scrolling through the meeting notes/repo.
The CVE benchmark repo is in a separate GitHub org. It's unclear if this has been properly merged into the OSSF yet, but that's tracked here: #35
Looks like they have some other stuff going on in personal repos/other orgs that might need to be moved over here eventually: (I don't know the actual intent, just guessing based on conversations I skimmed)
This is run manually right now I think, so no real infrastructure. The results got published on GCS, but it's just a few small text files that could easily be moved to anywhere.
Nothing is really setup here yet. I was going to try running it in a GKE cluster once we get a little farther along.
I've funded a few efforts (ISRG, etc.) directly from Google that have presented or asked in these meetings. We'll get a lot more of these requests, and I won't be able to keep up forever. That's working as intended :)
The main assets here are the awesome presentations hosted on Youtube. I think there's a "round up" blog post coming soon to summarize all of these from Gavin and @kimsterv
There's also talk of a few other whitepapers/publications that could just be hosted out of the repo and linked to from openssf.org.
As discussed during the last TAC, sigstore is interested in joining the OpenSSF as a project. This issue is to facilitate discussions within the TAC.
sigstore is an open source answer to software supply chain trust and security. It consists of a community of 386 contributors across 20 organizations, who produce the tools and services to allow developers to easily sign, verify and attest all supply chain artifacts.
sigstore is currently situated in the Linux foundation as its own project and is now receptive to joining with the OpenSSF to help drive the improvement of supply chain security.
sigstore will run as a public-good, non-profit service funded by supporters. The project has to date already been in soft launch for over 6 months, with almost 1 million signing records stored within its public ledger service.
sigstore has secured an initial funding bootstrap via Chain Guard, Red Hat, Google, VMWare, Cisco, HPE to help with the large adoption the project is experiencing by means of a professional security audit and developer relations engineer. sigstore is supportive of receiving funding under the OpenSSF and seeking synergies around the supply chain space. This would place sigstore as an OpenSSF project, under the OpenSSF brand.
sigstore is currently being implemented into the scorecards project.
Various quotes on sigstore:
“Securing a software deployment ought to start with making sure we're running the software we think we are. sigstore represents a great opportunity to bring more confidence and transparency to the open source software supply chain.” Josh Aas, Executive Director at ISRG / Let's Encrypt
“sigstore will make code signing free and easy for software developers, providing an important first line of defense.” Lily Hay Newman, Wired Magazine
“sigstore a small big significant step towards making OSS more secure: easy code signing and verification.” Urs Hölzle, SVP Engineering at Google
“sigstore is a key step towards building trust and transparency in the open source supply chain.” Chris Wright, CTO at Red Hat
Further details:
Hi TAC 👋!
Within the Security Tooling working group, we've been working on an initiative called "CVE benchmarking" (working title, might change). The idea is quite simple:
(eslint, jslint, jshint)
All of the above lives in a collection of repositories:
We've almost finished creating the first version of the tooling and the data set (specifically for JavaScript CVEs). In fact, our talk proposal for Black Hat Europe has been accepted, so we'll be announcing it there on 7-10 December.
We'd love to release this tooling and data under the OpenSSF flag. In particular, we'd love for the repositories to be published in an OpenSSF GitHub org. For example, we could consider:
(It goes without saying that I'm very happy to talk about details like repository structure — the above is just an example)
It'd also be great if we could bundle our efforts on the announcement side of things.
What's the best way to proceed? To give an idea of timelines: the BlackHat talk needs pre-recording, which we're hoping to do in the week of Monday 9 November.
cc @greysteil, @mayakacz