tac's People

Contributors

aevaonline, afmarcum, annabellegoth2boss, betarelease, bobcallaway, camaleon2016, caniszczyk, david-a-wheeler, dcmiddle, di, dlorenc, gkunz, hythloda, idunbarh, inferno-chromium, jsoref, kaywilliams, krtaylor, lehors, ljharb, lukehinds, marcelamelara, mayakacz, mlieberman85, rhaning, sbtaylor15, securitycrob, sevansdell, steiza, theheels

tac's Issues

Define Active Working Group Abilities

When a working group reaches Active state it should have latitude to accomplish its work, only seeking TAC or Governing Board approval for limited cases.

Consider what creates the most efficiency for adding value to the open source community balanced with what oversight ensures the most quality.

Some example items for consideration:

  • Projects
  • Papers
  • Repositories
  • Funding

Here are some opinions to get the conversation started (the word Active is omitted below for brevity)...

Projects
The TAC authorizes all Technical Initiatives including projects. However the working groups are intended to be the subject matter experts in their domains. Consequently, Projects should be proposed to Working Groups who will then vet and/or revise the proposals before recommending them to the TAC.

Papers
As the working groups are intended to be the subject matter experts in their domains, they should author papers for release through the OpenSSF without TAC approval. All papers should still follow open source best practices including transparency in development and avoiding vendor bias.
(Note that at this time the OpenSSF is also considering a committee to review white papers. If that is approved then all authors would submit for review through that committee.)

Repositories
Working groups should be able to create repositories as needed under their org. A project approved by the TAC should have its own org and the ability to create repos under it, regardless of which working group recommended it to the TAC.

Funding
Working Groups may request funding for activities from the Governing Board.
Projects are distinct Technical Initiatives and may also directly request funding from the Governing Board (i.e. there is no request hierarchy requiring projects to go through working groups nor working groups through the TAC).
Working Groups may not request donations directly from 3rd parties but may encourage those parties to join the OpenSSF and/or engage the Governing Board to facilitate donations. (The assumption is that there are too many laws and accounting considerations for working groups to directly handle donations).

TAC Election: Officials

Who should be the Election Officials?

Suggestion:

  • OpenSSF General Manager
  • OpenSSF Program Director
  • OpenSSF TAC Chair
  • OpenSSF TAC rep from an org that is not the same org as the TAC Chair

WGs to provide more metadata?

As part of ossf/gb-planning-committee#7 we want the main OSSF site to give a list of the current working groups as well as links to mailing lists, calendars, and other useful resources. But we don't want to be editing this information by hand. We could certainly collate a lot of this from the existing github settings.yml.

This issue is to figure out if that's enough or if there is a use in having WGs provide more metadata we could collate so everything can be automated and never ends up out of date.

From the Strategy WG proposal:

  • list of working groups, description, link to repos

We can get this from all the settings.yml

  • WG: Meetings. <link to Google calendar(s), and information about how to add to your own calendar>

All these should be in the main OSSF calendar. Perhaps as that calendar gets large and if WGs end up with meetings for sub-projects then having some way to find them on a per-sub-project basis (and/or outside of having to use a Google calendar)

Mailing lists.

All these should already be here https://lists.openssf.org/g/main/subgroups but perhaps a list with longer descriptions will be useful if projects end up with multiple lists.

Slack.

Perhaps a list of the channels/rooms (again it's kind of obvious until we have many wg's with sub-projects)

Google Drive folders
Recorded meeting videos

Current WG's do have a mix of location of agendas and minutes and recordings, so collating these links would be useful.

Blog posts

I've not seen how blog posts will work yet, so if this is needed or will be obvious.

(I brought this up on a strategy call as The Apache Software Foundation does this by having projects publish information in DOAP with a master list of the locations of these files, https://svn.apache.org/repos/asf/comdev/projects.apache.org/trunk/data/projects.xml and here is a good example of a specific DOAP RDF file: http://svn.apache.org/repos/asf/tomcat/site/trunk/docs/doap_Tomcat.rdf and all this ends up used all over the site for project listings etc. But I'm not proposing using this legacy solution given we can just collect things in a yml file (and probably needing a separate file to not overload/confuse the bot that parses settings.yml))

Vote: Project Alpha-Omega

The Alpha-Omega project has been proposed to the TAC and requires a vote to move forward to the Governing Board for budget approval.

TAC Reps, please provide your vote by leaving a comment on this issue with either an 'Approve' or 'Reject'.

Proposal Document

TAC: Announcement of OWASP SKF's new release

There is a new release of OWASP Security Knowledge Framework coming up. This learning platform has been chosen by the OSSF Best Practices working group as part of its strategy, and we'd like to announce this release and mention that it's part of the OSSF effort.

We'd like

  1. The TAC's review and suggestions on the announcement text below
  2. To know if there is an opportunity to include something about SKF in the upcoming OSSF press release

cc @blabla1337 @RiieCco

OWASP Security knowledge framework (SKF) has had a major refactor!

Thanks to Google Summer of Code we were able to get in contact
with an awesome UX designer (Akash) that helped us create a new and
fresh look and feel on the OWASP SKF application!
Not only did the front-end change a lot, we also added a feature
for our SKF-labs and OWASP-Juice Shop that helps you to deploy your
favourite labs on the spot through the SKF UI!

We created a standardized set of Design patterns to go.
These design patterns make it easier than ever to get started
with ASVS and get your requirements in your projects.

ASVS level 1 controls now also have best practices
code examples and automated test cases correlated (OWASP-ZAP, CodeQL …)
to them so you know where to get started for your test automation!

We are also really happy to announce that we have started a
collaboration with the OSSF to help improve SKF with a dedicated
team of experts to further iterate the platform to the next level.
Through OSSF, we intend to provide SKF as a SaaS platform so you no
longer have to find a place to host it, making it easier than ever
before to get started with the SKF, and building applications secure by design!

More information can be found on GitHub

update README with how to engage

Should update the README to make clear:

  • TAC meetings open to anyone
  • Use GH Issues to request/discuss agenda items
  • link to calendar and indicate recurring meeting time/zoom link

WG Best practices: Learning platform GTM

Problem statement

The Best Practices WG wants to prepare the Go to market of the learning platform. This learning platform is leveraging the existing OWASP Security Knowledge Framework. This platform is available for everyone to deploy locally but we'd like to offer a public instance on the cloud, that the community could contribute to in terms of labs and content.
The requests below are needed to prepare this go to market.

Questions / Requests

  • Need for development and ops resources:
    • 120 dev hours for SKF
    • 180 dev hours for SKF-Labs
    • Permanent: 8h / week for operations
    • These are approximations, details are documented
  • Need 2 k8s clusters on a cloud (GCP? Azure? ...)
  • What will the promotion plan look like? SKF is currently an OWASP project. Apart from putting the OSSF logo and text on the SKF platform and project, and referencing the project on the OSSF page, is there something else we want to do?

[GitHub org request] Add organization/team

I'd like to add

  • an organization
  • an individual

Organization - create a team

If your organization is a member of OpenSSF, we will create a GitHub team for you to manage individual membership.

Please provide the GitHub handle(s) of your desired team maintainers:

They will be responsible for adding any new team members to the appropriate team.

Individual - get access to the org

If you're not part of the OpenSSF GitHub org, you can be added. You do not need to be part of an organization which is a member of OpenSSF.

Please provide your GitHub handle:
naveensrinivasan
https://github.com/ossf/scorecard/graphs/contributors
https://github.com/ossf/scorecard/pulls?q=+is%3Apr+author%3Anaveensrinivasan+

https://github.com/ossf/package-feeds/pulls?q=+is%3Apr+author%3Anaveensrinivasan

If you're part of a member organization of the OpenSSF, please ask to be added to the appropriate team.

TAC Election: Seats & Candidates

  • Complete refresh of the TAC, all 7 seats will be up for election.
  • Anyone may self nominate by sending an email to the TAC mailing list.
  • Candidates should submit a 'candidate statement' when self nominating.

Run an election for the TAC Chair

"annually electing a chairperson to preside over meetings, set the agenda for meetings, ensure meeting minutes are taken, and who will also serve on the Governing Board as the TAC’s representative (the “TAC Representative”)"

License/CLA policies

Some of the WGs are getting started on code and specifications. We should figure out what we need to do for CLAs and licensing across the OSSF.

Fill GB Security Community Individual Representative Seat

The OpenSSF charter calls for one Governing Board member who is a Security Community Individual Representative elected by contributors to Technical Initiatives.

This issue is to request that the TAC identify how this person shall be nominated and elected, and the timeframe for doing so.

metrics.openssf.org DNS name

Hi Folks!
We'd like to launch metrics.openssf.org soon, and was wondering how we can get a DNS entry set up. I can provide the destination IP address, but not sure what the process (approval or technical) is on this. We think LF would do the actual work, but we'd like to make sure you're all on board.

Mike

[Project-Security-Reviews] Change license to CC-BY-4.0

We'd like to change the license for the Project-Security-Reviews from the current/default (Apache) to CC-BY-4.0. (The repository is not public, so perhaps I should be saying, "we'd like to start with the CC-BY-4.0 license.")

The overwhelming majority of the content in the repository/project will be user-contributed documentation (security reviews), and as such, we think that requiring attribution in any derivatives is important.

There will be a few other things in the repository (build scripts, validation, templates, etc.) that could be licensed under Apache if needed.

TAC Election: Electorate

  • Those wishing to vote in the election will request a ballot by submitting a (to be created) Google Form.
  • Election Officials will determine eligibility based upon participation/contributions. Note that a contribution does not specifically imply only code contributions.

TAC Election: Should we increase the size of the TAC?

Currently the TAC is comprised of 7 seats. It has been suggested that increasing the size of the TAC could improve effectiveness by increasing diversity and varying view points. It has also been mentioned that too large of a TAC could hamper progress, but also that no one had directly observed this.
Suggestion: Increase to 7 or 9 seats for the next year and revisit before the next election.

TAC Election Process: Member makeup

Proposal:
Keep TAC size at 7 members

  • 4 members are elected by the governing board
  • 3 members are elected by Technical Initiative contributors. Each TI determines who is a contributor and may vote. 1 vote per person across all Technical Initiatives

TAC Election: Process & Tools

  • Utilize OpaVote with "meek stv" ranked-choice voting
  • Election Officials will announce the timeline for nominations and election via the TAC mailing list and Slack channel
  • At the conclusion of the nomination period, the Election Officials will publish the complete list of candidates. Publishing options include, email, doc, and/or TAC repo.
  • Election Officials will validate the eligibility of voters before the election.

TAC to define 3-5 year technical vision

The TAC is to define the Technical Vision for OpenSSF for the next 3-5 years. An annual roadmap (#37) of detailed work will be created separately.

Timeline:

  • Review Draft at TAC meeting December 15
  • Review Final at TAC meeting January 12
  • Press Release Final January 15 (to be confirmed)

Guidelines/ideas for defining the vision:

  1. Aspirational and motivational.
  2. Incorporate current work being done in OpenSSF and also broad enough to incorporate future, related works.
  3. What has changed in 3-5 years because the OpenSSF exists?

Working Group categorization:

  1. Educate – Best Practices
  2. Inform - Identifying Security Threats, Vulnerability Disclosure, Digital Identity Attestation
  3. Protect – Vulnerability Disclosure , Digital Identity Attestation, Security Tooling, Securing Critical Projects

WG Resources

Based on @jenniferfernick's comment here: #41 (comment)

I decided to take a quick look at what "resources" WGs are currently using and what they might want/need.

I'm probably missing some, but let's use this as a place to collect a "wishlist" to take to the GB as they consider budgets. We might even be able to get some member companies to kick in help in the meantime. If I missed anything, let me know in the comments and I'll merge back up into this list.

Vulnerability Disclosures

Nothing was obvious from scrolling through the meeting notes/repo.

Security Tooling

The CVE benchmark repo is in a separate GitHub org. It's unclear if this has been properly merged into the OSSF yet, but that's tracked here: #35

Looks like they have some other stuff going on in personal repos/other orgs that might need to be moved over here eventually: (I don't know the actual intent, just guessing based on conversations I skimmed)

Best Practices

Badges

  • Presumably the CII badging program has some infrastructure somewhere, managed and paid for by someone? I assume @david-a-wheeler knows more. The landing page is still at coreinfrastructure.org. Maybe we want to move that to openssf.org at some point?

SKF

  • The SKF Learning platform is running on a bunch of raspberry pis in @blabla1337's house :)
  • They've requested some type of budget for infrastructure to host this. I'm not quite sure on the exact "ownership" of this project, or even what the intent is. It's also listed as part of OWASP in a few places?
  • The repos are under a personal GitHub (https://github.com/blabla1337/skf-flask)
  • There's a domain (securityknowledgeframework.org)

Scorecards

  • The Scorecards project has a cron that runs every day in a GKE cluster I set up and some text files get published to GCS.

Identifying Security Threats

  • The metrics project appears to be running on Azure somewhere. Probably under @scovetta's account?

Securing Critical Projects

Criticality

This is run manually right now I think, so no real infrastructure. The results got published on GCS, but it's just a few small text files that could easily be moved to anywhere.

Package Feeds

Nothing is really setup here yet. I was going to try running it in a GKE cluster once we get a little farther along.

General Funding

I've funded a few efforts (ISRG, etc.) directly from Google that have presented or asked in these meetings. We'll get a lot more of these requests, and I won't be able to keep up forever. That's working as intended :)

Digital Identity

The main assets here are the awesome presentations hosted on Youtube. I think there's a "round up" blog post coming soon to summarize all of these from Gavin and @kimsterv

There's also talk of a few other whitepapers/publications that could just be hosted out of the repo and linked to from openssf.org.

sigstore joining the OpenSSF as a project

As discussed during the last TAC, sigstore is interested in joining the OpenSSF as a project. This issue is to facilitate discussions within the TAC.

sigstore is an open source answer to software supply chain trust and security. It consists of a community of 386 contributors across 20 organizations, who produce the tools and services to allow developers to easily sign, verify and attest all supply chain artifacts.

sigstore is currently situated in the Linux foundation as its own project and is now receptive to joining with the OpenSSF to help drive the improvement of supply chain security.


sigstore will run as a public good, non-profit service funded by supporters. The project has to this date already been in soft launch for over 6 months with almost 1 million signing records stored within its public ledger service.

sigstore has secured an initial funding bootstrap via Chain Guard, Red Hat, Google, VMWare, Cisco, HPE to help with the large adoption the project is experiencing by means of a professional security audit and developer relations engineer. sigstore is supportive of receiving funding under the OpenSSF and seeking synergies around the supply chain space. This would place sigstore as an OpenSSF project, under the OpenSSF brand.

sigstore is currently being implemented into the scorecards project.

various quotes on sigstore:

“Securing a software deployment ought to start with making sure we're running the software we think we are. sigstore represents a great opportunity to bring more confidence and transparency to the open source software supply chain.” Josh Aas, Executive Director at ISRG / Let's Encrypt

“sigstore will make code signing free and easy for software developers, providing an important first line of defense.” Lily Hay Newman, Wired Magazine

“sigstore a small big significant step towards making OSS more secure: easy code signing and verification.” Urs Hölzle, SVP Engineering at Google

“sigstore is a key step towards building trust and transparency in the open source supply chain.” Chris Wright, CTO at Red Hat

Further details:

https://www.sigstore.dev/

https://github.com/sigstore

TAC: publishing repositories for "CVE benchmarking" initiative in Security Tooling WG

Hi TAC 👋!

Within the Security Tooling working group, we've been working on an initiative called "CVE benchmarking" (working title, might change). The idea is quite simple:

  • Construct a large data set of CVEs, including metadata on fix commits and exact source code location of the vulnerability
  • Tooling that allows the following workflow
    1. Select a bunch of CVEs (e.g. anything related to the OWASP top-10)
    2. Select a bunch of tools to benchmark (e.g. eslint, jslint, jshint)
    3. For every CVE, feed the code base to each of the tools that needs to be benchmarked.
    4. Determine whether the tool (1) detects the vulnerability and (2) recognises the fix
    5. Generate a report that tells you which tool is best for your purposes

All of the above lives in a collection of repositories:

  • A single repo containing the metadata and tooling
  • For every CVE: a repository (a fork of sorts) with the source code of the affected project. We expect there to be ~300 CVEs (so: ~300 repositories) at launch time.

We've almost finished creating the first version of the tooling and the data set (specifically for JavaScript CVEs). In fact, our talk proposal for Black Hat Europe has been accepted, so we'll be announcing it there on 7-10 December.

We'd love to release this tooling and data under the OpenSSF flag. In particular, we'd love for the repositories to be published in an OpenSSF GitHub org. For example, we could consider:

(It goes without saying that I'm very happy to talk about details like repository structure — the above is just an example)

It'd also be great if we could bundle our efforts on the announcement side of things.

What's the best way to proceed? To give an idea of timelines: the BlackHat talk needs pre-recording, which we're hoping to do in the week of Monday 9 November.

People

cc @greysteil, @mayakacz
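The workflow in the issue above (select CVEs, select tools, run each tool over the vulnerable and the fixed snapshot, score detection and fix recognition, report) as an added example. This is not the Security Tooling WG's code: the CVE records, file contents and tool names are constructed here so the harness runs offline, and the "tools" are one-line pattern matchers standing in for real analyzers; a real harness would check out each CVE fork at the fix commit's parent and at the fix commit and invoke eslint/CodeQL/etc. as subprocesses, normalising their output into the same `(path, line)` findings.

```python
"""Added example: scoring harness for the CVE-benchmarking workflow.
Dataset, snapshots and analyzers below are constructed stand-ins, not real
CVE data or real tool integrations."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Finding = Tuple[str, int]                 # (path, 1-based line number)
Snapshot = Dict[str, str]                 # path -> file contents
Analyzer = Callable[[Snapshot], Set[Finding]]


@dataclass(frozen=True)
class CveCase:
    cve_id: str
    categories: FrozenSet[str]            # e.g. OWASP Top-10 buckets
    vuln_loc: Finding                     # exact location in the vulnerable snapshot
    fixed_loc: Finding                    # where the patched code sits in the fixed snapshot
    vulnerable: Snapshot                  # checkout at the fix commit's parent
    fixed: Snapshot                       # checkout at the fix commit


def _grep(snapshot: Snapshot, pattern: str) -> Set[Finding]:
    """Line-oriented matcher standing in for a real analyzer run."""
    rx = re.compile(pattern)
    return {(path, n) for path, src in snapshot.items()
            for n, line in enumerate(src.splitlines(), 1) if rx.search(line)}


# Hypothetical tools. The noisy one flags every query() call, so it "detects"
# the bug but cannot tell the parameterised fix apart from it.
TOOLS: Dict[str, Analyzer] = {
    "concat-sql-rule": lambda s: _grep(s, r"query\(.*\+"),
    "eval-rule":       lambda s: _grep(s, r"\beval\("),
    "any-query-rule":  lambda s: _grep(s, r"query\("),
    "dom-sink-rule":   lambda s: _grep(s, r"innerHTML\s*="),
}

# Constructed records with placeholder IDs (not real CVEs).
DATASET: List[CveCase] = [
    CveCase("CVE-0000-0001", frozenset({"injection"}), ("src/db.js", 2), ("src/db.js", 2),
            {"src/db.js": "function byId(u) {\n  return db.query('SELECT * FROM t WHERE id=' + u);\n}\n"},
            {"src/db.js": "function byId(u) {\n  return db.query('SELECT * FROM t WHERE id=?', [u]);\n}\n"}),
    CveCase("CVE-0000-0002", frozenset({"injection"}), ("src/cfg.js", 1), ("src/cfg.js", 1),
            {"src/cfg.js": "module.exports = (raw) => eval('(' + raw + ')');\n"},
            {"src/cfg.js": "module.exports = (raw) => JSON.parse(raw);\n"}),
    CveCase("CVE-0000-0003", frozenset({"xss"}), ("src/ui.js", 2), ("src/ui.js", 2),
            {"src/ui.js": "function show(el, name) {\n  el.innerHTML = name;\n}\n"},
            {"src/ui.js": "function show(el, name) {\n  el.textContent = name;\n}\n"}),
]


def benchmark(dataset: List[CveCase], tools: Dict[str, Analyzer],
              categories: Set[str]) -> Dict[str, Dict[str, int]]:
    """Run every tool over both snapshots of every CVE in the selected categories.

    A tool scores "detected" when it reports the exact vulnerable location,
    "fix_recognised" when it reports nothing at the patched location, and
    "both" when the same case satisfies both, which is what a user of the
    report actually wants: a true positive that goes away once fixed."""
    selected = [c for c in dataset if c.categories & categories]
    report: Dict[str, Dict[str, int]] = {}
    for name, run in tools.items():
        det = fix = both = 0
        for case in selected:
            detected = case.vuln_loc in run(case.vulnerable)     # (1) flags the bug
            fixed_ok = case.fixed_loc not in run(case.fixed)     # (2) quiet after the fix
            det += detected
            fix += fixed_ok
            both += detected and fixed_ok
        report[name] = {"cases": len(selected), "detected": det,
                        "fix_recognised": fix, "both": both}
    return report


def rank(report: Dict[str, Dict[str, int]]) -> List[str]:
    """Best tool first: most cases detected *and* recognised as fixed,
    then raw detections as a tie-breaker (stable for full ties)."""
    return sorted(report, key=lambda t: (report[t]["both"], report[t]["detected"]),
                  reverse=True)


if __name__ == "__main__":
    result = benchmark(DATASET, TOOLS, {"injection", "xss"})
    for tool in rank(result):
        print(f"{tool:16s} {result[tool]}")
```

Scoring on the fixed snapshot is what separates a useful tool from a noisy one: `any-query-rule` detects the SQL injection case just as well as `concat-sql-rule`, but keeps reporting the parameterised query, so it scores zero on "both" and sorts last.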
