Proposal: New GitHub *organization* as part of OpenSSF: something like repository-service-tuf about tac HOT 14 CLOSED

@kairoaraujo sorry, to clarify, i meant that discovery of all OpenSSF-adjacent orgs is pretty easy with an OpenSSF org readme that points to all the sub-orgs, including repositry-service-tuf

from tac.

I don't have a problem with having separate GH orgs as long as we have clear docs pointing to the correct locations and affiliations appropriately noted.

from tac.

Sgtm on the separate org.

from tac.

Seperate org sounds fine to me as well.

from tac.

Here are more details from the RSTUF project on why they think a separate organization would make sense in this case.

Fundamentally, the RSTUF project has multiple components/repositories, repository-service-tuf (umbrella), repository-service-tuf-api, repository-service-tuf-cli, repository-service-tuf-worker. They have multiple components and maybe in the future we will have more (analitics, webui, etc...). Instead of having it be under the ossf organization, they think it'd be a better structure to have it under another org also owned by OpenSSF. More detailed rationale:

• The development and contribution experience is not good having to search the repositories/components in a bigger repositories such as ossf
• The same for the user experience, to report a bug or something
• They use issues and milestones , per component/repositories. But the RSTUF roadmap is controlled by GitHub Projects. They also think it's very confused having the Projects on top of Organization with multiple parts.

Hopefully I've captured their concerns accurately (please let me know if I got something wrong!). The main thing I'm trying to do is highlight something unusual ahead of time, so that people can think it through.

from tac.

BTW: To get going, we can create this as a separate organization while the TAC decides if that's okay. If it's not okay, we can move things.

from tac.

You can put all of these together under a single GitHub Enterprise account if you want them grouped together for manageability, billing, etc. It doesn't particularly help with discoverability, however. https://docs.github.com/en/enterprise-cloud@latest/admin/overview/about-enterprise-accounts

from tac.

Discoverability is solved pretty easily with an org-level readme that points to all related orgs.

from tac.

Discoverability is solved pretty easily with an org-level readme that points to all related orgs.

The idea is not to have multiple organizations for RSTUF, but one repository-service-tuf organization and all the repositories as part of this organization.

from tac.

Would org-wide policies, for example, a SECURITY.md file be the same across all orgs, or be unique? If they are the same, then there may need to be some automation to automatically sync the .github repository between these different organizations.

from tac.

@JLLeitschuh i think potentially they could be different, but in the cases where they're desired to be the same, we'd indeed set up a github action on a cron in all the non-ossf orgs, to keep them in sync.

from tac.

This I think is done: https://github.com/repository-service-tuf
Soon when we have the Github Enterprise Account it will be tied with OpenSSF.

from tac.

can this issue be closed now?

from tac.

@SecurityCRob
Yes, RSTUF is already using the https://github.com/repository-service-tuf
Thank you!

from tac.