Comments (14)
@kairoaraujo sorry, to clarify, I meant that discovery of all OpenSSF-adjacent orgs is pretty easy with an OpenSSF org readme that points to all the sub-orgs, including repository-service-tuf
I don't have a problem with having separate GH orgs as long as we have clear docs pointing to the correct locations and affiliations appropriately noted.
Sgtm on the separate org.
Separate org sounds fine to me as well.
Here are more details from the RSTUF project on why they think a separate organization would make sense in this case.
Fundamentally, the RSTUF project has multiple components/repositories: repository-service-tuf (umbrella), repository-service-tuf-api, repository-service-tuf-cli, repository-service-tuf-worker. They have multiple components and maybe in the future we will have more (analytics, webui, etc...). Instead of having it be under the ossf organization, they think it'd be a better structure to have it under another org also owned by OpenSSF. More detailed rationale:
- The development and contribution experience is not good having to search for the repositories/components in bigger repositories such as ossf
- The same for the user experience, to report a bug or something
- They use issues and milestones, per component/repository. But the RSTUF roadmap is controlled by GitHub Projects. They also think it's very confusing having the Projects on top of an Organization with multiple parts.
Hopefully I've captured their concerns accurately (please let me know if I got something wrong!). The main thing I'm trying to do is highlight something unusual ahead of time, so that people can think it through.
BTW: To get going, we can create this as a separate organization while the TAC decides if that's okay. If it's not okay, we can move things.
You can put all of these together under a single GitHub Enterprise account if you want them grouped together for manageability, billing, etc. It doesn't particularly help with discoverability, however. https://docs.github.com/en/enterprise-cloud@latest/admin/overview/about-enterprise-accounts
Discoverability is solved pretty easily with an org-level readme that points to all related orgs.
> Discoverability is solved pretty easily with an org-level readme that points to all related orgs.

The idea is not to have multiple organizations for RSTUF, but one repository-service-tuf organization and all the repositories as part of this organization.
Would org-wide policies, for example, a SECURITY.md file, be the same across all orgs, or be unique? If they are the same, then there may need to be some automation to automatically sync the .github repository between these different organizations.

@JLLeitschuh I think potentially they could be different, but in the cases where they're desired to be the same, we'd indeed set up a GitHub Action on a cron in all the non-ossf orgs, to keep them in sync.
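One way the cron-driven sync mentioned above could look, as an added illustration that is not part of this thread or of any OpenSSF or RSTUF repository: a workflow placed in the non-ossf org's `.github` repository that periodically copies the shared policy files from an assumed upstream source repository (`ossf/.github` is an assumption here, as is the file list and the weekly schedule) and commits them only when they actually differ. It uses the job's own `GITHUB_TOKEN` with `contents: write`, so no long-lived personal access token has to be stored in the target org.

```yaml
# Assumed location: .github/workflows/sync-org-policies.yml in the
# non-ossf org's `.github` repository (example, not project code).
name: Sync org-wide policy files from upstream

on:
  schedule:
    - cron: "0 6 * * 1"      # weekly, Monday 06:00 UTC (assumed schedule)
  workflow_dispatch:          # allow a manual run after an upstream change

# Least privilege: the job only needs to push to this repository.
permissions:
  contents: write

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: Check out this org's .github repository (the sync target)
        uses: actions/checkout@v4
        with:
          path: target

      - name: Check out the upstream policy source (assumed: ossf/.github)
        uses: actions/checkout@v4
        with:
          repository: ossf/.github
          path: source

      - name: Copy the shared policy files (assumed file list)
        run: |
          for f in SECURITY.md CODE_OF_CONDUCT.md; do
            cp "source/$f" "target/$f"
          done

      - name: Commit and push only if something changed
        working-directory: target
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add SECURITY.md CODE_OF_CONDUCT.md
          if git diff --cached --quiet; then
            echo "Policy files already in sync"
            exit 0
          fi
          git commit -m "Sync org-wide policy files from upstream"
          git push
```

Because the files are only ever pulled from the upstream org and never pushed back, a compromise of one satellite org cannot alter the policy that the others receive; reviewing the upstream `.github` repository's history is then enough to audit every policy change across all orgs.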
This I think is done: https://github.com/repository-service-tuf
Soon when we have the GitHub Enterprise Account it will be tied with OpenSSF.

Can this issue be closed now?
@SecurityCRob
Yes, RSTUF is already using the https://github.com/repository-service-tuf
Thank you!