Skip to content

Commit

Permalink
Switch layout from tables to lists
Browse files Browse the repository at this point in the history 
Signed-off-by: Arnaud J Le Hors <[email protected]>
  • Loading branch information
@lehors
lehors committed Nov 28, 2023
1 parent 96ef0b3 commit 9923087
Showing 1 changed file with 70 additions and 38 deletions.
108 changes: 70 additions & 38 deletions process/TI-Gives+Gets.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,48 +5,80 @@ In exchange for meeting certain requirements, the TIs are eligible to receive an

## Sandbox level Gives & Gets

| Gives/Requirements | Gets/Benefits |
| :-----------------------------: | :-----------------------------------: |
| TI must be aligned with the OpenSSF mission and either be a novel approach for existing areas or address an unfulfilled need. It is expected that the initial code needed for an OpenSSF WG to work be kept within their repository and will not function as a project in its own right. Should initial WG code grow and mature that it warrants its own Project status, then it is subject to Sandbox entry requirements. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project. | TI can get assistance with Architecture & Roadmap Alignment |
| TI must maintain a diversified contributor base (i.e. not a single-vendor project). TI must have a minimum of two maintainers with different organization affiliations. | Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. |
| TI must find an aligned WG to host the TI and must have a TAC sponsor that can help guide the TI through processes. | TI receives guidance on technical direction from TAC sponsor |
| TI agrees to follow the [Secure Software Development Guiding Principles](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/SecureSoftwareGuidingPrinciples.md) and the [Open Source Consumption Manifesto](https://github.com/ossf/wg-endusers/tree/main/MANIFESTO). | Receives OpenSSF Code of Conduct Committee support.|
| If contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). | Reserved space for project updates in OpenSSF newsletters.|
| Provides quarterly updates to the TAC on technical vision and progress on vision. | May request infrastructure support from the OpenSSF. |
| TI will have a [SECURITY.md](http://security.md/) that describes how the Project manages vulnerabilities, or more broadly how the OSSF handles vulnerability reports | Projects may say they are, "A sandbox project in the OpenSSF" or "An experimental project in the OpenSSF." Gets an "sandbox" logo that is shared amongst all OpenSSF sandbox TIs. |
| | Communication & Collaboration - OpenSSF mailing list, OpenSSF Slack channel, OpenSSF GitHub, OpenSSF Calendaring / Recording, OpenSSF Social Media & External Engagement Support |
| | Governance & Administration - TI Charter Development & Review, TI Technical Steering Committee Setup, TI IP & License Review, TI Operations & Maintenance, Technical Support |
### Gives/Requirements

* TI must be aligned with the OpenSSF mission and either be a novel approach for existing areas or address an unfulfilled need. It is expected that the initial code needed for an OpenSSF WG to work be kept within their repository and will not function as a project in its own right. Should initial WG code grow and mature that it warrants its own Project status, then it is subject to Sandbox entry requirements. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project.
* TI must maintain a diversified contributor base (i.e. not a single-vendor project). TI must have a minimum of two maintainers with different organization affiliations.
* TI must find an aligned WG to host the TI and must have a TAC sponsor that can help guide the TI through processes.
* TI agrees to follow the [Secure Software Development Guiding Principles](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/SecureSoftwareGuidingPrinciples.md) and the [Open Source Consumption Manifesto](https://github.com/ossf/wg-endusers/tree/main/MANIFESTO).
* If contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF).
* Provides quarterly updates to the TAC on technical vision and progress on vision.
* TI will have a [SECURITY.md](http://security.md/) that describes how the Project manages vulnerabilities, or more broadly how the OSSF handles vulnerability reports

### Gets/Benefits

* TI can get assistance with Architecture & Roadmap Alignment
* Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event.
* TI receives guidance on technical direction from TAC sponsor
* Receives OpenSSF Code of Conduct Committee support.
* Reserved space for project updates in OpenSSF newsletters.
* May request infrastructure support from the OpenSSF.
* Projects may say they are, "A sandbox project in the OpenSSF" or "An experimental project in the OpenSSF." Gets an "sandbox" logo that is shared amongst all OpenSSF sandbox TIs.
* Communication & Collaboration - OpenSSF mailing list, OpenSSF Slack channel, OpenSSF GitHub, OpenSSF Calendaring / Recording, OpenSSF Social Media & External Engagement Support
* Governance & Administration - TI Charter Development & Review, TI Technical Steering Committee Setup, TI IP & License Review, TI Operations & Maintenance, Technical Support


## Incubating level Gives & Gets

| Gives/Requirements | Gets/Benefits |
| :-----------------------------: | :-----------------------------------: |
| All requirements of Sandbox must be fulfilled. PR filed to promote group to Incubating stage. | TI eligible to receive all Gets from Sandbox |
| Group has met no less than 5 times within the last calendar quarter | Receives infrastructure support |
| Maintains a diversified contributor base (i.e. not a single-vendor project) with an active flow of contributions. Projects must have a minimum of three maintainers with a minimum of two different organization affiliations, and document the current list of maintainers. | Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. |
| Projects must have defined a contributor guide, which makes it clear how and when contributors should be given increasing responsibilities towards maintainership of the project. (Example guides: Sigstore, AllStar) | Project may request custom OpenSSF Logo for group |
| Projects should be able to show adoption by multiple parties and adoption's value to the open source community and/or end users (may include adoption of beta/early versions) with the intent to showcase wide adoption by the project's consumers. | Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may not be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName." Projects may say they are an "OpenSSF Incubating Project." |
| TI must have documented, initial group governance. | With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF. |
| Maintains a point of contact for vulnerability reports in the security.md | Receives support with vulnerability disclosure from the OpenSSF (Vulnerability Disclosure WG). |
| Implements, practices, and refines mature software development and release practices such as following a version schema. |
| TI Follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria | May post project updates and tutorials to the OpenSSF blog. |
| Project should be integrating with Scorecards | |
| Begins to establish the appropriate governance that enables its sustainment for potential graduation.| |
| Projects should be Securing Code Repository -> Managing Contributions Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum) + Self-assessment Should OpenSSF require these if the SCM supports it, especially using Sigstore? | |
### Gives/Requirements

All requirements of Sandbox must be fulfilled. PR filed to promote group to Incubating stage.
* Group has met no less than 5 times within the last calendar quarter
* Maintains a diversified contributor base (i.e. not a single-vendor project) with an active flow of contributions. Projects must have a minimum of three maintainers with a minimum of two different organization affiliations, and document the current list of maintainers.
* Projects must have defined a contributor guide, which makes it clear how and when contributors should be given increasing responsibilities towards maintainership of the project. (Example guides: Sigstore, AllStar)
* Projects should be able to show adoption by multiple parties and adoption's value to the open source community and/or end users (may include adoption of beta/early versions) with the intent to showcase wide adoption by the project's consumers.
* TI must have documented, initial group governance.
* Maintains a point of contact for vulnerability reports in the security.md
* Implements, practices, and refines mature software development and release practices such as following a version schema.
* TI Follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria
* Project should be integrating with Scorecards
* Begins to establish the appropriate governance that enables its sustainment for potential graduation.
* Projects should be Securing Code Repository -> Managing Contributions Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum) + Self-assessment Should OpenSSF require these if the SCM supports it, especially using Sigstore?

Check failure on line 46 in process/TI-Gives+Gets.md

View workflow job for this annotation

GitHub Actions / Check Spelling 

`OSFUZZ` is not a recognized word. (unrecognized-spelling)

### Gets/Benefits

TI eligible to receive all Gets from Sandbox plus:
* Receives infrastructure support
* Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event.
* Project may request custom OpenSSF Logo for group
* Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may not be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName." Projects may say they are an "OpenSSF Incubating Project."
* With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF.
* Receives support with vulnerability disclosure from the OpenSSF (Vulnerability Disclosure WG).
* May post project updates and tutorials to the OpenSSF blog.


## Graduated level Gives & Gets
| Gives/Requirements | Gets/Benefits |
| :-----------------------------: | :-----------------------------------: |
| All requirements of Incubating must be fulfilled and additionally: | All Gets from Incubating are valid and additionally: |
| Projects must be able to show a consistent release cadence. | Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. |
| Maintains a point of contact for vulnerability reports and follow coordinated vulnerability disclosure practices. | Receives infrastructure support (details determined by project leads and OpenSSF Budget Committee). |
| Implements, practices, and refines mature software development and release practices, such as adherence to semantic versioning, and having a declared policy for stable releases and backported fixes. | May post project updates and tutorials to the OpenSSF blog. |
| Projects must have documented project governance and be able to demonstrate that governance in action. | May request OpenSSF budget for project improvements such as security audits or time-bound contracting needs. |
| When applicable, projects must have completed a security audit through a third party and addressed audit findings and recommendations. | May request OpenSSF budget for sustained maintainer stipends (details determined by OpenSSF and project leads). |
| When applicable, Projects should achieve **BLAH** level of SLSA | With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF.|
| | Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName." |
| | May request considered for Grants |
| | May request consideration to get Contract Developers |
| | Requests for one time funding needs to include: Tech writer, Graphic designer, Security audit, Event support, Outreach, Dashboard/reports, Recognition awards, Infrastructure support for software projects (like special build, QA) (will have ongoing operational expense), Cloud hosting (will have ongoing operational expense) |

### Gives/Requirements

All requirements of Incubating must be fulfilled and additionally:
* Projects must be able to show a consistent release cadence.
* Maintains a point of contact for vulnerability reports and follow coordinated vulnerability disclosure practices.
* Implements, practices, and refines mature software development and release practices, such as adherence to semantic versioning, and having a declared policy for stable releases and backported fixes.
* Projects must have documented project governance and be able to demonstrate that governance in action.
* When applicable, projects must have completed a security audit through a third party and addressed audit findings and recommendations.
* When applicable, Projects should achieve **BLAH** level of SLSA

### Gets/Benefits

TI eligible to receive all Gets from Incubating plus:
* Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event.
* Receives infrastructure support (details determined by project leads and OpenSSF Budget Committee).
* May post project updates and tutorials to the OpenSSF blog.
* May request OpenSSF budget for project improvements such as security audits or time-bound contracting needs.
* May request OpenSSF budget for sustained maintainer stipends (details determined by OpenSSF and project leads).
* With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF.
* Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName."
* May request considered for Grants
* May request consideration to get Contract Developers
* Requests for one time funding needs to include: Tech writer, Graphic designer, Security audit, Event support, Outreach, Dashboard/reports, Recognition awards, Infrastructure support for software projects (like special build, QA) (will have ongoing operational expense), Cloud hosting (will have ongoing operational expense)

0 comments on commit 9923087

Please sign in to comment.