
[Technical Initiative Funding Request]: Technical Writer for Package Yanking Guidance #414

steiza opened this issue Nov 25, 2024 · 1 comment

steiza commented Nov 25, 2024

Technical Initiative

Securing Repositories Working Group

Lifecycle Phase

Graduated

Funding amount

$4000

Problem Statement

Software repositories are looking for guidance on when to allow a previously published package to be deleted. This is tricky, as a flexible policy makes it easy to recover from releases that are mistakenly published, whereas a restrictive policy prevents supply chain attacks.

Who does this affect?

People who operate software repositories (PyPI, RubyGems, Rust Crates, NuGet, etc.)

Have there been previous attempts to resolve the problem?

Not to solve this specific problem (that I'm aware of) but other guidance our working group has published has been well received (like https://repos.openssf.org/trusted-publishers-for-all-package-repositories)

Why should it be tackled now and by this TI?

Because people are asking for it! https://openssf.slack.com/archives/C034CBLMQ9G/p1732095578884899 Even though our guidance might not be published in time for Rust Crates to make use of it, it will help other repositories who take on this problem in the future.

Give an idea of what is required to make the funding initiative happen

  1. We will contract a technical writer to research existing policies in this space (like https://docs.npmjs.com/policies/unpublish, https://pypi.org/help/#file-name-reuse, https://peps.python.org/pep-0541/, https://peps.python.org/pep-0592/, and others)
  2. Draft a pull request in https://github.com/ossf/wg-securing-software-repos
  3. Get community feedback from people who have written these policies in the past, and from people who would write a policy like this in the future
  4. Respond to the feedback and merge the PR

What is going to be needed to deliver this funding initiative?

A technical writer (see above)

Are there tools or tech that still need to be produced to facilitate the funding initiative?

No, we'll be writing guidance on policy and documentation that the software repositories would host on their website

Give a summary of the requirements that contextualize the costs of the funding initiative

This will give us 40 hours of a technical writer's time to research, draft, and respond to community feedback

Who is responsible for doing the work of this funding initiative?

TBD - does OpenSSF select the technical writer? Or do I recommend someone?

Who is accountable for doing the work of this funding initiative?

Zach Steindler, co-chair of Securing Repos Working Group

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

Dustin Ingram, co-chair of Securing Repos Working Group

What license is this funding initiative being used under?

https://github.com/ossf/wg-securing-software-repos/blob/main/LICENSE

Code of Conduct

  • I agree to follow the OpenSSF's Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

Jan 2025 - draft pull request created
Feb 2025 - respond to community comments and land content

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

We'll need to work with OpenSSF staff to create a formal statement of work. Roughly:

@riaankleinhans

/cc @riaankleinhans

@riaankleinhans riaankleinhans added the TI Funding Request Quarterly TI requests for funding. Needs 5 approvals, 7d review. label Nov 25, 2024