From 34496e21edd1a677b3b37d6e7b0407a9b393cee1 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Mon, 27 Nov 2023 08:57:46 -0500 Subject: [PATCH 01/22] Create TI-Gives+Gets.md first draft for debate to determine requirements of and benefits for TIs. Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 52 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 process/TI-Gives+Gets.md diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md new file mode 100644 index 00000000..da66ce4d --- /dev/null +++ b/process/TI-Gives+Gets.md 
@@ -0,0 +1,52 @@ +# "Gives and Gets" for OpenSSF Technical Initiatives (TI) +The OpenSSF has a large community of contributors and efforts that span the broad spectrum of open source security interests. The Technical Initiaives (TIs) of the foundation are where our members collaborate and help craft unique solutions to addressing improving the security of the open source ecosystem. +In exchange for meeting certain requirements, the TIs are eligable to receive an assortment of benefits and have access to the capabilities of the Foundation's resources. The specific requirements and benefits (aka "Gives and Gets") for each level of maturity are documented below. Based on the specific type of work the TI is focused on (e.g a software project vs. a specificiation or documentation-based effort) the requirements and benefits may slightly differ as applicable. + + +## Sandbox level Gives & Gets + +| Gives/Requirements | Gets/Benefits | +| :-----------------------------: | :-----------------------------------: | +| TI must be aligned with the OpenSSF mission and either be a novel approach for existing areas or address an unfulfilled need. It is expected that the initial code needed for an OpenSSF WG to work be kept within their repository and will not function as a project in its own right. Should initial WG code grow and mature that it warrants its own Project status, then it is subject to Sandbox entry requirements. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project. | TI can get assistance with Architecture & Roadmap Alignment | +| TI must maintain a diversified contributor base (i.e. not a single-vendor project). TI must have a minimum of two maintainers with different organization affiliations. | Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. 
| +| TI must find an aligned WG to host the TI and must have a TAC sponsor that can help guide the TI through processes. | TI receives guidance on technical direction from TAC sponsor | +| TI agrees to follow the [Secure Software Development Guiding Principles](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/SecureSoftwareGuidingPrinciples.md) and the [Open Source Consumption Manifesto](https://github.com/ossf/wg-endusers/tree/main/MANIFESTO). | Receives OpenSSF Code of Conduct Committee support.| +| If contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). | Reserved space for project updates in OpenSSF newsletters.| +| Provides quarterly updates to the TAC on technical vision and progress on vision. | May request infrastructure support from the OpenSSF. | +| TI will have a [SECURITY.md](http://security.md/) that describes how the Project manages vulns, or more boradly how the OSSF handles vuln reports | Projects may say they are, "A sandbox project in the OpenSSF" or "An experimental project in the OpenSSF." Gets an "sandbox" logo that is shared amongst all OpenSSF sandbox TIs. | +| | Communication & Collaboration - OpenSSF mailing list, OpenSSF Slack channel, OpenSSF GitHub, OpenSSF Calendaring / Recording, OpenSSF Social Media & External Engagement Support | +| | Governance & Administration - TI Charter Development & Review, TI Technical Steering Committee Setup, TI IP & License Review, TI Operations & Maintenance, Technical Support | + + +## Incubating level Gives & Gets + +| Gives/Requirements | Gets/Benefits | +| :-----------------------------: | :-----------------------------------: | +| All requirements of Sandbox must be fulfilled. PR filed to promote group to Incubating stage. | TI eligible to receive all Gets from Sandbox | +| Group has met no less than 5 times within the last calendar quarter | | +| Maintains a diversified contributor base (i.e. 
not a single-vendor project) with an active flow of contributions. Projects must have a minimum of three maintainers with a minimum of two different organization affiliations, and document the current list of maintainers. | Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. | +| Projects must have defined a contributor guide, which makes it clear how and when contributors should be given increasing responsibilities towards maintainership of the project. (Example guides: Sigstore, AllStar) | Receives infrastructure support | +| Projects should be able to show adoption by multiple parties and adoption's value to the open source community and/or end users (may include adoption of beta/early versions) with the intent to showcase wide adoption by the project's consumers. | | +| TI must have documented, initial group governance. | | +| Maintains a point of contact for vulnerability reports in the security.md | Receives support with vulnerability disclosure from the OpenSSF (Vulnerability Disclosure WG). | +| Implements, practices, and refines mature software development and release practices such as following a version schema. | +| TI Follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria | | +| Project should be integrating with Scorecards | May post project updates and tutorials to the OpenSSF blog. | With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF. | +| Begins to establish the appropriate governance that enables its sustainment for potential graduation.| Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may not be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName." 
Projects may say they are an "OpenSSF Incubating Project."| +| Projects should be Securing Code Repository -> Managing Contributions Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum) + Self-assessment Should OpenSSF require therse if the SCM supports it, especially using Sigstore? | Project may request custom OpenSSF Logo for group | + +## Graduated level Gives & Gets +| Gives/Requirements | Gets/Benefits | +| :-----------------------------: | :-----------------------------------: | +| All requirements of Incubating must be fulfilled and additionally: | All Gets from Incubating are valid and additionally: | +| Projects must be able to show a consistent release cadence. | Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. | +| Maintains a point of contact for vulnerability reports and follow coordinated vulnerability disclosure practices. | Receives infrastructure support (details determined by project leads and OpenSSF Budget Committee). | +| Implements, practices, and refines mature software development and release practices, such as adherence to semantic versioning, and having a declared policy for stable releases and backported fixes. | May post project updates and tutorials to the OpenSSF blog. | +| Projects must have documented project governance and be able to demonstrate that governance in action. | May request OpenSSF budget for project improvements such as security audits or time-bound contracting needs. | +| When applicable, projects must have completed a security audit through a third party and addressed audit findings and recommendations. | May request OpenSSF budget for sustained maintainer stipends (details determined by OpenSSF and project leads). 
| +| When applicable, Projects should achieve **BLAH** level of SLSA | With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF.| +| | Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName." | +| | May request considered for Grants | +| | May request consideration to get Contract Developers | +| | Requests for one time funding needs to include: Tech writer, Graphic designer, Security audit, Event support, Outreach, Dashboard/reports, Recognition awards, Infrastructure support for software projects (like special build, QA) (will have ongoing operational expense), Cloud hosting (will have ongoing operational expense) | + From 9ed71c50e5351401af8a71d7ab0ec7f2484eabf8 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Mon, 27 Nov 2023 08:59:46 -0500 Subject: [PATCH 02/22] Update TI-Gives+Gets.md typos Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index da66ce4d..cddb1baa 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
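Review bot: the Graduated table ships with the placeholder "When applicable, Projects should achieve **BLAH** level of SLSA"; the SLSA level has to be decided before merge, or the row should be moved to an open-questions section instead of standing as a requirement. Two Incubating rows are malformed for a two-column table: "| Implements, practices, and refines mature software development and release practices such as following a version schema. |" has only one cell, and "| Project should be integrating with Scorecards | May post project updates and tutorials to the OpenSSF blog. | With additional TAC or WG approval, may fundraise ... |" has three, so the fundraising benefit will not render. The last Incubating row also embeds a question to the authors ("Should OpenSSF require therse if the SCM supports it, especially using Sigstore?") inside the requirement text. Both "[SECURITY.md](http://security.md/)" links point at an external domain rather than the project's own SECURITY.md file; use plain text or a relative link. The intro typos (Initiaives, eligable, specificiation, boradly) and "Gets an "sandbox" logo" can be fixed in this same commit rather than in follow-ups.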
@@ -1,6 +1,6 @@ # "Gives and Gets" for OpenSSF Technical Initiatives (TI) -The OpenSSF has a large community of contributors and efforts that span the broad spectrum of open source security interests. The Technical Initiaives (TIs) of the foundation are where our members collaborate and help craft unique solutions to addressing improving the security of the open source ecosystem. -In exchange for meeting certain requirements, the TIs are eligable to receive an assortment of benefits and have access to the capabilities of the Foundation's resources. The specific requirements and benefits (aka "Gives and Gets") for each level of maturity are documented below. Based on the specific type of work the TI is focused on (e.g a software project vs. a specificiation or documentation-based effort) the requirements and benefits may slightly differ as applicable. +The OpenSSF has a large community of contributors and efforts that span the broad spectrum of open source security interests. The Technical Initiatives (TIs) of the foundation are where our members collaborate and help craft unique solutions to addressing improving the security of the open source ecosystem. +In exchange for meeting certain requirements, the TIs are eligible to receive an assortment of benefits and have access to the capabilities of the Foundation's resources. The specific requirements and benefits (aka "Gives and Gets") for each level of maturity are documented below. Based on the specific type of work the TI is focused on (e.g a software project vs. a specificiation or documentation-based effort) the requirements and benefits may slightly differ as applicable. ## Sandbox level Gives & Gets From 70d8ade1bee8cdd5e29fb8a3b384fa02c3d942a8 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Mon, 27 Nov 2023 09:02:33 -0500 Subject: [PATCH 03/22] Update TI-Gives+Gets.md more typos 
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index cddb1baa..d060aae1 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md @@ -1,6 +1,6 @@ # "Gives and Gets" for OpenSSF Technical Initiatives (TI) The OpenSSF has a large community of contributors and efforts that span the broad spectrum of open source security interests. The Technical Initiatives (TIs) of the foundation are where our members collaborate and help craft unique solutions to addressing improving the security of the open source ecosystem. -In exchange for meeting certain requirements, the TIs are eligible to receive an assortment of benefits and have access to the capabilities of the Foundation's resources. The specific requirements and benefits (aka "Gives and Gets") for each level of maturity are documented below. Based on the specific type of work the TI is focused on (e.g a software project vs. a specificiation or documentation-based effort) the requirements and benefits may slightly differ as applicable. +In exchange for meeting certain requirements, the TIs are eligible to receive an assortment of benefits and have access to the capabilities of the Foundation's resources. The specific requirements and benefits (aka "Gives and Gets") for each level of maturity are documented below. Based on the specific type of work the TI is focused on (e.g a software project vs. a specification or documentation-based effort) the requirements and benefits may slightly differ as applicable. ## Sandbox level Gives & Gets 
@@ -13,7 +13,7 @@ In exchange for meeting certain requirements, the TIs are eligible to receive an | TI agrees to follow the [Secure Software Development Guiding Principles](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/SecureSoftwareGuidingPrinciples.md) and the [Open Source Consumption Manifesto](https://github.com/ossf/wg-endusers/tree/main/MANIFESTO). | Receives OpenSSF Code of Conduct Committee support.| | If contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). | Reserved space for project updates in OpenSSF newsletters.| | Provides quarterly updates to the TAC on technical vision and progress on vision. | May request infrastructure support from the OpenSSF. | -| TI will have a [SECURITY.md](http://security.md/) that describes how the Project manages vulns, or more boradly how the OSSF handles vuln reports | Projects may say they are, "A sandbox project in the OpenSSF" or "An experimental project in the OpenSSF." Gets an "sandbox" logo that is shared amongst all OpenSSF sandbox TIs. | +| TI will have a [SECURITY.md](http://security.md/) that describes how the Project manages vulns, or more broadly how the OSSF handles vuln reports | Projects may say they are, "A sandbox project in the OpenSSF" or "An experimental project in the OpenSSF." Gets an "sandbox" logo that is shared amongst all OpenSSF sandbox TIs. | | | Communication & Collaboration - OpenSSF mailing list, OpenSSF Slack channel, OpenSSF GitHub, OpenSSF Calendaring / Recording, OpenSSF Social Media & External Engagement Support | | | Governance & Administration - TI Charter Development & Review, TI Technical Steering Committee Setup, TI IP & License Review, TI Operations & Maintenance, Technical Support | From 95e2a72e2aa5d516ff136cbe91c9bf2dccce1935 Mon Sep 17 00:00:00 2001 
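Review bot: the rewritten SECURITY.md line in the second hunk still says "how the OSSF handles vulnerability reports" while the rest of the document writes "OpenSSF"; since the line is being touched for the typo anyway, align the name and also change "Gets an "sandbox" logo" to "Gets a "sandbox" logo" in the same row.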
From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Mon, 27 Nov 2023 09:04:35 -0500 Subject: [PATCH 04/22] Update TI-Gives+Gets.md last typo? Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index d060aae1..12aa2442 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md @@ -33,7 +33,7 @@ In exchange for meeting certain requirements, the TIs are eligible to receive an | TI Follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria | | | Project should be integrating with Scorecards | May post project updates and tutorials to the OpenSSF blog. | With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF. | | Begins to establish the appropriate governance that enables its sustainment for potential graduation.| Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may not be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName." Projects may say they are an "OpenSSF Incubating Project."| -| Projects should be Securing Code Repository -> Managing Contributions Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum) + Self-assessment Should OpenSSF require therse if the SCM supports it, especially using Sigstore? | Project may request custom OpenSSF Logo for group | +| Projects should be Securing Code Repository -> Managing Contributions Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum) + Self-assessment Should OpenSSF require these if the SCM supports it, especially using Sigstore? | Project may request custom OpenSSF Logo for group | ## Graduated level Gives & Gets | Gives/Requirements | Gets/Benefits | 
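Review bot: fixing "therse" leaves the requirement on that row unreviewable as a requirement: it mixes a navigation path ("Securing Code Repository -> Managing Contributions"), a control list with a stray space ("Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum)"), and an open question to reviewers ("Should OpenSSF require these if the SCM supports it, especially using Sigstore?"). Split it into a stated requirement and a separate open-questions note, and spell out OSFUZZ (presumably OSS-Fuzz) so readers know which tool is meant.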
From 0f00b4f47a3a7fed9b783e6a15371bde1955406c Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Mon, 27 Nov 2023 10:37:30 -0500 Subject: [PATCH 05/22] Update TI-Gives+Gets.md lined 2nd table up better-ish Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index 12aa2442..9bb198c1 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
@@ -23,17 +23,17 @@ In exchange for meeting certain requirements, the TIs are eligible to receive an | Gives/Requirements | Gets/Benefits | | :-----------------------------: | :-----------------------------------: | | All requirements of Sandbox must be fulfilled. PR filed to promote group to Incubating stage. | TI eligible to receive all Gets from Sandbox | -| Group has met no less than 5 times within the last calendar quarter | | +| Group has met no less than 5 times within the last calendar quarter | Receives infrastructure support | | Maintains a diversified contributor base (i.e. not a single-vendor project) with an active flow of contributions. Projects must have a minimum of three maintainers with a minimum of two different organization affiliations, and document the current list of maintainers. | Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. | -| Projects must have defined a contributor guide, which makes it clear how and when contributors should be given increasing responsibilities towards maintainership of the project. (Example guides: Sigstore, AllStar) | Receives infrastructure support | -| Projects should be able to show adoption by multiple parties and adoption's value to the open source community and/or end users (may include adoption of beta/early versions) with the intent to showcase wide adoption by the project's consumers. | | -| TI must have documented, initial group governance. | | +| Projects must have defined a contributor guide, which makes it clear how and when contributors should be given increasing responsibilities towards maintainership of the project. (Example guides: Sigstore, AllStar) | Project may request custom OpenSSF Logo for group | +| Projects should be able to show adoption by multiple parties and adoption's value to the open source community and/or end users (may include adoption of beta/early versions) with the intent to showcase wide adoption by the project's consumers. 
| Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may not be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName." Projects may say they are an "OpenSSF Incubating Project." | +| TI must have documented, initial group governance. | With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF. | | Maintains a point of contact for vulnerability reports in the security.md | Receives support with vulnerability disclosure from the OpenSSF (Vulnerability Disclosure WG). | | Implements, practices, and refines mature software development and release practices such as following a version schema. | | TI Follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria | | -| Project should be integrating with Scorecards | May post project updates and tutorials to the OpenSSF blog. | With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF. | -| Begins to establish the appropriate governance that enables its sustainment for potential graduation.| Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may not be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName." Projects may say they are an "OpenSSF Incubating Project."| -| Projects should be Securing Code Repository -> Managing Contributions Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum) + Self-assessment Should OpenSSF require these if the SCM supports it, especially using Sigstore? | Project may request custom OpenSSF Logo for group | +| Project should be integrating with Scorecards | May post project updates and tutorials to the OpenSSF blog. 
| | +| Begins to establish the appropriate governance that enables its sustainment for potential graduation.| | +| Projects should be Securing Code Repository -> Managing Contributions Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum) + Self-assessment Should OpenSSF require these if the SCM supports it, especially using Sigstore? | | ## Graduated level Gives & Gets | Gives/Requirements | Gets/Benefits | From 8a7eb68e0440960cf2dbb891e5a22c839ac06155 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Mon, 27 Nov 2023 10:38:40 -0500 Subject: [PATCH 06/22] Update TI-Gives+Gets.md more lining Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index 9bb198c1..e29309a6 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
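Review bot: moving benefits into different rows changes what the table appears to promise, because a reader takes the two cells of a row as paired: after this hunk "Group has met no less than 5 times within the last calendar quarter" sits beside "Receives infrastructure support", and "TI must have documented, initial group governance." beside the fundraising benefit, neither of which is a real dependency. If Gives and Gets are independent lists, say so above the table (or switch to two lists) rather than relying on row alignment. The added row "| Project should be integrating with Scorecards | May post project updates and tutorials to the OpenSSF blog. | |" still has a third empty cell, and the unchanged row "| Implements, practices, and refines mature software development and release practices such as following a version schema. |" still has only one.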
@@ -30,8 +30,8 @@ In exchange for meeting certain requirements, the TIs are eligible to receive an | TI must have documented, initial group governance. | With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF. | | Maintains a point of contact for vulnerability reports in the security.md | Receives support with vulnerability disclosure from the OpenSSF (Vulnerability Disclosure WG). | | Implements, practices, and refines mature software development and release practices such as following a version schema. | -| TI Follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria | | -| Project should be integrating with Scorecards | May post project updates and tutorials to the OpenSSF blog. | | +| TI Follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria | May post project updates and tutorials to the OpenSSF blog. | +| Project should be integrating with Scorecards | | | Begins to establish the appropriate governance that enables its sustainment for potential graduation.| | | Projects should be Securing Code Repository -> Managing Contributions Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum) + Self-assessment Should OpenSSF require these if the SCM supports it, especially using Sigstore? | | From 2c5a7a78fd6d872e80e529eeefdd81b2f25b800c Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Mon, 27 Nov 2023 12:04:48 -0500 Subject: [PATCH 07/22] Update process/TI-Gives+Gets.md Co-authored-by: Arnaud J Le Hors Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index e29309a6..5624c6fb 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
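Review bot: the single-cell row "| Implements, practices, and refines mature software development and release practices such as following a version schema. |" is left in this hunk's unchanged context and still breaks the two-column layout; since this commit is the alignment pass, add the missing trailing cell ("... following a version schema. | |") here.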
@@ -1,5 +1,5 @@ # "Gives and Gets" for OpenSSF Technical Initiatives (TI) -The OpenSSF has a large community of contributors and efforts that span the broad spectrum of open source security interests. The Technical Initiatives (TIs) of the foundation are where our members collaborate and help craft unique solutions to addressing improving the security of the open source ecosystem. +The OpenSSF has a large community of contributors and efforts that span the broad spectrum of open source security interests. The Technical Initiatives (TIs) of the foundation are where community members collaborate and help craft unique solutions to address improving the security of the open source ecosystem. In exchange for meeting certain requirements, the TIs are eligible to receive an assortment of benefits and have access to the capabilities of the Foundation's resources. The specific requirements and benefits (aka "Gives and Gets") for each level of maturity are documented below. Based on the specific type of work the TI is focused on (e.g a software project vs. a specification or documentation-based effort) the requirements and benefits may slightly differ as applicable. From 96ef0b38f139f4bc78e3b72d1b7b7156fe7b1772 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Mon, 27 Nov 2023 12:05:13 -0500 Subject: [PATCH 08/22] Update process/TI-Gives+Gets.md Co-authored-by: Arnaud J Le Hors Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index 5624c6fb..b749886e 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
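Review bot: "craft unique solutions to address improving the security of the open source ecosystem" on the rewritten line is still awkward; "craft unique solutions that improve the security of the open source ecosystem" says the same thing directly. On the unchanged line below, "(e.g a software project vs. a specification ...)" needs "e.g." with its period.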
@@ -13,7 +13,7 @@ In exchange for meeting certain requirements, the TIs are eligible to receive an | TI agrees to follow the [Secure Software Development Guiding Principles](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/SecureSoftwareGuidingPrinciples.md) and the [Open Source Consumption Manifesto](https://github.com/ossf/wg-endusers/tree/main/MANIFESTO). | Receives OpenSSF Code of Conduct Committee support.| | If contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). | Reserved space for project updates in OpenSSF newsletters.| | Provides quarterly updates to the TAC on technical vision and progress on vision. | May request infrastructure support from the OpenSSF. | -| TI will have a [SECURITY.md](http://security.md/) that describes how the Project manages vulns, or more broadly how the OSSF handles vuln reports | Projects may say they are, "A sandbox project in the OpenSSF" or "An experimental project in the OpenSSF." Gets an "sandbox" logo that is shared amongst all OpenSSF sandbox TIs. | +| TI will have a [SECURITY.md](http://security.md/) that describes how the Project manages vulnerabilities, or more broadly how the OSSF handles vulnerability reports | Projects may say they are, "A sandbox project in the OpenSSF" or "An experimental project in the OpenSSF." Gets an "sandbox" logo that is shared amongst all OpenSSF sandbox TIs. | | | Communication & Collaboration - OpenSSF mailing list, OpenSSF Slack channel, OpenSSF GitHub, OpenSSF Calendaring / Recording, OpenSSF Social Media & External Engagement Support | | | Governance & Administration - TI Charter Development & Review, TI Technical Steering Committee Setup, TI IP & License Review, TI Operations & Maintenance, Technical Support | From 992308756424240e3691731fa36e4b5a4112d5d2 Mon Sep 17 00:00:00 2001 
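Review bot: the rewritten row opens with "TI will have a [SECURITY.md]..." while every other Sandbox requirement is phrased as "TI must ..."; use "must" here too so the row reads as a requirement. In the benefits cell of the same row, "Projects may say they are, "A sandbox project in the OpenSSF"" has a stray comma after "are".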
From: Arnaud J Le Hors Date: Tue, 28 Nov 2023 21:37:53 +0100 Subject: [PATCH 09/22] Switch layout from tables to lists Signed-off-by: Arnaud J Le Hors --- process/TI-Gives+Gets.md | 108 +++++++++++++++++++++++++-------------- 1 file changed, 70 insertions(+), 38 deletions(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index b749886e..862f162f 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
@@ -5,48 +5,80 @@ In exchange for meeting certain requirements, the TIs are eligible to receive an ## Sandbox level Gives & Gets -| Gives/Requirements | Gets/Benefits | -| :-----------------------------: | :-----------------------------------: | -| TI must be aligned with the OpenSSF mission and either be a novel approach for existing areas or address an unfulfilled need. It is expected that the initial code needed for an OpenSSF WG to work be kept within their repository and will not function as a project in its own right. Should initial WG code grow and mature that it warrants its own Project status, then it is subject to Sandbox entry requirements. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project. | TI can get assistance with Architecture & Roadmap Alignment | -| TI must maintain a diversified contributor base (i.e. not a single-vendor project). TI must have a minimum of two maintainers with different organization affiliations. | Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. | -| TI must find an aligned WG to host the TI and must have a TAC sponsor that can help guide the TI through processes. | TI receives guidance on technical direction from TAC sponsor | -| TI agrees to follow the [Secure Software Development Guiding Principles](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/SecureSoftwareGuidingPrinciples.md) and the [Open Source Consumption Manifesto](https://github.com/ossf/wg-endusers/tree/main/MANIFESTO). | Receives OpenSSF Code of Conduct Committee support.| -| If contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). | Reserved space for project updates in OpenSSF newsletters.| -| Provides quarterly updates to the TAC on technical vision and progress on vision. | May request infrastructure support from the OpenSSF. 
| -| TI will have a [SECURITY.md](http://security.md/) that describes how the Project manages vulnerabilities, or more broadly how the OSSF handles vulnerability reports | Projects may say they are, "A sandbox project in the OpenSSF" or "An experimental project in the OpenSSF." Gets an "sandbox" logo that is shared amongst all OpenSSF sandbox TIs. | -| | Communication & Collaboration - OpenSSF mailing list, OpenSSF Slack channel, OpenSSF GitHub, OpenSSF Calendaring / Recording, OpenSSF Social Media & External Engagement Support | -| | Governance & Administration - TI Charter Development & Review, TI Technical Steering Committee Setup, TI IP & License Review, TI Operations & Maintenance, Technical Support | +### Gives/Requirements + + * TI must be aligned with the OpenSSF mission and either be a novel approach for existing areas or address an unfulfilled need. It is expected that the initial code needed for an OpenSSF WG to work be kept within their repository and will not function as a project in its own right. Should initial WG code grow and mature that it warrants its own Project status, then it is subject to Sandbox entry requirements. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project. + * TI must maintain a diversified contributor base (i.e. not a single-vendor project). TI must have a minimum of two maintainers with different organization affiliations. + * TI must find an aligned WG to host the TI and must have a TAC sponsor that can help guide the TI through processes. + * TI agrees to follow the [Secure Software Development Guiding Principles](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/SecureSoftwareGuidingPrinciples.md) and the [Open Source Consumption Manifesto](https://github.com/ossf/wg-endusers/tree/main/MANIFESTO). 
+ * If contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). + * Provides quarterly updates to the TAC on technical vision and progress on vision. + * TI will have a [SECURITY.md](http://security.md/) that describes how the Project manages vulnerabilities, or more broadly how the OSSF handles vulnerability reports + +### Gets/Benefits + + * TI can get assistance with Architecture & Roadmap Alignment + * Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. + * TI receives guidance on technical direction from TAC sponsor + * Receives OpenSSF Code of Conduct Committee support. + * Reserved space for project updates in OpenSSF newsletters. + * May request infrastructure support from the OpenSSF. + * Projects may say they are, "A sandbox project in the OpenSSF" or "An experimental project in the OpenSSF." Gets an "sandbox" logo that is shared amongst all OpenSSF sandbox TIs. + * Communication & Collaboration - OpenSSF mailing list, OpenSSF Slack channel, OpenSSF GitHub, OpenSSF Calendaring / Recording, OpenSSF Social Media & External Engagement Support + * Governance & Administration - TI Charter Development & Review, TI Technical Steering Committee Setup, TI IP & License Review, TI Operations & Maintenance, Technical Support ## Incubating level Gives & Gets -| Gives/Requirements | Gets/Benefits | -| :-----------------------------: | :-----------------------------------: | -| All requirements of Sandbox must be fulfilled. PR filed to promote group to Incubating stage. | TI eligible to receive all Gets from Sandbox | -| Group has met no less than 5 times within the last calendar quarter | Receives infrastructure support | -| Maintains a diversified contributor base (i.e. not a single-vendor project) with an active flow of contributions. 
Projects must have a minimum of three maintainers with a minimum of two different organization affiliations, and document the current list of maintainers. | Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. | -| Projects must have defined a contributor guide, which makes it clear how and when contributors should be given increasing responsibilities towards maintainership of the project. (Example guides: Sigstore, AllStar) | Project may request custom OpenSSF Logo for group | -| Projects should be able to show adoption by multiple parties and adoption's value to the open source community and/or end users (may include adoption of beta/early versions) with the intent to showcase wide adoption by the project's consumers. | Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may not be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName." Projects may say they are an "OpenSSF Incubating Project." | -| TI must have documented, initial group governance. | With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF. | -| Maintains a point of contact for vulnerability reports in the security.md | Receives support with vulnerability disclosure from the OpenSSF (Vulnerability Disclosure WG). | -| Implements, practices, and refines mature software development and release practices such as following a version schema. | -| TI Follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria | May post project updates and tutorials to the OpenSSF blog. 
| -| Project should be integrating with Scorecards | | -| Begins to establish the appropriate governance that enables its sustainment for potential graduation.| | -| Projects should be Securing Code Repository -> Managing Contributions Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum) + Self-assessment Should OpenSSF require these if the SCM supports it, especially using Sigstore? | | +### Gives/Requirements + + All requirements of Sandbox must be fulfilled. PR filed to promote group to Incubating stage. + * Group has met no less than 5 times within the last calendar quarter + * Maintains a diversified contributor base (i.e. not a single-vendor project) with an active flow of contributions. Projects must have a minimum of three maintainers with a minimum of two different organization affiliations, and document the current list of maintainers. + * Projects must have defined a contributor guide, which makes it clear how and when contributors should be given increasing responsibilities towards maintainership of the project. (Example guides: Sigstore, AllStar) + * Projects should be able to show adoption by multiple parties and adoption's value to the open source community and/or end users (may include adoption of beta/early versions) with the intent to showcase wide adoption by the project's consumers. + * TI must have documented, initial group governance. + * Maintains a point of contact for vulnerability reports in the security.md + * Implements, practices, and refines mature software development and release practices such as following a version schema. + * TI Follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria + * Project should be integrating with Scorecards + * Begins to establish the appropriate governance that enables its sustainment for potential graduation. 
+ * Projects should be Securing Code Repository -> Managing Contributions Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum) + Self-assessment Should OpenSSF require these if the SCM supports it, especially using Sigstore? + +### Gets/Benefits + + TI eligible to receive all Gets from Sandbox plus: + * Receives infrastructure support + * Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. + * Project may request custom OpenSSF Logo for group + * Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may not be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName." Projects may say they are an "OpenSSF Incubating Project." + * With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF. + * Receives support with vulnerability disclosure from the OpenSSF (Vulnerability Disclosure WG). + * May post project updates and tutorials to the OpenSSF blog. + ## Graduated level Gives & Gets -| Gives/Requirements | Gets/Benefits | -| :-----------------------------: | :-----------------------------------: | -| All requirements of Incubating must be fulfilled and additionally: | All Gets from Incubating are valid and additionally: | -| Projects must be able to show a consistent release cadence. | Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. | -| Maintains a point of contact for vulnerability reports and follow coordinated vulnerability disclosure practices. | Receives infrastructure support (details determined by project leads and OpenSSF Budget Committee). | -| Implements, practices, and refines mature software development and release practices, such as adherence to semantic versioning, and having a declared policy for stable releases and backported fixes. | May post project updates and tutorials to the OpenSSF blog. 
| -| Projects must have documented project governance and be able to demonstrate that governance in action. | May request OpenSSF budget for project improvements such as security audits or time-bound contracting needs. | -| When applicable, projects must have completed a security audit through a third party and addressed audit findings and recommendations. | May request OpenSSF budget for sustained maintainer stipends (details determined by OpenSSF and project leads). | -| When applicable, Projects should achieve **BLAH** level of SLSA | With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF.| -| | Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName." | -| | May request considered for Grants | -| | May request consideration to get Contract Developers | -| | Requests for one time funding needs to include: Tech writer, Graphic designer, Security audit, Event support, Outreach, Dashboard/reports, Recognition awards, Infrastructure support for software projects (like special build, QA) (will have ongoing operational expense), Cloud hosting (will have ongoing operational expense) | +### Gives/Requirements + + All requirements of Incubating must be fulfilled and additionally: + * Projects must be able to show a consistent release cadence. + * Maintains a point of contact for vulnerability reports and follow coordinated vulnerability disclosure practices. + * Implements, practices, and refines mature software development and release practices, such as adherence to semantic versioning, and having a declared policy for stable releases and backported fixes. + * Projects must have documented project governance and be able to demonstrate that governance in action. 
+ * When applicable, projects must have completed a security audit through a third party and addressed audit findings and recommendations. + * When applicable, Projects should achieve **BLAH** level of SLSA + +### Gets/Benefits + + TI eligible to receive all Gets from Incubating plus: + * Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. + * Receives infrastructure support (details determined by project leads and OpenSSF Budget Committee). + * May post project updates and tutorials to the OpenSSF blog. + * May request OpenSSF budget for project improvements such as security audits or time-bound contracting needs. + * May request OpenSSF budget for sustained maintainer stipends (details determined by OpenSSF and project leads). + * With additional TAC or WG approval, may fundraise for dedicated project funds, coordinated by the OpenSSF. + * Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName." + * May request considered for Grants + * May request consideration to get Contract Developers + * Requests for one time funding needs to include: Tech writer, Graphic designer, Security audit, Event support, Outreach, Dashboard/reports, Recognition awards, Infrastructure support for software projects (like special build, QA) (will have ongoing operational expense), Cloud hosting (will have ongoing operational expense) From 99086fc480e145732aeba061f064bb7ab765e22d Mon Sep 17 00:00:00 2001 From: Arnaud J Le Hors Date: Tue, 28 Nov 2023 21:46:10 +0100 Subject: [PATCH 10/22] Address a couple of comments Signed-off-by: Arnaud J Le Hors --- process/TI-Gives+Gets.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index 862f162f..ecd9cf1c 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
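Review bot: in the Sandbox Gives list the SECURITY.md link still points at `http://security.md/`, an external domain unrelated to OpenSSF rather than a template file; link it to an in-repo SECURITY.md template instead. The same table-to-list conversion also carries draft residue that should not ship: `**BLAH** level of SLSA` in the Graduated Gives, the inline open question `Should OpenSSF require these if the SCM supports it, especially using Sigstore?` in the Incubating Gives, and `May request considered for Grants` (read: "May request consideration for grants") in the Graduated Gets. Finally, the Incubating and Graduated Gets lists open with "plus:" but then repeat items already granted at the lower level (for example `Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event.`), so either drop the repeated items or drop "plus:".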
@@ -20,10 +20,9 @@ In exchange for meeting certain requirements, the TIs are eligible to receive an * TI can get assistance with Architecture & Roadmap Alignment * Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. * TI receives guidance on technical direction from TAC sponsor - * Receives OpenSSF Code of Conduct Committee support. * Reserved space for project updates in OpenSSF newsletters. * May request infrastructure support from the OpenSSF. - * Projects may say they are, "A sandbox project in the OpenSSF" or "An experimental project in the OpenSSF." Gets an "sandbox" logo that is shared amongst all OpenSSF sandbox TIs. + * Projects may say they are, "A sandbox project in the OpenSSF" or "An experimental project in the OpenSSF." Gets a "sandbox" logo that is shared amongst all OpenSSF sandbox TIs. * Communication & Collaboration - OpenSSF mailing list, OpenSSF Slack channel, OpenSSF GitHub, OpenSSF Calendaring / Recording, OpenSSF Social Media & External Engagement Support * Governance & Administration - TI Charter Development & Review, TI Technical Steering Committee Setup, TI IP & License Review, TI Operations & Maintenance, Technical Support From 990e4d41f650ce9e5d27f41f6cf231c101e0d899 Mon Sep 17 00:00:00 2001 From: Arnaud J Le Hors Date: Tue, 28 Nov 2023 21:55:06 +0100 Subject: [PATCH 11/22] Address another couple of comments Signed-off-by: Arnaud J Le Hors --- process/TI-Gives+Gets.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index ecd9cf1c..8442f8d6 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
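Review bot: removing `Receives OpenSSF Code of Conduct Committee support.` from the Sandbox Gets is a substantive change bundled with the `an "sandbox"` typo fix under a message that only says "Address a couple of comments"; record in the commit message why Code of Conduct Committee support no longer applies at Sandbox level (or whether it is now assumed for every TI regardless of level), since nothing else in the document says so.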
@@ -1,7 +1,11 @@ # "Gives and Gets" for OpenSSF Technical Initiatives (TI) + The OpenSSF has a large community of contributors and efforts that span the broad spectrum of open source security interests. The Technical Initiatives (TIs) of the foundation are where community members collaborate and help craft unique solutions to address improving the security of the open source ecosystem. -In exchange for meeting certain requirements, the TIs are eligible to receive an assortment of benefits and have access to the capabilities of the Foundation's resources. The specific requirements and benefits (aka "Gives and Gets") for each level of maturity are documented below. Based on the specific type of work the TI is focused on (e.g a software project vs. a specification or documentation-based effort) the requirements and benefits may slightly differ as applicable. +In exchange for meeting certain requirements, the TIs are eligible to receive an assortment of benefits and have access to the capabilities of the Foundation's resources. The specific requirements and benefits (aka "Gives and Gets") for each level of maturity are documented below. + +Based on the specific type of work the TI is focused on (e.g., software, specification, or documentation development) the requirements and benefits may slightly differ as applicable. +Also note that benefits may actually vary based on resources and funds availability, or lack thereof. ## Sandbox level Gives & Gets From d6b46f227f6305b83c5f4563b79ca4f7488e3f2a Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 30 Nov 2023 15:32:38 -0500 Subject: [PATCH 12/22] Update process/TI-Gives+Gets.md Co-authored-by: Zach Steindler Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index 8442f8d6..86a0c40f 100644 
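Review bot: the new line `Also note that benefits may actually vary based on resources and funds availability, or lack thereof.` sits directly under the "Based on the specific type of work..." sentence with no blank line between them, so Markdown renders both as one paragraph; add a blank line if it is meant as a separate caveat. The wording can also be tightened to "Benefits may vary with the resources and funds available", dropping "actually" and "or lack thereof".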
--- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md @@ -17,7 +17,7 @@ Also note that benefits may actually vary based on resources and funds availabil * TI agrees to follow the [Secure Software Development Guiding Principles](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/SecureSoftwareGuidingPrinciples.md) and the [Open Source Consumption Manifesto](https://github.com/ossf/wg-endusers/tree/main/MANIFESTO). * If contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). * Provides quarterly updates to the TAC on technical vision and progress on vision. - * TI will have a [SECURITY.md](http://security.md/) that describes how the Project manages vulnerabilities, or more broadly how the OSSF handles vulnerability reports + * TI will have a [SECURITY.md](https://github.com/ossf/project-template/blob/main/SECURITY.md) that describes how the Project manages vulnerabilities, or more broadly how the OSSF handles vulnerability reports ### Gets/Benefits From 9a66b92b6cb11c01e1cae48536cc568afc65d6d2 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Mon, 4 Dec 2023 09:38:27 -0500 Subject: [PATCH 13/22] Update TI-Gives+Gets.md added booth space to graduated Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index 86a0c40f..c6aadd69 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
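Review bot: pointing the link at the `ossf/project-template` SECURITY.md fixes the bogus `http://security.md/` target, but the rest of the bullet still says "how the OSSF handles vulnerability reports" while the document elsewhere uses "OpenSSF"; normalize to OpenSSF. The bullet also says "TI will have" where the neighbouring requirements say "must"; phrase it as a requirement so it reads as one of the Gives.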
@@ -75,7 +75,7 @@ Also note that benefits may actually vary based on resources and funds availabil ### Gets/Benefits TI eligible to receive all Gets from Incubating plus: - * Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. + * Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. This includes consideration for booth space at the conference and/or the OpenSSF booth. * Receives infrastructure support (details determined by project leads and OpenSSF Budget Committee). * May post project updates and tutorials to the OpenSSF blog. * May request OpenSSF budget for project improvements such as security audits or time-bound contracting needs. From c6ca5f279bb4e3791c3bee965ae736cecb044495 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Tue, 5 Dec 2023 14:59:48 -0500 Subject: [PATCH 14/22] Update process/TI-Gives+Gets.md Co-authored-by: Zach Steindler Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index c6aadd69..f6ab27b3 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
@@ -43,7 +43,7 @@ Also note that benefits may actually vary based on resources and funds availabil * TI must have documented, initial group governance. * Maintains a point of contact for vulnerability reports in the security.md * Implements, practices, and refines mature software development and release practices such as following a version schema. - * TI Follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria + * TI follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria, secret scanning, and code scanning. * Project should be integrating with Scorecards * Begins to establish the appropriate governance that enables its sustainment for potential graduation. * Projects should be Securing Code Repository -> Managing Contributions Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum) + Self-assessment Should OpenSSF require these if the SCM supports it, especially using Sigstore? From 077a644b77d4483a2e0a9233ff7c608ef60dc939 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Tue, 5 Dec 2023 15:00:03 -0500 Subject: [PATCH 15/22] Update process/TI-Gives+Gets.md Co-authored-by: Zach Steindler Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index f6ab27b3..de0ff6f9 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
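Review bot: "passing the OpenSSF Best Practices criteria" is ambiguous now that it sits next to concrete controls: the OpenSSF Best Practices badge has Passing, Silver and Gold levels, so state explicitly that the Passing badge level is the bar (or name a different level). Appending "secret scanning, and code scanning" here also duplicates the `Secret Scanning, Code Scanning (OSFUZZ at a minimum)` bullet three lines below, which still carries the inline open question; merge the two rather than listing the same controls twice.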
@@ -44,7 +44,7 @@ Also note that benefits may actually vary based on resources and funds availabil * Maintains a point of contact for vulnerability reports in the security.md * Implements, practices, and refines mature software development and release practices such as following a version schema. * TI follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria, secret scanning, and code scanning. - * Project should be integrating with Scorecards + * TIs that include code use Scorecards * Begins to establish the appropriate governance that enables its sustainment for potential graduation. * Projects should be Securing Code Repository -> Managing Contributions Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum) + Self-assessment Should OpenSSF require these if the SCM supports it, especially using Sigstore? From c00616bb54a0032bc60bbd8bd46bd73eeaacb45f Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Tue, 5 Dec 2023 15:00:25 -0500 Subject: [PATCH 16/22] Update process/TI-Gives+Gets.md Co-authored-by: Zach Steindler Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 1 - 1 file changed, 1 deletion(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index de0ff6f9..829d355f 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
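Review bot: `TIs that include code use Scorecards` states neither what "use" means nor a bar; clarify whether running OpenSSF Scorecard against the repository is sufficient or whether a minimum score is expected, and use the tool's name, OpenSSF Scorecard, rather than "Scorecards". The bullet also lacks the terminating period its neighbours have.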
@@ -46,7 +46,6 @@ Also note that benefits may actually vary based on resources and funds availabil * TI follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria, secret scanning, and code scanning. * TIs that include code use Scorecards * Begins to establish the appropriate governance that enables its sustainment for potential graduation. - * Projects should be Securing Code Repository -> Managing Contributions Commit Signing , Secret Scanning, Code Scanning (OSFUZZ at a minimum) + Self-assessment Should OpenSSF require these if the SCM supports it, especially using Sigstore? ### Gets/Benefits From 9e5ca2222ea99e70e5417a8dc5421ee1ac55bcfb Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Tue, 5 Dec 2023 15:00:37 -0500 Subject: [PATCH 17/22] Update process/TI-Gives+Gets.md Co-authored-by: Zach Steindler Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index 829d355f..3d07c463 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md @@ -69,7 +69,7 @@ Also note that benefits may actually vary based on resources and funds availabil * Implements, practices, and refines mature software development and release practices, such as adherence to semantic versioning, and having a declared policy for stable releases and backported fixes. * Projects must have documented project governance and be able to demonstrate that governance in action. * When applicable, projects must have completed a security audit through a third party and addressed audit findings and recommendations. - * When applicable, Projects should achieve **BLAH** level of SLSA + * Projects should harden their build systems in accordance with the SLSA Framework ### Gets/Benefits 
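Review bot: in PATCH 16/22, deleting the `Projects should be Securing Code Repository -> ...` bullet removes the only mention of commit signing and fuzzing (`OSFUZZ at a minimum`) from the Incubating Gives; secret scanning and code scanning were folded into the best-practices bullet above, but commit signing and fuzzing now appear nowhere in the requirements. If they are intentionally dropped, say so in the commit message; otherwise keep them as a clean bullet without the inline question.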
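Review bot: in PATCH 17/22, `Projects should harden their build systems in accordance with the SLSA Framework` removes the `**BLAH**` placeholder but leaves the requirement unverifiable, because SLSA is defined in levels; name a target level or state that the level is agreed per project with the TAC. The edit also drops the leading "When applicable," even though the document says requirements differ for specification and documentation TIs, which have no build system; keep that qualifier.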
From d7b4da20fbf79ec9a2766c78a20577b6dd9d5c87 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Wed, 6 Dec 2023 11:11:13 -0500 Subject: [PATCH 18/22] Update process/TI-Gives+Gets.md Co-authored-by: Arnaud J Le Hors Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index 3d07c463..a98875c2 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md @@ -1,7 +1,7 @@ # "Gives and Gets" for OpenSSF Technical Initiatives (TI) The OpenSSF has a large community of contributors and efforts that span the broad spectrum of open source security interests. The Technical Initiatives (TIs) of the foundation are where community members collaborate and help craft unique solutions to address improving the security of the open source ecosystem. -In exchange for meeting certain requirements, the TIs are eligible to receive an assortment of benefits and have access to the capabilities of the Foundation's resources. The specific requirements and benefits (aka "Gives and Gets") for each level of maturity are documented below. +In exchange for meeting certain requirements, the TIs are eligible to receive an assortment of benefits and have access to the capabilities of the Foundation's resources. The specific requirements and benefits (aka "Gives and Gets") for each level of maturity are documented below. Note that this about the maturity of the TI itself - basically about how it operates - rather than of its product. A TI can be at an advanced level of maturity even though its product is still immature and vice versa. Based on the specific type of work the TI is focused on (e.g., software, specification, or documentation development) the requirements and benefits may slightly differ as applicable. From 3fbe929601c65b50f532b34bdd896c5e79248ebf Mon Sep 17 00:00:00 2001 
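Review bot: the added sentence `Note that this about the maturity of the TI itself - basically about how it operates - rather than of its product.` is missing "is" ("Note that this is about the maturity..."); consider also setting the "basically about how it operates" aside off with commas or parentheses so the sentence reads as a single clause.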
From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Wed, 6 Dec 2023 12:28:37 -0500 Subject: [PATCH 19/22] Update process/TI-Gives+Gets.md Co-authored-by: Arnaud J Le Hors Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index a98875c2..1755acc5 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md @@ -25,7 +25,7 @@ Also note that benefits may actually vary based on resources and funds availabil * Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. * TI receives guidance on technical direction from TAC sponsor * Reserved space for project updates in OpenSSF newsletters. - * May request infrastructure support from the OpenSSF. + * May request basic infrastructure support from the OpenSSF (e.g., mailing list and github repo). * Projects may say they are, "A sandbox project in the OpenSSF" or "An experimental project in the OpenSSF." Gets a "sandbox" logo that is shared amongst all OpenSSF sandbox TIs. * Communication & Collaboration - OpenSSF mailing list, OpenSSF Slack channel, OpenSSF GitHub, OpenSSF Calendaring / Recording, OpenSSF Social Media & External Engagement Support * Governance & Administration - TI Charter Development & Review, TI Technical Steering Committee Setup, TI IP & License Review, TI Operations & Maintenance, Technical Support From e25d69ea0caa06aff3d48961c7ee535e6472a9b3 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Wed, 6 Dec 2023 12:28:55 -0500 Subject: [PATCH 20/22] Update process/TI-Gives+Gets.md Co-authored-by: Arnaud J Le Hors Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
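Review bot: `May request basic infrastructure support from the OpenSSF (e.g., mailing list and github repo).` overlaps with the `Communication & Collaboration - OpenSSF mailing list, OpenSSF Slack channel, OpenSSF GitHub, ...` bullet two lines below, so the same benefit is now listed twice in the Sandbox Gets; fold the examples into one bullet. Also capitalize "GitHub" to match the later bullet.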
diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index 1755acc5..5da846eb 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md @@ -50,7 +50,7 @@ Also note that benefits may actually vary based on resources and funds availabil ### Gets/Benefits TI eligible to receive all Gets from Sandbox plus: - * Receives infrastructure support + * Receives more infrastructure support from the OpenSSF (e.g., website support) * Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. * Project may request custom OpenSSF Logo for group * Projects may use the OpenSSF logo to promote their project (in accordance with the trademark guidelines). Projects may not be referred to as an "OpenSSF Project" or "OpenSSF $ProjectName." Projects may say they are an "OpenSSF Incubating Project." From 216d87f5c56b26db323e5f34759f7948b74996ce Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Wed, 6 Dec 2023 12:29:14 -0500 Subject: [PATCH 21/22] Update process/TI-Gives+Gets.md Co-authored-by: Arnaud J Le Hors Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index 5da846eb..66709924 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
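Review bot: "Receives more infrastructure support from the OpenSSF (e.g., website support)" is defined only relative to the Sandbox tier; with the three tiers now reading basic, more and advanced, state what Incubating actually covers beyond the website example, or phrase it as "Receives additional infrastructure support beyond Sandbox (e.g., website hosting)". The unchanged context also still shows `Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event.` under "plus:" even though it is already a Sandbox Get.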
@@ -75,7 +75,7 @@ Also note that benefits may actually vary based on resources and funds availabil TI eligible to receive all Gets from Incubating plus: * Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event. This includes consideration for booth space at the conference and/or the OpenSSF booth. - * Receives infrastructure support (details determined by project leads and OpenSSF Budget Committee). + * Receives advanced infrastructure support from the OpenSSF (e.g., cloud hosting, to be determined by project leads and OpenSSF Budget Committee). * May post project updates and tutorials to the OpenSSF blog. * May request OpenSSF budget for project improvements such as security audits or time-bound contracting needs. * May request OpenSSF budget for sustained maintainer stipends (details determined by OpenSSF and project leads). From e15349b75fce6617026abedb5da945558a3d2826 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Wed, 6 Dec 2023 12:31:52 -0500 Subject: [PATCH 22/22] Update TI-Gives+Gets.md added version/approval date at head of doc Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- process/TI-Gives+Gets.md | 1 + 1 file changed, 1 insertion(+) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index 66709924..08538ca7 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
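Review bot: the parenthetical `(e.g., cloud hosting, to be determined by project leads and OpenSSF Budget Committee)` mixes an example with the approval process in one comma list; split it, for instance "(e.g., cloud hosting; scope determined by project leads and the OpenSSF Budget Committee)". Cloud hosting is also listed at the end of this same Gets list under one-time funding requests with an "ongoing operational expense" caveat, so say which of the two paths applies.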
@@ -1,4 +1,5 @@ # "Gives and Gets" for OpenSSF Technical Initiatives (TI) +_v1.0 approved and merged by the TAC on December XX, 2023_ The OpenSSF has a large community of contributors and efforts that span the broad spectrum of open source security interests. The Technical Initiatives (TIs) of the foundation are where community members collaborate and help craft unique solutions to address improving the security of the open source ecosystem. In exchange for meeting certain requirements, the TIs are eligible to receive an assortment of benefits and have access to the capabilities of the Foundation's resources. The specific requirements and benefits (aka "Gives and Gets") for each level of maturity are documented below. Note that this about the maturity of the TI itself - basically about how it operates - rather than of its product. A TI can be at an advanced level of maturity even though its product is still immature and vice versa.
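Review bot: `_v1.0 approved and merged by the TAC on December XX, 2023_` commits a placeholder date; fill in the actual approval date before merge, or leave the line out until the TAC has voted. The line also sits directly above the "The OpenSSF has a large community..." paragraph with no blank line between them, so Markdown renders the two as one paragraph; add a blank line after it.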