[OSPO Book] Scenarios & Recommendations - CH 4 #455
Conversation
…pter 4

Based on discussions from the past contributors' call: https://docs.google.com/document/d/1lbq_EfpAS3B7ygh8LkqLXiheAFwKWx3gYORAB7Aggio/edit

Two main scenarios were discussed:

- Social Engineering Attack on Upstream xz/liblzma
- License Changes and Software Trustworthiness (Redis use case)

Several best practices were raised during the call (see meeting notes for reference).

Signed-off-by: Ana Jimenez Santamaria <[email protected]>
Great additions!
Reviewed line in chapter 4:

- Recommendation:

Social Engineering Attack on Upstream xz/liblzma: A social engineering attack targeted the xz/liblzma, an essential open source library. The attack was meticulously planned, gaining trust within the community before executing a malicious attack. This incident was discovered inadvertently by an unrelated project, underscoring the sophistication and stealthiness of such vulnerabilities. The challenge for Open Source Program Offices (OSPOs) lies in identifying and mitigating these vulnerabilities, which are not always apparent until after they occur. Despite existing procedures and policies, OSPOs recognize the need for mechanisms to proactively measure and respond to such threats.
Suggested change (original line, then replacement):

Social Engineering Attack on Upstream xz/liblzma: A social engineering attack targeted the xz/liblzma, an essential open source library. The attack was meticulously planned, gaining trust within the community before executing a malicious attack. This incident was discovered inadvertently by an unrelated project, underscoring the sophistication and stealthiness of such vulnerabilities. The challenge for Open Source Program Offices (OSPOs) lies in identifying and mitigating these vulnerabilities, which are not always apparent until after they occur. Despite existing procedures and policies, OSPOs recognize the need for mechanisms to proactively measure and respond to such threats.

Social Engineering Attack on Upstream xz/liblzma: A social engineering attack targeted the xz/liblzma, an essential open source library. The attack was meticulously planned, gaining trust within the community before executing a malicious attack. This incident was discovered inadvertently by an unrelated project, underscoring the sophistication and stealthiness of such vulnerabilities ([more details](https://research.swtch.com/xz-timeline)). The challenge for Open Source Program Offices (OSPOs) lies in identifying and mitigating these vulnerabilities, which are not always apparent until after they occur. Despite existing procedures and policies, OSPOs recognize the need for mechanisms to proactively measure and respond to such threats.
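Review bot: the suggested replacement keeps calling the xz/liblzma incident a "vulnerability" ("such vulnerabilities", "these vulnerabilities"), while the same sentence describes a meticulously planned, trust-building attack that then inserted something malicious; that is a deliberately planted backdoor, not a bug the maintainers missed, and the distinction matters for the OSPO recommendation that follows (detecting malicious contributors is a different control from patching vulnerabilities). Consider "such compromises" / "this kind of supply-chain compromise" instead. "An attack ... before executing a malicious attack" is also redundant; "before inserting the malicious code" reads better. The added timeline link is useful, but "more details" as link text says nothing about the target; "see the xz timeline" would tell the reader what they are opening.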
I added a link to provide more context about the attack vector details
@anajsana I think that this PR and the Google Doc have become out of sync. At least, I believe there is more input on the Google Doc since this PR was created! This PR could be merged and the next round of changes added later, or we could abandon this PR and go back to editing - what do you prefer?

Good point, @alice-sowerby. It seems that this PR was created in the past and is now far behind the live version / main branch (see here). I noticed that the Google Doc is more aligned with the structure / content of the main branch of chapter-4.md, not the branch in this PR. +1 to close this PR without merging and open a new PR based on the Google Doc. PS: before doing this, we should make sure that the use case on the "Social Engineering Attack on Upstream xz/liblzma" that @UlisesGascon reviewed is also included in the new PR (so we don't lose this contribution).
Included the changes from this PR in a new PR that contains the review of chapter 4 here: #500 - also including @UlisesGascon change |