OpenSSF Security MVP #215
Comments
related to #45
related to #214
Had a discussion with CRob about how to formalize establishing the baseline incrementally, by publishing the baseline for Sandbox first. Here is the advice from CRob.
Do TAC members agree with the process in points 1 to 3?
I am definitely in favor of security baselines being part of our existing lifecycle docs that we have in https://github.com/ossf/tac/tree/main/process. I think once we're broadly aligned on content, we should make pull requests to modify those docs. What I've learned in the past is it might make sense to start with one scoped pull request (like just adding security requirements to the Sandbox stage), to align on phrasing / formatting / content before we progress to the other lifecycle stages.
@mlieberman85 May we use GUAC as an initial test TI for the Security MVP, per Zach's recommendation above? @Danajoyluck do you have any outstanding items from your comment above that you need to get started with a proof of concept using GUAC? How can I help?
I've reviewed the latest version of the proposed baseline and I think implementing it would really move us forward. I'm in favor of adopting it sooner rather than later. As always, we can still fine-tune it as we gain experience implementing it.
By the way, we will need to define a transition path to phase this in. We could start with a few pilot projects and progressively require existing TIs to implement the different levels of requirements they are expected to fulfill according to their lifecycle status.
During the @openvex meeting on Jul 8th 2024 we discussed this and we want the project to participate in the initial baseline pilot. I think we can volunteer @protobom as well; I will share it with the community in our next community meeting to confirm. I think our contributors will be happy to help out too.
I will be talking to Dana shortly, and I think GUAC is already set up to do most of this, but I think the big challenge is going to be less around adopting the baseline and more about proving that we are adopting this baseline and how to make sure the data is consumed and accessible to project maintainers, OpenSSF stakeholders, and the broader community as a whole.
The baseline by and large makes sense. I just want to be open to minor revisions as we pilot it.
Agree with this direction of work and would also support piloting it.
I really appreciate Dana leading the conversation here and doing consensus building. Just to be clear, you don't need TAC pre-approval to open up a pull request (the review happens on the pull request itself). That said, I'm happy to say I support this moving forward by opening up a pull request!
This was approved by the TAC on 9 July 2024 and will be implemented in a series of forthcoming PRs that will augment the existing TI lifecycle documentation.
We need to define the minimal security requirements/baseline for OpenSSF projects. The requirements will include projects at different stages of the lifecycle.
This would be an extension of issue #214, "Universal adoption of scorecard and best practices".
The effort is to drive cross-Linux Foundation security standards. This is one of the outcomes of the Linux Foundation Member Summit.
The draft baseline is here: https://docs.google.com/document/d/1-NBXdKvEJ9Wsh2i7lDNYven4fY9Bn6uvNJM5ySlMrdg/edit