
[feedback] Improve maintainer experience in achieving OSPS and Best Practices Badging

Open TheFoxAtWork opened this issue 1 year ago • 8 comments

tl;dr

OSPS contains the mapping to the BPB criteria, but doesn't provide the specific link or translate between the BPB criteria code and the BPB criteria titling (which uses tags to link, and appears to be misaligned). This increases the burden on maintainers in understanding how to do both.

Details

It is not readily apparent which specific BPB area the OSPS criteria addresses without looking at the crosswalk matrix. This is a few clicks too many for project maintainers trying to do both. What could we do to improve this? Would linking to the tag help? (Assuming the tags drop you in the right spot; the interact one (B-B-3), which maps to GV-02, GV-03, and DO-02, doesn't drop you in the right spot on the BPB page.)

UX

Maintainers in scope for achieving BPB Passing criteria (which many LF projects need to do) are being asked to also do OSPS. These are two frameworks with some overlap, but not 1-for-1. This means they need to check two places to compare whether the one thing they did meets both or only one. It could introduce inconsistencies for projects that divide and conquer expressing both of these, where one maintainer is focused on OSPS and provides more detail and specifics than what is provided to the BPB.

Desired outcome

We need to make this dead simple and easy. Projects can't bounce between badging/criteria; they barely have enough time to keep up with their regular work. Given the LF's current focus to push OSPS out to all foundation projects, we need to prioritize this UX, allowing maintainers to approach this in a phased way or via a superset that lets them express OSPS and BPB at the same time (even if one is still in flight).

TheFoxAtWork avatar Apr 03 '25 15:04 TheFoxAtWork

the crosswalk matrix

Is this a published artifact you could share @TheFoxAtWork ? I did some hunting and couldn't find one.

When I've been looking for this information I've been consulting artifacts like: https://github.com/ossf/security-baseline/blob/main/baseline/OSPS-GV.yaml#L19

I've been puzzling through how the BPB ID values like "B-B-1, B-B-9, B-S-7, B-S-9" actually identify the relevant statements in https://www.bestpractices.dev/en/criteria and would appreciate any pointers on that.

The more I understand, the more likely I will be able to help address the issues

trumant avatar Apr 03 '25 19:04 trumant

Ah yes! I can't recall where @SecurityCRob squirreled away the link to it that I found, but it's in the deck and now here for you!

https://docs.google.com/spreadsheets/d/1an5mx3rayoz3JRFUepD56zgprpwXBXBG70fVZvIMCpA/edit?gid=468811656#gid=468811656

TheFoxAtWork avatar Apr 03 '25 19:04 TheFoxAtWork

I've updated the issue with the link as well.

TheFoxAtWork avatar Apr 03 '25 19:04 TheFoxAtWork

I brought this up in Slack a few weeks ago, but haven't yet had the chance to do anything about it. Here's a link to the conversation that helps explain what the BPB titles mean (and why I think they're wrong): https://openssf.slack.com/archives/C07DC6TT2QY/p1740684753755539?thread_ts=1740671082.680349&cid=C07DC6TT2QY

funnelfiasco avatar Apr 07 '25 13:04 funnelfiasco

In the compliance crosswalk there is a tab for badges where I list the short-hand IDs against the words on the BP page (since I have yet to convince that project to adopt that or any similar method). Basically the ID = Area-Level-Order as it appears on the list, so "B-B-1" would be Basic Area - Bronze level (aka "Passing") - #1 on the list. We can refactor this, or work with David and see if there's a path forward in short-handing his categories. Here's the link to the tab: https://docs.google.com/spreadsheets/d/1an5mx3rayoz3JRFUepD56zgprpwXBXBG70fVZvIMCpA/edit?gid=468811656#gid=468811656

SecurityCRob avatar Apr 11 '25 14:04 SecurityCRob

I've shared that tab with a few folks, but this sounds like we need to have a more focused conversation about where OSPS Baselines sit in relation to BPB and how to mesh them (and in doing so address the above).

TheFoxAtWork avatar Apr 11 '25 14:04 TheFoxAtWork

That discussion starts Monday, April 14.

SecurityCRob avatar Apr 11 '25 15:04 SecurityCRob

I will sadly miss it. I'm there in spirit!

TheFoxAtWork avatar Apr 11 '25 15:04 TheFoxAtWork