
Foundation groups documentation audit

Open SecurityCRob opened this issue 1 year ago • 9 comments

A short-lived working committee should be created under the TAC for the purpose of conducting a review to ensure the existence, consistency, and accuracy of all Foundation group documentation (TAC, WG, SIG, SIF, AP, Committees, etc.). This should include, but not be limited to, the following artifacts:

  • a clear readme.md file that provides an overview of the group, with meeting times, communication channels, all active and past work, areas where contributions are desired, any sub-groups affiliated with the higher-level working group, group leader(s), and the designated TAC liaison that assists the group
  • a clearly discoverable list of active members, their project level (maintainer, collaborator, contributor, etc.), as well as membership criteria and voting procedures
  • an up-to-date and approved group charter.md
  • a security.md file that documents the project's defect and vulnerability reporting process (sourced from the approved foundation template)
  • other artifacts or documentation that are deemed necessary by the committee

SecurityCRob avatar May 13 '23 03:05 SecurityCRob

This was brought up in the TAC with @steiza @jchestershopify @lehors @hythloda volunteering to help. Do you want a zoom meeting to get this started? Or async?

hythloda avatar May 16 '23 15:05 hythloda

It's not that I really want a zoom meeting (who does?? :) but I think we may need it to get things really going. Otherwise I fear time will just go by without anything happening.

lehors avatar May 24 '23 13:05 lehors

A nit: the best handle to use for me right now is this one; @jchestershopify is (as the name suggests) tied to my previous work for Shopify.

jchester avatar May 30 '23 14:05 jchester

For projects of the OpenSSF, should we add a "contributor ladder" to the list of artifacts? AFAIK Allstar is the only project that approaches this; I think this would be good to roughly standardize across all projects.

di avatar May 30 '23 14:05 di

> For projects of the OpenSSF, should we add a "contributor ladder" to the list of artifacts? AFAIK Allstar is the only project that approaches this; I think this would be good to roughly standardize across all projects.

sigstore also publishes one: https://github.com/sigstore/community/blob/main/MEMBERSHIP.md

bobcallaway avatar May 30 '23 15:05 bobcallaway

Aha, thanks. (We might also want to align on what this document is called, to help with discoverability 😉)

di avatar May 30 '23 15:05 di

Perhaps this is also an opportunity to make a template repository that can be used for new GitHub repositories?

di avatar May 30 '23 15:05 di

We have a WIP proposal for what sections each should have. We would love comments!

hythloda avatar Jun 01 '23 18:06 hythloda

Allstar can enforce security.md and branch protection currently. We can add more features as needed as well.

jeffmendoza avatar Jun 13 '23 15:06 jeffmendoza

As TIs are reporting in quarterly, part of that process is a docs review/check to ensure that group has completed all the necessary tasks. This review should be complete by the end of Q3.

SecurityCRob avatar May 24 '24 12:05 SecurityCRob