OpenSSF Security MVP
We need to define the minimal security requirements/baseline for OpenSSF projects. The requirements will include projects at different stages of the lifecycle.
This would be an extension of issue 214 Universal adoption of scorecard and best practices
The effort is to drive cross-Linux Foundation security standards. This is one of the outcomes of the Linux Foundation Member Summit.
related to https://github.com/ossf/tac/issues/45
related to https://github.com/ossf/tac/issues/214
Had a discussion with CRob about how to formalize establishing the baseline incrementally, by publishing the baseline for Sandbox first. Here is the advice from CRob:
- Publish the baseline content to a centralized location; GitHub would be ideal for public access. Currently it's on Google Drive.
- Incorporate the baseline into the operating model for the specific life cycle
- Incorporate the baseline into the TAC lifecycle definition document
- Reuse this TAC issue to raise PRs for points 2 & 3?
Do TAC members agree with the process in points 1 to 3? Can I get the precise list of the documents for the PR in point 4?
I am definitely in favor of security baselines being part of our existing lifecycle docs that we have in https://github.com/ossf/tac/tree/main/process.
I think once we're broadly aligned on content, we should make pull requests to modify those docs. What I've learned in the past is it might make sense to start with one scoped pull request (like just adding security requirements to the Sandbox stage), to align on phrasing / formatting / content before we progress to the other lifecycle stages.
@mlieberman85 May we use GUAC as an initial test TI for the Security MVP, per Zach's recommendation above?
@Danajoyluck do you have any outstanding items from your comment above that you need to get started with a proof of concept using GUAC?
How can I help?
I've reviewed the latest version of the proposed baseline and I think implementing it would really move us forward. I'm in favor of adopting it sooner rather than later. As always we can still fine tune it as we gain experience implementing it.
By the way we will need to define a transition path to phase this in. We could start with a few pilot projects and progressively require existing TIs to implement the different levels of requirements they are expected to fulfill according to their lifecycle status.
During the @openvex meeting on Jul 8th 2024 we discussed and we want the project to participate in the initial baseline pilot.
I think we can volunteer @protobom as well, I will share it with the community in our next community meeting to confirm, I think our contributors will be happy to help out too.
I will be talking to Dana shortly, and I think GUAC is already set up to do most of this but I think the big challenge is going to be less around adopting the baseline and more about proving that we are adopting this baseline and how to make sure the data is consumed and accessible to project maintainers, OpenSSF stakeholders, and the broader community as a whole.
The baseline by and large makes sense. I just want to be open to minor revisions as we pilot it.
Agree with this direction of work and would also support piloting it.
I really appreciate Dana leading the conversation here and doing consensus building. Just to be clear, you don't need TAC pre-approval to open up a pull request (the review happens on the pull request itself). That said, I'm happy to say I support this moving forward by opening up a pull request!
This was approved by the TAC on 9 July 2024 and will be implemented in a series of forthcoming PRs that will augment the existing TI lifecycle documentation.