[Technical Initiative Funding Request] - S2C2F PAS Submission Funding Request

Open camaleon2016 opened this issue 1 year ago • 15 comments

Problem Statement

S2C2F requires 4k in funding to pay the JDF contracted ISO Editor to help form the correct language in the S2C2F Specification in preparation for ISO PAS submission.

Who does this affect?

Without this necessary step the spec will not be in proper form for PAS submission and will not be balloted.

Have there been previous attempts to resolve the problem?

No. S2C2F is requesting funding through the OpenSSF for the first time and as a first course of action.

Why should it be tackled now and by this TI?

S2C2F Project is ready and has been accepted by the JDF to begin the process for PAS submission

Give an idea of what is required to make the funding initiative happen

Funding will cover the JDF-contracted ISO Editor's work in total.

What is going to be needed to deliver this funding initiative?

The JDF contracted ISO Editor is all that is required.

Are there tools or tech that still need to be produced to facilitate the funding initiative?

NO.

Give a summary of the requirements that contextualize the costs of the funding initiative

4k will cover the JDF-contracted ISO Editor's requested 3-5k for proper formatting of the S2C2F spec into a ballotable ISO standard.

Who is responsible for doing the work of this funding initiative?

JDF contracted ISO Editor. Contact in the JDF is Seth Newbury [email protected]

Who is accountable for doing the work of this funding initiative?

Jay White, Adrian Diglio, Tom Bedford

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

JDF - Seth Newbury, Jory Burson

Which technical initiative will this funding initiative be associated with, and will it report to which WG or project?

S2C2F Project under the Supply Chain Integrity WG

What license is this funding initiative being used under?

Community Specification License 1.0

Code of Conduct

  • [X] I agree to follow the OpenSSF's Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

Balloting is currently TBD, but we are anticipating finalizing the process by Jan 2025. 4k in funding will only be used to pay the JDF contracted ISO Editor to prepare the spec for entering the PAS Balloting process.

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

JDF issues the contract.

camaleon2016 avatar May 15 '24 20:05 camaleon2016

The TAC will review this at our next meeting (28 May). I encourage everyone to review & comment beforehand.

SecurityCRob avatar May 17 '24 12:05 SecurityCRob

@camaleon2016 @adriandiglio can you add a bit of context here as to why making s2c2f an ISO standard is beneficial. What will achieving that enable for the group and consumers of the framework? If this is NOT funded, what is at risk?

SecurityCRob avatar May 17 '24 12:05 SecurityCRob

We'll add more context today.

Jay

camaleon2016 avatar May 17 '24 13:05 camaleon2016

This seems like a reasonable use of TAC funding to me and in line with our discussions. 👍🏻

torgo avatar May 23 '24 17:05 torgo

I would love for @camaleon2016 / @omkhar to summarize here what they mentioned at today's TAC meeting about how ISO standardization helps with OpenSSF's engagement with EU public sector on the Cyber Resilience Act (and possibly other public / private sector conversations?)

That said, this seems like a good way for the OpenSSF to start exploring turning community specifications into standards, and seeing what opportunities that unlocks. +1 from me.

steiza avatar May 28 '24 18:05 steiza

@steiza sure thing!

In standards land, there are broadly two kinds of standards (from our good friend Wikipedia):

In law and government, de jure (/deɪ ˈdʒʊəri, di -, - ˈjʊər-/, Latin: [deː ˈjuːre]; lit. 'by law') describes practices that are legally recognized, regardless of whether the practice exists in reality.[1] In contrast, de facto ('in fact') describes situations that exist in reality, even if not formally recognized.

De jure standards typically bear a mark or recognition that the standard has been through an official standardization process. Ex: ISO/IEC 27001:2013 went through the JTC1 standardization process. De facto standards (S2C2F as an example) don't have such a mark, nor have they been through the standardization process, even though they may be used extensively.

The goal of putting a de facto standard through the de jure process is two fold:

  1. When recognized as a de jure standard, we can more easily apply it to regulatory or governance standardization efforts like the EU CRA. If the standards body sees that S2C2F is an ISO-recognized standard, it makes it much easier to adopt.
  2. Commercially, when transacting with governments or regulatory agencies, declaring that a particular product/procedure/method is conformant with an international standard allows you to attest conformance with a requirement.

Overall, I think it's a Good Thing (tm) and something which we may wish to consider for other OpenSSF work (ex SLSA) if the TAC should choose.

omkhar avatar May 29 '24 16:05 omkhar

Is this ask for $4000 or "$3000-$5000"? or both?

SecurityCRob avatar Jun 06 '24 13:06 SecurityCRob

3k-5k. 4k was in case the number had to be static.

camaleon2016 avatar Jun 06 '24 15:06 camaleon2016

I will be out for the TAC meeting, but don't have any additional questions, and support this TI funding request. If this comment of support could be counted as a vote if needed, please use it.

sevansdell avatar Jun 06 '24 23:06 sevansdell

Having reviewed this ask, it's not a huge $ amount for an outcome that seems overall beneficial and may pave the trail for other OpenSSF specs. Can @camaleon2016 or @adriandiglio please comment on the impact to the project if the funding request isn't approved in Q2?

marcelamelara avatar Jun 11 '24 23:06 marcelamelara

Since we're getting close to the decision deadline, and I'm still on the fence about supporting this request in Q2, my vote is to defer this request.

marcelamelara avatar Jun 14 '24 21:06 marcelamelara

/vote

riaankleinhans avatar Sep 23 '24 16:09 riaankleinhans

Vote created

@riaankleinhans has called for a vote on [Technical Initiative Funding Request] - S2C2F PAS Submission Funding Request (#328).

The members of the following teams have binding votes:

Team
@ossf/tac

Non-binding votes are also appreciated as a sign of support!

How to vote

You can cast your vote by reacting to this comment. The following reactions are supported:

In favor  Against  Abstain
👍        👎       👀

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 1 month 11 days 13h 26m 24s. It will pass if at least 70% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.

git-vote[bot] avatar Sep 23 '24 16:09 git-vote[bot]

GitVote was added as a tool to test streamlining the TI Funding process. The members of the GH group "TAC" can vote by reacting with a +1, -1 or eye on the GitVote block in this issue. Until the TAC is satisfied with the process, the GitVote outcome will not be binding.

Community members can show their support by also voting, however only the "TAC" GH Group's votes will count.

The current passing threshold is 70% and the committee is the TAC GH group. The vote stays open for 6 weeks and an announcement is sent to the GH/TAC/Discussion.

All these parameters can be fine-tuned or changed here. Please reach out if you have any questions.

riaankleinhans avatar Sep 23 '24 17:09 riaankleinhans

Vote status

So far 0.00% of the users with binding vote are in favor (passing threshold: 70%).

Summary

In favor  Against  Abstain  Not voted
0         0        0        9

Binding votes (0)

User Vote Timestamp
@steiza Pending
@torgo Pending
@mlieberman85 Pending
@bobcallaway Pending
@lehors Pending
@SecurityCRob Pending
@marcelamelara Pending
@camaleon2016 Pending
@sevansdell Pending

git-vote[bot] avatar Sep 30 '24 17:09 git-vote[bot]

Vote status

So far 0.00% of the users with binding vote are in favor (passing threshold: 70%).

Summary

In favor  Against  Abstain  Not voted
0         0        0        9

Binding votes (0)

User Vote Timestamp
@steiza Pending
@torgo Pending
@mlieberman85 Pending
@bobcallaway Pending
@lehors Pending
@SecurityCRob Pending
@marcelamelara Pending
@camaleon2016 Pending
@sevansdell Pending

git-vote[bot] avatar Oct 07 '24 17:10 git-vote[bot]

This request was actually withdrawn, so closing. /cancel-vote

lehors avatar Oct 07 '24 19:10 lehors

Vote cancelled

@lehors has cancelled the vote in progress in this issue.

git-vote[bot] avatar Oct 07 '24 19:10 git-vote[bot]