[Technical Initiative Funding Request]: RSTUF Security Audit for 1.0.0

Open kairoaraujo opened this issue 5 months ago • 10 comments

Technical Initiative

Repository Service for TUF / Security Software Repositories Working Group

Lifecycle Phase

incubation

Funding amount

unknown -- help needed

Problem Statement

RSTUF is about to release 1.0.0; we are moving close to 1.0.0-rc, and before the final release we aim to have a security audit. This project is moving to the staging phase in the PyPI and RubyGems repositories.

Who does this affect?

Public repositories (and/or private repositories)

Have there been previous attempts to resolve the problem?

No

Why should it be tackled now and by this TI?

RSTUF is a project under wg-securing-software-repos (OpenSSF)

Give an idea of what is required to make the funding initiative happen

We require a security audit of the RSTUF projects to help us identify possible improvements in this aspect.

What is going to be needed to deliver this funding initiative?

A company/contractor that can run the audit and generate a report for RSTUF maintainers.

Are there tools or tech that still need to be produced to facilitate the funding initiative?

No response

Give a summary of the requirements that contextualize the costs of the funding initiative

  • Meeting with RSTUF Maintainers
  • Security Audit
  • Security Report

Who is responsible for doing the work of this funding initiative?

Kairo de Araujo (@kairoaraujo)

Who is accountable for doing the work of this funding initiative?

Kairo de Araujo (@kairoaraujo)

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

Martin Vrachev (@MVrachev)

What license is this funding initiative being used under?

MIT

Code of Conduct

  • [X] I agree to follow the OpenSSF's Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

By the end of Q4 2024 we want to have the RSTUF 1.0.0 out.

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

No response

kairoaraujo, Sep 05 '24 12:09