[Technical Initiative Funding Request]: RSTUF Security Audit for 1.0.0

Open kairoaraujo opened this issue 1 year ago • 10 comments

Technical Initiative

Repository Service for TUF / Security Software Repositories Working Group

Lifecycle Phase

incubation

Funding amount

unknown -- help needed

Problem Statement

RSTUF is about to release 1.0.0; we are moving close to 1.0.0-rc, and before the final release we aim to have a security audit. This project is moving to the staging phase in the PyPI and RubyGems repositories.

Who does this affect?

Public Repository (and or Private repositories)

Have there been previous attempts to resolve the problem?

No

Why should it be tackled now and by this TI?

RSTUF is a project under wg-securing-software-repos (OpenSSF)

Give an idea of what is required to make the funding initiative happen

We require a security audit of the RSTUF projects to help us identify possible improvements in this area.

What is going to be needed to deliver this funding initiative?

A company/contractor that can run the audit and generate a report for RSTUF maintainers.

Are there tools or tech that still need to be produced to facilitate the funding initiative?

No response

Give a summary of the requirements that contextualize the costs of the funding initiative

  • Meeting with RSTUF Maintainers
  • Security Audit
  • Security Report

Who is responsible for doing the work of this funding initiative?

Kairo de Araujo (@kairoaraujo)

Who is accountable for doing the work of this funding initiative?

Kairo de Araujo (@kairoaraujo)

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

Martin Vrachev (@MVrachev)

What license is this funding initiative being used under?

MIT

Code of Conduct

  • [X] I agree to follow the OpenSSF's Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

By the end of Q4 2024 we want to have the RSTUF 1.0.0 out.

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

No response

kairoaraujo Sep 05 '24 12:09

Hey @kairoaraujo, thanks for submitting this request! This week is the TAC review period for funding requests, but we need a specific amount to review this request. Have you had a chance to reach out to folks who might perform the audit to get an idea of the amount needed?

steiza Sep 10 '24 20:09

Hey @kairoaraujo, thanks for submitting this request! This week is the TAC review period for funding requests, but we need a specific amount to review this request. Have you had a chance to reach out to folks who might perform the audit to get an idea of the amount needed?

Hi @steiza, I requested a quotation for the audit. I will update the issue as soon as I have it.

kairoaraujo Sep 12 '24 19:09

Hello. The Open Source Technology Improvement Fund, Inc. specializes in exactly this: facilitating and managing security audits for open source projects and communities. We did the php-tuf (https://ostif.org/php-tuf-audit-complete/), go-tuf (https://ostif.org/go-tuf-on-bugs-ostifs-audit-of-go-tuf/), and python-tuf (https://ostif.org/our-audit-of-python-tuf-is-complete-multiple-issues-found-and-fixed/) security audits. So in addition to being an ideal candidate to handle any security audit request, OSTIF has a track record of doing these specific kinds of engagements. I hope you consider engaging us for this request, as we can deliver the intended results.

Amir-Montazery Sep 19 '24 12:09

/vote

riaankleinhans Sep 23 '24 16:09

Vote created

@riaankleinhans has called for a vote on [Technical Initiative Funding Request]: RSTUF Security Audit for 1.0.0 (#379).

The members of the following teams have binding votes:

Team
@ossf/tac

Non-binding votes are also appreciated as a sign of support!

How to vote

You can cast your vote by reacting to this comment. The following reactions are supported:

In favor Against Abstain
👍 👎 👀

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 1 month 11 days 13h 26m 24s. It will pass if at least 70% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.

git-vote[bot] Sep 23 '24 16:09

GitVote was added as a tool to test streamlining the TI Funding process. The members of the GH group "TAC" can vote by commenting with a +1, -1 or eye on the GitVote block in this issue. Until the TAC is satisfied with the process, the GitVote outcome would not be binding.

Community members can show their support by also voting; however, only the "TAC" GH group's votes will count.

The current passing threshold is 70% and the committee is the TAC GH group. The vote stays open for 6 weeks and an announcement is sent on the GH/TAC/Discussion.

All these parameters can be fine-tuned or changed here. Please reach out if you have any questions.

riaankleinhans Sep 23 '24 17:09

I requested a quotation for the audit. I will update the issue as soon as I have it.

@kairoaraujo pinging to see if you have an update on this?

marcelamelara Sep 23 '24 20:09

@kairoaraujo pinging to see if you have an update on this?

I had one meeting with one provider yesterday (23rd Sept) and I have another one today (24th Sept). I will have an update soon on this issue.

kairoaraujo Sep 24 '24 06:09

A quorum of the TAC met on 17 Sept to discuss Q3 TI Funding Requests.

The group reached consensus that, pending a quote for the review, this is tentatively approved.

SecurityCRob Sep 24 '24 13:09

Vote status

So far 33.33% of the users with binding votes are in favor (passing threshold: 70%).

Summary

In favor Against Abstain Not voted
3 0 0 6

Binding votes (3)

User Vote Timestamp
SecurityCRob In favor 2024-09-23 18:17:21.0 +00:00:00
bobcallaway In favor 2024-09-23 20:01:48.0 +00:00:00
marcelamelara In favor 2024-09-24 14:42:15.0 +00:00:00
@steiza Pending
@torgo Pending
@mlieberman85 Pending
@lehors Pending
@camaleon2016 Pending
@sevansdell Pending

Non-binding votes (1)

User Vote Timestamp
riaankleinhans In favor 2024-09-23 18:14:00.0 +00:00:00

git-vote[bot] Sep 30 '24 17:09

Vote status

So far 33.33% of the users with binding votes are in favor (passing threshold: 70%).

Summary

In favor Against Abstain Not voted
3 0 0 6

Binding votes (3)

User Vote Timestamp
marcelamelara In favor 2024-09-24 14:42:15.0 +00:00:00
SecurityCRob In favor 2024-09-23 18:17:21.0 +00:00:00
bobcallaway In favor 2024-09-23 20:01:48.0 +00:00:00
@steiza Pending
@torgo Pending
@mlieberman85 Pending
@lehors Pending
@camaleon2016 Pending
@sevansdell Pending

Non-binding votes (2)

User Vote Timestamp
riaankleinhans In favor 2024-09-23 18:14:00.0 +00:00:00
simi In favor 2024-09-30 17:20:43.0 +00:00:00

git-vote[bot] Oct 07 '24 17:10

/cancel-vote

riaankleinhans Oct 14 '24 10:10

Vote cancelled

@riaankleinhans has cancelled the vote in progress in this issue.

git-vote[bot] Oct 14 '24 10:10

I see the vote in progress is cancelled. Is the request still open?

sevansdell Oct 15 '24 22:10

Is the request still open?

Yes, a quorum of the TAC approved this on September 17th: https://github.com/ossf/tac/issues/379#issuecomment-2371347503

This was one of the two issues I was asking @riaankleinhans about at the TAC meeting yesterday. On the funding project board it's sitting in Funding Approved but hasn't yet moved to Funding in Execution.

steiza Oct 16 '24 13:10

@kairoaraujo have you received the other quotes?

sevansdell Oct 28 '24 21:10

Hello everyone, chiming in here. OpenSSF has asked OSTIF to take a look at the proposal and help with moving forward with the security audit. We will take a look and explore next steps.

Amir-Montazery Oct 31 '24 18:10

@kairoaraujo I will send out an email to formalize the process between OpenSSF & OSTIF.

riaankleinhans Oct 31 '24 20:10

@kairoaraujo, as the process between RSTUF & OSTIF is in progress and the SOW has been received, which is well within the approved budget, can this issue be closed?

riaankleinhans Jan 15 '25 15:01

Hello everyone, we've created the signed agreement and the funds are being released.

Naomi-Wash Jan 30 '25 19:01