wg-securing-critical-projects

Helping allocate resources to secure the critical open source projects we all depend on.

22 wg-securing-critical-projects issues

The software in the OIN Linux System definition is described in a series of tables. Those tables can be browsed by technology area: https://openinventionnetwork.com/linux-system-definition/table-10/breakdowns/originating-project/ Fun fact: Steve Winslow has published...

Unsure if criticality is based on the latest data, though noticed when reviewing: https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit#gid=306266575 modulo the curl project (https://curl.se) that it may not factor in the official curl Docker image (https://hub.docker.com/r/curlimages/curl) The...

In the spreadsheet, there is a column for a URL. Most of the ~100 rows have a link to a GitHub repository, with notable exceptions including the Linux kernel, `golang`,...

The `cip-core` project emits a package list comprising the minimal (core) CIP system. Several pieces of software in the list might already be in OpenSSF's critical projects list, but it'd...

The list of critical open source projects, components and frameworks is currently published as a [spreadsheet](https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit). I suggest that it's provided as a machine-readable file under source control in this...

Taking inspiration from https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/critical-software-definition-explanatory and https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/critical-software-definition-faqs#Ref_FAQ3, could we use the techniques from #41 to identify additional projects that operate on the network or run with privileges, at least on...

The current spreadsheet shows package managers as candidate projects, and has build toolchains (generally comprising build systems, compilers and associated tooling) in the considered list. While the list is not...

When reviewing the current list of critical projects, I find some important low-level and embedded ones missing. Could you please consider adding those to the list: Updated to add descriptions...

In https://github.com/ossf/wg-securing-critical-projects/blob/main/identifying-critical-projects.md add information on Digital Public Goods' DPG-standard and links to the registered projects identified there. See: https://github.com/DPGAlliance/DPG-Standard https://digitalpublicgoods.net/registry/ https://digitalpublicgoods.net/

The governance section at https://github.com/ossf/wg-securing-critical-projects/tree/main/governance is a TODO from 2020. Has there been any progress on this front?