coreinfrastructure / best-practices-badge

🏆Open Source Security Foundation (OpenSSF) Best Practices Badge (formerly Core Infrastructure Initiative (CII) Best Practices Badge)
https://www.bestpractices.dev
MIT License

Rebrand from CII to OpenSSF #1515

Closed david-a-wheeler closed 2 years ago

david-a-wheeler commented 3 years ago

The Core Infrastructure Initiative (CII) has been merged into the Open Source Security Foundation (OpenSSF), and the badging project is part of the OpenSSF Best Practices WG. It would be sensible to rebrand the CII Best Practices Badge to match.

HOWEVER! Rebranding takes a lot of time and effort, and it will have nontrivial costs. So it's important that this rebranding happen exactly once if it happens at all.

So the OpenSSF must FIRST agree on the rebranding, including the new name & proposed new URLs for the GitHub site and public URLs. I would like the OpenSSF Best Practices WG, Technical Advisory Council (TAC), and Governing Board (GB) to all agree to the specific changes, since this impacts the working group, technology, marketing, and so on.

Proposed changes:

It will be very important to automatically redirect users of the current repo site and website to the new site location. For the website this will probably need to happen for quite some time, probably 3+ years.

The current badge image says "cii best practices". I propose changing that to "openssf best practices", as that is clear even though that is extremely long. Shorter versions have their own problems:

There are a lot of things that will need to change if this occurs. The logo will have to be redone, which is costly. We'll also have to modify code & configurations in a number of places to deal with this change. I'll have to coordinate with LF IT to make the transition quick & transparent. We'll probably do name changes, then URL changes, so that people will get hints that the URL changes are coming.

Comments welcome!

dlorenc commented 3 years ago

Thanks David! I agree there's no rush here. As an engineer that's been asked to rename things frequently, I would much rather we take our time and get this right the first time!

GeorgLink commented 3 years ago

I like the new website URL https://bestpractices.dev

I don't care about renaming from CII to OpenSSF, which makes the name even longer. How about removing CII and calling it the "Best Practices Badge" only? In the logo, we could include "by OpenSSF" to have the branding.

david-a-wheeler commented 3 years ago

@GeorgLink - "Best Practices Badge" would be simpler. My concern is that I expect that there are (and will be) many organizations that "badge" best practices. But I'm open to making it shorter if people agree to it.

BTW, I know we at least used to have bestpractices.dev, but I need to make sure that we still own the domain. Hopefully we do, but I'm not going to switch until we are certain that we still own it :-).

TonyLHansen commented 3 years ago

Counter arguments to the above:

bagder commented 3 years ago

I think "Open Source Best Practices" or similar would be even better. The CII there always looked weird as people simply don't know what CII is (and the practices are for open source in general, not for CII). I don't think "OpenSSF" makes it any better than CII in that regard, as it is a rather new organization that to most people hasn't had any impact or importance and remains just-another-org with a name starting with "Open".

david-a-wheeler commented 3 years ago

I think "Open Source Best Practices" or similar would be even better.

It'd be easy for people to understand, agreed. But I'm sure there are many lists of Open Source Best Practices, and I'm concerned that they would be too-easily confused. There'd be no practical way to quickly distinguish between them.

bagder commented 3 years ago

Right, that's certainly true...

GeorgLink commented 3 years ago

Just to throw this out there: When I google "open source best practices", we are not on the first page. When I google "best practices badge" the first page is exclusively about us. At least for now, we "own" that name, with or without CII or OpenSSF.

david-a-wheeler commented 3 years ago

@GeorgLink - that search shows that people can easily find the name only if they include the word "badge". Other people can create badges about open source software in the future, we can't stop them - nor would we want to. I'd like to have a more distinctive "official" name so that even if another badge is created later there's little risk of confusion.

But your search does suggest that we'd better include the word "badge" in the official name. I think we should anyway, but I think your search confirms it.

JonZeolla commented 3 years ago

I feel there is value in the rename for clarity and agree with the proposed changes:

kaywilliams commented 3 years ago

From a marketing/branding perspective, I think I would prefer the following URL:

https://openssf.org/best-practices-badge

Two reasons:

  1. This keeps the website organizational structure in line with the github structure, making it easier for anyone who is familiar with one to find the other.

  2. I suspect we will want to follow a consistent pattern with other OpenSSF projects. For example, we have been discussing exposing the security metrics dashboard at the following URL:

https://openssf.org/metrics

This will be a good question to discuss with our marketing committee (once we have this established. :-))

david-a-wheeler commented 3 years ago

https://openssf.org/best-practices-badge

That won't work; it needs its own domain. The best practices badge runs on a different computer system, uses a different programming language, has its own database, etc. We could try to hide that, but that would create a lot of inefficiencies & effort for no obvious gain. It'd be a leaky abstraction anyway, so we're just creating problems.

Since it must have its own domain, there are several options:

  1. Do nothing (always an option).
  2. Something short like "bestpractices.dev".
  3. Something under openssf.org, e.g., "bestpractices.openssf.org". The problem with this is that the URL is very long. A big complaint about the current system is that its URLs are too long.

kaywilliams commented 3 years ago

Perhaps 'badge.openssf.org' (and also 'badge' as github repo name)? We can describe as 'best practices badge' in the text? A question might be, what if we want to introduce another sort of badge later? We can deal with that at the time, but in general, for simplicity, focus and impact, I think we might want only one badge sponsored by the OpenSSF. Just thoughts for consideration.

david-a-wheeler commented 3 years ago

badge.openssf.org would certainly work, it meets the "must have its own domain" criterion. It also clearly associates it with OpenSSF, which is a plus.

It does have some potential downsides:

  1. It's longer than "bestpractices.dev".
  2. As you noted, there is a potential problem if OpenSSF eventually adds more badges.
  3. I suspect lacking "bestpractices" will make it harder to find via search engines when typing "best practices".
  4. It's been mooted that this should be submitted for formal standardization. I'm not sure it's the right thing to do, but if we do, having its own domain name like bestpractices.dev might be an advantage.

KitsuneRal commented 3 years ago

Arguably, the current badge program is slanted towards security/integrity topics (rather than, say, usability/UI, or software documentation best practices etc.); at the same time, the current badge is really not only about the core infrastructure. So associating with OpenSSF makes sense to me, and "OpenSSF Best Practices Badge" looks spot on.

As for the website name - badge.openssf.org implies the one and only OpenSSF badge, which is not scalable; moreover, it doesn't even say anything about software development, it's somewhat encrypted in the organisation name instead. bestpractices.dev might be a bit too generic but looks pretty cool and very descriptive.

david-a-wheeler commented 3 years ago

I have confirmed that we still have the bestpractices.dev domain. It's generic, but it's short & clear, and that has advantages.

bartlettroscoe commented 3 years ago

Just to be clear, will the BadgeApp site https://bestpractices.coreinfrastructure.org/en/projects be maintained under the new OpenSSF organization (under a new domain related to OpenSSF perhaps)?

The current status seems a little ambiguous since when you go to:

it still says "CII Best Practices Badge Program" but at:

it says:

The Core Infrastructure Initiative (CII) was an effort to improve the security of open-source software.

The CII has been replaced by the Open Source Security Foundation (OpenSSF). Please go to the OpenSSF site for current activities in securing open source software.

This CII website is being retained to preserve historical information and to help with transition to the OpenSSF.

That makes it sound like the CII is no more and the OpenSSF is something new. It does not suggest that efforts started under the CII will be transitioned to the OpenSSF.

When you go to the site:

and search "Best Practices", there are no hits that mention this badge program. The only mention of "Best Practices" that I can find (other than "Security Best Practices") is under the FAQ section "What is the scope of OpenSSF?" at:

which says:

OpenSSF is focused on improving the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It will start with a focus on metrics, tooling, best practices, developer identity validation and vulnerability disclosures best practices. ...

Does this mean that a new best practices effort will be started under the OpenSSF or will the existing BadgeApp site really get transferred over to OpenSSF? Given that there have not been any comments in this GitHub Issue since Jan 27, 2021, that might seem to be a little concerning to an outsider.

Just looking for clarification.

Thanks!

bartlettroscoe commented 3 years ago

As for the website name - badge.openssf.org implies the one and only OpenSSF badge, which is not scalable; moreover, it doesn't even say anything about software development, it's somewhat encrypted in the organisation name instead. bestpractices.dev might be a bit too generic but looks pretty cool and very descriptive.

I have confirmed that we still have the bestpractices.dev domain. It's generic, but it's short & clear, and that has advantages.

There is a strong emphasis on security practices currently on https://bestpractices.coreinfrastructure.org/en/projects but the set of practices is so comprehensive that I think it could justify a more generic title and URL domain. But I think it would be good to have "opensource" in the name if possible since "bestpractices.dev" is likely too generic.

bartlettroscoe commented 3 years ago

Well, if there is any ambiguity as to the fate of https://bestpractices.coreinfrastructure.org/en/projects it does not seem to be impacting the usage of the site. When I looked at this back on 6/15/2021, there were 3380 total projects on the site and just now on 8/24/2021 that is up to 4015, and the number of projects listed as "Passing 100%" has grown from 582 to 610, so usage of this site seems to be growing significantly even over the last 2 months.

david-a-wheeler commented 3 years ago

@bartlettroscoe - thanks for commenting. Some thoughts.

Just to be clear, will the BadgeApp site https://bestpractices.coreinfrastructure.org/en/projects be maintained under the new OpenSSF organization (under a new domain related to OpenSSF perhaps)?

Just to be clear :-), the CII Best Practices badge is already under the OpenSSF organization. It says so directly in both the active website & the README of the code. For example, the website says:

This project was originally developed under the CII, but it is now part of the Open Source Security Foundation (OpenSSF) Best Practices Working Group (WG).

Going further...

https://www.coreinfrastructure.org/

That makes it sound like the CII is no more and the OpenSSF is something new. It does not suggest that efforts started under the CII will be transitioned to the OpenSSF.

The CII really is no more. I originally didn't want to say "everything in the CII transitioned to the OpenSSF" because the OpenSSF could decide what it wanted to take; not everything transitioned. For example, the "grants" program was a timesink & that did NOT transition. It turns out that saying "send us a request if you want money" led to a huge number of people asking for money, but the ones who most needed money often didn't ask.

But I see the current text could be confusing, I'll try to improve it. I think what I'll do is add, "Most CII work, such as the CII Best Practices badge and the research by Harvard, has been transitioned to the OpenSSF".

When you go to the site: https://openssf.org/ and search "Best Practices", there are no hits that mention this badge program. The only mention of "Best Practices" that I can find (other than "Security Best Practices") is under the FAQ section "What is the scope of OpenSSF?" at: https://openssf.org/#faq

OpenSSF is focused on improving the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It will start with a focus on metrics, tooling, best practices, developer identity validation and vulnerability disclosures best practices. ...

Does this mean that a new best practices effort will be started under the OpenSSF or will the existing BadgeApp site really get transferred over to OpenSSF? Given that there have not been any comments in this GitHub Issue since Jan 27, 2021, that might seem to be a little concerning to an outsider.

If you go to the OpenSSF Best Practices WG site, here:

https://github.com/ossf/wg-best-practices-os-developers

You clearly see that the CII Best Practices badge is a part of it.

The OpenSSF FAQ covers the OpenSSF as a whole; it intentionally doesn't try to repeat what each working group is doing. However, we could make it easier. One way would be to add links (in several places) from the FAQ to the individual working groups. Then it'd be easier to follow the chain.

bartlettroscoe commented 3 years ago

the CII Best Practices badge is already under the OpenSSF organization. It says so directly in both the active website & the README of the code.

@david-a-wheeler, thanks, that is great to hear. I should have searched for "OpenSSF" on the page https://bestpractices.coreinfrastructure.org/en. It is right there at the bottom of the second paragraph.

However, it is a little confusing with the big "CII" branding on that page and that site and the upper right:

[image]

and the first paragraph mentions the "CII" in the present tense:

The Linux Foundation (LF) Core Infrastructure Initiative (CII) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices.

At first glance that might suggest that that page is out of date when you compare it to the page https://www.coreinfrastructure.org/ which uses "CII" in the past tense.

The Core Infrastructure Initiative (CII) was an effort to improve the security of open-source software.

What is confusing here is that the former page is describing the CII Best Practices Badge in present tense while the latter page is describing the CII (which is a different thing) in past tense.

Branding is a hard thing I guess. If you rebrand the current site/project as something other than CII Best Practices (Badge Program), then people who knew it as the "CII Best Practices (Badge Program)" will not be able to easily find it. But if you keep the CII branding, it might confuse people like it confused me and make them think it is part of a now-defunct initiative.

I guess my suggestion would be to play down "CII" and come up with new branding that is somewhat more generic if possible. Or, keep "CII" but don't ever spell out "Core Infrastructure Initiative" initially except to mention what it used to stand for. Otherwise, I don't know.

david-a-wheeler commented 3 years ago

Yes, branding is hard. There are literally thousands of documents & sites that refer to the "CII Best Practices badge"; making that happen represents thousands of hours of effort. Renaming everything risks throwing all that work away. And we're having success getting people to use it :-).

I've modified https://www.coreinfrastructure.org/ to say:

In particular, the CII Best Practices badge work continues as part of the OpenSSF Best Practices Working Group, while the CII research conducted via Harvard continues as part of the OpenSSF Securing Critical Projects Working Group.

...with various links. I have hopes that will reduce confusion.

Modifying the enlarged badge image is harder than you think; that requires paying an artist. But it's probably a good thing to do long-term. We could then tweak it to "OpenSSF CII" instead of what's currently spelled out. But let's try to eliminate confusion right now, instead of waiting for that.

bartlettroscoe commented 3 years ago

I've modified https://www.coreinfrastructure.org/ to say:

In particular, the CII Best Practices badge work continues as part of the OpenSSF Best Practices Working Group, while the CII research conducted via Harvard continues as part of the OpenSSF Securing Critical Projects Working Group.

...with various links. I have hopes that will reduce confusion.

@david-a-wheeler, thanks, that actually helps a lot. That updated text would have set me at ease immediately with no need for further investigation.

And thanks again for the great work that you and others have done with the CII Best Practices Badge Program! I was going to be super bummed with the thought that it might not be continued. I just hope I can be successful in selling it in my little part of the world (I am working on a short article on it right now actually).

david-a-wheeler commented 3 years ago

I've made a number of additional edits to the CII website so that visitors to the CII website will quickly realize that things have transitioned over to the OpenSSF, and that the badging & research work continue. For example, I went through the FAQ and edited its entries so it's clearly past tense & points people to the OpenSSF. I think that will reduce the likelihood of confusion in the future.

david-a-wheeler commented 2 years ago

I just posted the following mail to the CII Best Practices badge mailing list and the OpenSSF Best Practices WG mailing list, with a "cc" to the OpenSSF TAC:

=====

I propose renaming “CII Best Practices Badge” to the “OpenSSF Best Practices Badge”, as discussed here: https://github.com/coreinfrastructure/best-practices-badge/issues/1515

The "CII Best Practices badge” name has a problem: the Core Infrastructure Initiative (CII) no longer exists. For example, at the last OpenSSF governing board (GB) meeting I was asked to please remove CII from the name since CII doesn’t exist any more. In addition, searching for “CII Best Practices” is likely to lead you to Best Practices of the Construction Industry Institute (CII)... which is confusing.

This project has been part of the OpenSSF Best Practices Working Group for a while, so using the OpenSSF name makes sense. I had worried that this simple name might be confused with other best practices efforts, but the other efforts have been creating names that make them easily distinguished anyway (Scorecard, SLSA, etc.). So I think the risk of confusion isn't great.

No name is perfect. If someone has a strong objection, though, I’d like to hear it now.

Note: we’ll change the text, and later the logo. We’ll want to eventually switch to a new shorter domain, with forwarding from the current one, but that’s a separate topic.

GeorgLink commented 2 years ago

Sounds good to me.

jaltman commented 2 years ago

I propose an alternate name OpenSSF Practicing Open Source Security Badge. Both the "CII Best Practices Badge" and "OpenSSF Best Practices Badge" fail to indicate what is being practiced.

david-a-wheeler commented 2 years ago

@jaltman said:

I propose an alternate name OpenSSF Practicing Open Source Security Badge

I'm not a fan of this. The "Practicing..." phrase is pretty awkward. It looks like we're practicing on unused software so we can someday learn to be secure. This might imply that the criteria are a strict subset of security-specific criteria, but in fact we have criteria about general quality and sustainability (because low-quality or non-sustainable projects end up being driven toward poor security).

Finally, we've used the phrase "Best Practices" everywhere; keeping that phrase will make it easier for people to see a continuation (and also make it easier to find the project if they know the old name).

jaltman commented 2 years ago

@jaltman said:

I propose an alternate name OpenSSF Practicing Open Source Security Badge

I'm not a fan of this. The "Practicing..." phrase is pretty awkward. It looks like we're practicing on unused software so we can someday learn to be secure. This might imply that the criteria are a strict subset of security-specific criteria, but in fact we have criteria about general quality and sustainability (because low-quality or non-sustainable projects end up being driven toward poor security).

Finally, we've used the phrase "Best Practices" everywhere; keeping that phrase will make it easier for people to see a continuation (and also make it easier to find the project if they know the old name).

Just because "Best Practices" has been used previously doesn't make it a good name. Neither "CII Best Practices Badge" nor "OpenSSF Best Practices Badge" describes what the practices are. Are they best practices for baking chocolate chip cookies? Or best practices for project marketing? I think we can do better and name the badge in a way which indicates that its presence means that the project is "practicing" (adjective, "actively working at a profession" or "actively following a way of life or philosophy") in a way that helps secure the open source software ecosystem.

Another suggestion: "OpenSSF Securing Open Source Badge".

bartlettroscoe commented 2 years ago

Another suggestion: "OpenSSF Securing Open Source Badge".

Just my two cents, but by putting too strong an emphasis on security right in the title, you may turn off projects that are not as security critical (or don't think they are as security critical). The advantage of the current "CII Best Practices Badge" title is that it can attract a wide range of projects, and it is not until they dig deeper that they find the high emphasis on security (at which point they have hopefully seen the breadth of the practices to know this goes way beyond just security). And OpenSSF stands for "Open Source Security Foundation", so listing "security" again is just redundant?

david-a-wheeler commented 2 years ago

@jaltman said:

Just because "Best Practices" has been used previously doesn't make it a good name. Neither "CII Best Practices Badge" nor "OpenSSF Best Practices Badge" describes what the practices are? ... Another suggestion: "OpenSSF Securing Open Source Badge".

I like this suggestion more.

However, the OpenSSF is itself focused on open source software security, so I think including OpenSSF in the name is enough. That doesn't make it true, but that's my thinking anyway :-).

kaywilliams commented 2 years ago

As stated in the issue, the primary driver of this name change is to rebrand from CII to OpenSSF. Let's stick with rebranding for now. We can discuss potential renaming in the future as we think more deeply about the relationship of Best Practices Badge, Scorecard, SLSA and other types of software 'labeling' in the future.

One step at a time.

David Wheeler, Brian Behlendorf, I recommend moving forward expeditiously with rebranding the Best Practices Badge from CII to OpenSSF. The decision to transition CII assets into OpenSSF was made more than one year ago by the OpenSSF GB, TAC and Best Practices WG. This change is non-controversial. Let's move forward.

jaltman commented 2 years ago

As stated in the issue, the primary driver of this name change is to rebrand from CII to OpenSSF. Let's stick with rebranding for now.

My suggestion of alternate names was in the hope there could be quick consensus. As there is not, please move ahead with "CII" -> "OpenSSF".

TonyLHansen commented 2 years ago

OpenSSF Open Source Best Practices Badge

Gets the rebranding to "OpenSSF", and ADDS the information as to WHAT it is that the best practices are for.

bagder commented 2 years ago

OpenSSF Open Source Best Practices Badge

This gets my vote as the best one so far. :100:

david-a-wheeler commented 2 years ago

We can discuss potential renaming in the future as we think more deeply about the relationship of Best Practices Badge, Scorecard, SLSA and other types of software 'labeling' in the future.

There's little functional difference between "rebranding" & "renaming", and it's important that we do a rename exactly once and never again. There's a lot of work to rename a project like this. For example, a new logo needs to be created by a graphics designer, the new badge display has to get created & everyone who forces image sizes has to change their codes, and all the natural language translators have to make many changes. The biggest effort, though, is getting the word out. I've spent many months getting the word out using this particular name, and it will take many months of effort to get people aware of the new name. Every rename has the risk of losing people; we don't want to lose people twice.

TonyLHansen commented 2 years ago

Too bad the core infrastructure initiative wasn't just subsumed into OpenSSF as a sub-initiative. That way we could have just stamped "OpenSSF" onto the logo, added OpenSSF in front of "CII" everywhere it was already printed, and left everything else the same.

david-a-wheeler commented 2 years ago

@TonyLHansen - can't change the past :-). In any case, changing the name (even just CII to OpenSSF) is a big deal, because it's going to take a lot of work to get that information out to everyone.

bagder commented 2 years ago

If there's a lesson to be made here, isn't that to not embed the org name in the product name? Or are we in a "this will never happen again" mood?

david-a-wheeler commented 2 years ago

This discussion has become longer, but I guess that's expected.

This discussion led to several possible names:

  1. OpenSSF Best Practices Badge
  2. OpenSSF Open Source Best Practices Badge
  3. OpenSSF Securing Open Source Badge
  4. OpenSSF Practicing Open Source Security Badge

I would definitely prefer the first two names over the others. Would it be okay to put just those two out for a vote? We could include all 4, but then I'd probably want to use ranked voting and that's more complicated.

david-a-wheeler commented 2 years ago

@bagder said:

If there's a lesson to be made here, isn't that to not embed the org name in the product name? Or are we in a "this will never happen again" mood?

Ouch! Yes, that's possibly a good lesson to learn. But there's a strong desire in everyone at the OpenSSF I've talked to that it should include the foundation name, if nothing else because it clearly distinguishes it.

"Never again" is hard to prove :-). But I don't think a new org is likely in the foreseeable future. It turns out to be really hard to get many different organizations to work together & I doubt anyone will want to re-do the work. Also, the CII had some crazy rules about unanimous agreement before some things could happen - and trust me, it's hard to get unanimous agreements about anything. The OpenSSF is imperfect, like all things involving humans, but they've avoided that & learned other lessons.

david-a-wheeler commented 2 years ago

By the way, if we name the project "OpenSSF Best Practices Badge" or "OpenSSF Open Source Best Practices Badge", we would probably have the short badge show text like this:

openssf best practices | passing

The badge is currently wide, and this would make it slightly wider, but it should still be acceptable.

bagder commented 2 years ago

it should include the foundation name

Yeah, I totally understand where that is coming from. I should probably have used some kind of tongue in cheek emoji... :grin:

kaywilliams commented 2 years ago

Option #2 feels redundant. If we were to expand OpenSSF, the name would be:

Open Source Security Foundation Open Source Best Practices Badge.

#1 says the same thing as #2, but with fewer words.

My recommendation would be to go with #1 (and avoid the vote).


TonyLHansen commented 2 years ago

I thought about the redundancy aspect when I suggested "OpenSSF Open Source Best Practices." Despite that, I still think it is superior. The term "open source" can be thought of as an adjective used in two entirely different contexts. But the problem pointed out several times above is that we need to have something descriptive for "Best Practices", and "OpenSSF" is definitely not a good descriptor for the best practices that the badge is about.

david-a-wheeler commented 2 years ago

After thinking it over, I'd rather just have as the name "Open Source Security Foundation (OpenSSF) Best Practices Badge", aka OpenSSF Best Practices Badge. I think long names are a problem; we want a name that's short & unique. The phrase "Open Source" is part of OpenSSF; I don't think we should say it twice. Just imagine what the GitHub badge would look like if we wanted to have the full name in there; it's already one of the longest in the world (yes, I know the image could be shortened, but it's easier to justify if the name isn't as long).

How strongly do some people prefer the longer name?

(Sorry I haven't been as responsive, I've been busy on the Great MFA Distribution Project.)

kaywilliams commented 2 years ago

+1 to OpenSSF Best Practices Badge


TonyLHansen commented 2 years ago

Consensus rules, Open Source Security Foundation Best Practices Badge it is. (Perhaps the badge or the "shortened form" can emphasize the "Open Source" part?)

david-a-wheeler commented 2 years ago

BTW, I definitely plan to include on the website "(formerly named the CII Best Practices badge)" so that someone looking for it will figure it out :-).

JonZeolla commented 2 years ago

+1 I definitely still agree with that