Gather data for "1-pagers" for OpenSSF projects to contextualize them for those new to OpenSSF

[webchick]

What

There's an initiative from the Marketing Committee to gather up some standard info about Who/What/Where/When/Why/How on each of the new OpenSSF projects that have launched / are launching soon, in some kind of digestible format for those new to the OpenSSF.

Here's an example "1-pager" from a similar CNCF project, supplied by Lori Lorusso:

UPDATE: Here is a REAL prototype to feedback on at https://github.com/ossf/DevRel-community/issues/35#issuecomment-2091076847 until May 16

Why

The goal is to raise awareness of these important projects to folks outside of the OpenSSF, but ideally also to attract new contributors who would have knowledge/interest in these projects.

How

Here's a Google Form of questions we want to answer available (this has already been reviewed by DEI committee for inclusive language): https://docs.google.com/forms/d/1C83x5V0lPdbH5oJemWK2-zVels0XGCo64k4_uUkUb4o/viewform?edit_requested=true

Implementation-wise, everyone is SUPER busy, so our "low-calorie" idea to get this done was for members of the DevRel committee to join these projects' meetings and ask for 5 mins of time on the call to get them answered by the folks there, and then document the answers for them in the form so they're centrally collated.

Ideally, these conversations would be recorded so we can use the exact words these folks use when talking excitedly about the "whys" of their project and what pain points it solves.

Who

List of projects and who's planning to take them:

• [ ] OpenVEX @LoriLorusso
• [x] S2C2F @Tabatha
• [x] SBOMit @katherined
• [x] Gittuf @webchick
• [ ] GUAC @Arvind644
• [ ] protobom

Future Directions

• Expand out from projects to also cover WGs
• Perhaps eventually compile these interviews into a cool short-form video like https://openssf.slack.com/files/U03TQ8QEFNW/F06F7GP3ETH/ossf_alpha-omega_1890_.mp4

[webchick]

Ok figuring this out for gittuf took a bit of time, but based on some spelunking, I figured out they have a #gittuf Slack channel on OpenSSF Slack, it looks like they meet the first Friday of every month at 9am Pacific, and from the look of their Contributor Graph, I'm going to go out on a limb and say that https://github.com/adityasaky is most likely the right person to be asking these questions. :)

I've added our thing to the agenda of that meeting on March 1 and will report back what I learn!

[LoriLorusso]

Hi! I am happy to take on OpenVex.

[Arvind644]

Hii, I am happy to take on GUAC.

[webchick]

Awesome! 😎 Thanks so much for the help! Added you both to the issue summary.

[webchick]

I've made a new 1-pager drafts folder in the DevRel Community Drive to capture these. Feel free to add your own there, too!

Here's an initial draft for Gittuf, based on notes from our discussion on the earlier Gittuf Community Meeting.

I intend to clean this up a bit and then send to the team for review before submitting the form formally. 🥁 🤣

[kdruckman]

I've added the draft for SBOMit to the above DevRel drive folder, compiled with help from the SBOMit WG (Thank you, Ian Dunbar-Hall!) and an OpenSSF blog post.

[tabathad]

I've added the draft for S2C2F to the 1-pager folder that was created from discussion during this week's S2C2F meeting, S2C1F strategy documents, and direct contribution from Adrian Diglio.

[webchick]

We met during Office Hours today to discuss this initiative. Looks like we have the content from at least 3 of the projects availalble, so @kdruckman is going to take a stab at mocking up one of these in a pretty 1-pager format. <3

[webchick]

Ok, here is @kdruckman's initial stab at the 1-pager for SBOMit! You can see the full version here: https://docs.google.com/presentation/d/1YLW0pKSVsFKXjpF4iu28C3MgP4-4O7ZoM0SaB8oddQg/edit?usp=drive_link

(Ignore the QR code for now; it'll eventually point to https://sbomit.dev/)

We'd like to time box feedback to 2 weeks (so until May 16) and would love thoughts on:

• If you were brand new to this project, does this give you enough information to quickly ascertain the "what" and the "why"?
• Are there key missing details that people new to the project might want to know?
• <any other thoughts you might have! :)>

Also see #42 which came up as we were talking.

[SecurityCRob]

Neat! I learned a lot reading this. I don't know what might be missing. MOAR please!!

[funnelfiasco]

Hii, I am happy to take on GUAC.

@Arvind644, I just joined Kusari as the Open Source Community Lead. Happy to help you with the GUAC 1-pager if you'd like (or if you don't have time, I can take on a first draft)

[jkjell]

The SBOMit 1 pager is 🤩. One of the things I really like about SBOMit, is that it builds on the in-toto and protobom projects. Those details probably don't matter for the first two bullet points above but, it might be cool to have a "related projects" callout. Also, depending on how/where the 1-pagers are shared, including the related projects could be helpful for discovery.

[funnelfiasco]

I like the SBOMit one-pager overall, and the written content is very informative. It might help to tighten up the first paragraph, though. Something like "Fortify software supply chain security by making SBOMs tamper-proof and accurate. Mitigate the risk of malicious attacks with reliable and integrityable SBOMs." ("integrityable" is not a word, but I don't think the English language has a word for it so maybe we try to find a synonym or just go with "reliable SBOMs there)

If you were brand new to this project, does this give you enough information to quickly ascertain the "what" and the "why"?

I get the what and the why, but...

Are there key missing details that people new to the project might want to know?

...it's not clear where the SBOMit file from which I derive my SBOMs comes from. Is SBOMit a tool, a format, both?

<any other thoughts you might have! :)>

This thought will depend on how these 1-pagers get published, but the links are too long to be helpful in a printed form. If it's intended to be an online document, then the links should be hyperlinks without the URL displayed. If it's intended to be printed or shown in slides, etc, a QR code would be better. (Or maybe have both so it can be used in any format?) The more I think about it, I wonder if the first two links are worth including instead of just the project website (which is listed in small font at the top), which should have links to both the repo and the docs anyway.

For the meetings, it might be helpful to link to a calendar entry instead of the Zoom URL. There's no information to tell the reader which Wednesday is "every other Wednesday" otherwise.

[webchick]

AMAZING feedback so far, folks! 🤩 Please keep it coming!