✨Creating the Scorecard Universe ✨

[justaugustus]

With the recent adoption of the Scorecard project charter, we as @ossf/scorecard-maintainers / Steering Committee have a few administrative tasks that need to be completed.

Each heading here will be broken into separate tracking issues, but consider this the umbrella issue for the Scorecard Universe (affectionately coined by @SecurityCRob).

(Note that this items are a rough copy/paste from this week's maintainer's meeting (2024-04-30) and are subject to change as we build out the governance story.)

Project & Steering Committee formation

• [x] Charter approved & posted to GH: https://github.com/ossf/scorecard/blob/main/CHARTER.md, https://github.com/ossf/scorecard/pull/4054
• [x] Add footer to scorecard.dev

  Copyright © OpenSSF Scorecard a Series of LF Projects, LLC For web site terms of use, trademark policy and other project policies please see https://lfprojects.org.

• [ ] (WIP) Stephen to pull AIs from charter, share with community, create governance project board
• [x] Create process for project adoption: https://github.com/ossf/scorecard/pull/4123
• [x] Add @jeffmendoza, and re-poll for preferred meeting time
• [x] Send Steering Committee meeting invites
• [ ] Announce
  • [x] Add Steering details to MAINTAINERS.md: https://github.com/ossf/scorecard/pull/4129

Adopting Allstar

• How do we make this official?
  • [x] Inform both WGs that Allstar is now an OpenSSF Scorecard project: https://github.com/ossf/wg-securing-critical-projects/issues/90, https://github.com/ossf/wg-best-practices-os-developers/issues/502
  • [x] Update WG readmes to reflect this state: https://github.com/ossf/wg-best-practices-os-developers/pull/504, https://github.com/ossf/wg-securing-critical-projects/pull/91
  • [x] Update project documentation to reflect this state: https://github.com/ossf/allstar/pull/517
• [x] Need to merge contributing.md and contributor_ladder.md with Scorecard; sub-projects will not necessarily have to have the same content/process: https://github.com/ossf/allstar/pull/519
• [ ] Will docs stay within sub-project repos or will there be a separate docs repo? Steering committee will decide whether there will be a community repo, docs repo, whether the info is contained on the website or stays in the main project repo, etc.

Adopting Monitor and API Visualizer

• [ ] Turn on DCO
• [ ] Relicense Monitor to Apache 2.0
• [ ] Rename repos, develop naming conventions?

OpenSSF Project Lifecycle

• [ ] Apply for appropriate status in OpenSSF project lifecycle

cc: @afmarcum

[justaugustus]

Follow-up items from today's Scorecard meeting:

• Will anyone be joining from Scorecard Monitor and Scorecard API Visualizer? Yes, once the tasks outlined in the issue are underway, those maintainers will be pulled in more.
• Approval and permissions will be separated by area of expertise (re: GitHub permissions)

[afmarcum]

Adopting Allstar How do we make this official?

From Slack discussion with @justaugustus and @SecurityCRob: Informing the WG is all that is needed.

Once the group is ready, submit issues in the Best Practices WG and Securing Critical Projects WG repos informing of the change. Probably need one in the Allstar repo too, if there isn't one already referencing this issue.

Notify operations@openssf.org to update foundation content as well.

[justaugustus]

Allstar updates:

• Inform both WGs that Allstar is now an OpenSSF Scorecard project: https://github.com/ossf/wg-securing-critical-projects/issues/90, https://github.com/ossf/wg-best-practices-os-developers/issues/502
• Update WG readmes to reflect this state: https://github.com/ossf/wg-best-practices-os-developers/pull/504, https://github.com/ossf/wg-securing-critical-projects/pull/91
• Update project documentation to reflect this state: https://github.com/ossf/allstar/pull/517