ossf / tac

Technical Advisory Council
https://openssf.org

Document the technical interlock between the Marketing Advisory Council (MAC) and TAC #313

Closed sevansdell closed 4 months ago

sevansdell commented 5 months ago

The Marketing Advisory Council (MAC) works on OpenSSF Marketing. MAC interlocks with LF and OpenSSF Staff Marketing (who attend TAC calls and have TAC time for updates). The MAC also has the ability to interlock with the Governance Committee (opportunity to get on a bi-monthly agenda) and GB (quarterly), where the TAC is represented. Given these interlocks already, what is the desired technical interlock that both the MAC and TAC should directly have together?

The background for this conversation is the introduction of a Special Initiative for India, in which OpenSSF sponsored talks could have more clear "at-a-glance" branding and communication. As an example for talking points, a YouTube video about the OSS project PINNY at first glance makes it appear that it's a paid offering, and also that PINNY is an OpenSSF project. Could it state on the video initial screen shot that PINNY is an open source tool, and that OpenSSF is hosting the talk, not the tool itself?

Would a direct MAC/TAC interlock have helped improve this marketing/technical at-a-glance branding? If so, what is the minimum interlock the two groups should have on an ongoing basis to ensure the TAC fulfills its role for OpenSSF to provide consistent technical oversight?

SecurityCRob commented 5 months ago

The TAC is here to help manage reputational and technical risk for the foundation (The "T" and "A" of our name [Technical Advisory Council]). Approximately two years ago the Governing Board had requested that the TAC review all of our public-facing blogs to ensure they aligned with our values, technical vision, and strategic goals. This request wasn't to add latency to the process or add additional "power" to the group, but rather was to ensure we were outputting collateral that was satisfactorily representative of our membership and added value to the broader community. We are elected or appointed to this role to help balance the needs of the community as well as our members.

No one in the TAC has objections to having a dedicated, focused presence in place like India (which has a long and deep interaction with open source communities), or any other geography that has contributors or members resident. The more people we have following good security practices and using security tools such as our foundation creates, curates, and participates in, the better off it is for the whole ecosystem. We are concerned about not being included in any type of review process or hearing about plans or status on a group that appears to be representing itself as an active member of our community and seemingly presenting a tool that no one in our group has any knowledge of, nor has gone through any of our standard Technical Initiative vetting and processes. PINNY may be an amazing tool, but as presented, it looks as if it is an approved project leveraging our brand and following our requirements and processes, which it does not as of this time. We'd like to see some kind of report out periodically from groups like this, as we have in place for all the other TIs.

I'd love it if the MAC would better collaborate with the TAC and institute some kind of mandatory review period (24-48 business hours perhaps) to allow us to perform our duty as desired by the GB and provide feedback, comments, etc. It is challenging to un-communicate things once they are public, and allowing us the opportunity to catch potential provocative wordings allows us to help manage that brand reputation and avoid as much negative public feedback as possible for us.

sevansdell commented 4 months ago

So far there has been the addition of a Slack channel for the TAC to review guest blogs. What else should we document? I can put the interlock in a PR for TAC procedures interlocking with the MAC.

SecurityCRob commented 4 months ago

TAC & MAC are now included in all blog efforts, and each group is given the opportunity to provide feedback as a native part of the process now. Thanks!