ossf / tac

Technical Advisory Council
https://openssf.org

[Technical Initiative Funding Request]: RSTUF Cloud/k8s deployment costs for tests, demo and validations #315

Open kairoaraujo opened 2 months ago

kairoaraujo commented 2 months ago

Problem Statement

RSTUF deployment on Cloud/K8s for demos and tests

Who does this affect?

Financial expense of RSTUF author/maintainer

Have there been previous attempts to resolve the problem?

No

Why should it be tackled now and by this TI?

RSTUF is part of the OpenSSF sandbox

Give an idea of what is required to make the funding initiative happen

Currently, RSTUF Author/Maintainer Kairo de Araujo (@kairoaraujo) spends over 1000€ a year supporting a live deployment of RSTUF that serves for tests, demos, and verification of no breaking release updates. The deployment now lives in https://api.rstuf.kairo.dev. Kairo de Araujo is looking for funding to support it and move to https://rstuf.org (domain also maintained by @kairoaraujo).

What is going to be needed to deliver this funding initiative?

An account or credits to deploy RSTUF in a cloud service on Kubernetes

Are there tools or tech that still need to be produced to facilitate the funding initiative?

No

Give a summary of the requirements that contextualize the costs of the funding initiative

The entire cost here is to deploy one or two Kubernetes clusters for RSTUF.

Who is responsible for doing the work of this funding initiative?

Kairo de Araujo (@kairoaraujo)

Who is accountable for doing the work of this funding initiative?

Kairo de Araujo (@kairoaraujo)

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

Martin Vrachev (@MVrachev)

Which technical initiative will this funding initiative be associated with, and will it report to which WG or project?

Securing Software Repositories WG

What license is this funding initiative being used under?

MIT

Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

Kairo hopes to have this approved and deploy the cluster as soon as possible, as he pays the costs monthly.

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

N/A

mlieberman85 commented 2 months ago

I am in favor of this proposal, but be aware that at least for this year there's no interest to run public services, so can you also include information on who would have access from an Admin perspective and who the intended users of those tests might be?

kairoaraujo commented 2 months ago

@mlieberman85, RSTUF maintainers are the users. It is not intended to run a public service. If you see the current API (https://api.rstuf.kairo.dev), it requires API Key authentication.

The intended users are the RSTUF Maintainers, who will run different tests, such as updating the version to verify the consistency of the TUF metadata and releases and running processes such as key rotation, key revocation, etc.

mlieberman85 commented 2 months ago

Thanks, that clarifies!

steiza commented 1 month ago

I am also in favor of this proposal! There are some promising early results on using RSTUF to secure RubyGems and Warehouse (Python) package indexes.

simi commented 1 month ago

I do support this. Current RSTUF infra is really useful for adopters (like RubyGems.org). I'm happy to help as well if needed.

steiza commented 1 month ago

We discussed this on the TAC call, but it's a good idea to document here as well. Note that this is not a request to fund a long-running service (like the Sigstore Public Good Instance). Rather, this is to fund the RSTUF development instance, while the codebase is developed. The RSTUF instances that will run after development is complete will be the operational responsibility of the package managers (like RubyGems or Warehouse), not the OpenSSF.

sevansdell commented 1 month ago

In support.

bobcallaway commented 1 month ago

SGTM

SecurityCRob commented 3 weeks ago

I do not see a specific amount being requested nor a time-boundary for the duration of the funding. I see "The entire cost here is to deploy one or two Kubernetes clusters for RSTUF.", but nothing defining what the actual request is.

sevansdell commented 3 weeks ago

I do not see a specific amount being requested nor a time-boundary for the duration of the funding. I see "The entire cost here is to deploy one or two Kubernetes clusters for RSTUF.", but nothing defining what the actual request is.

Good call. Is there an estimate, or a cap "up to" desired?

kairoaraujo commented 3 weeks ago

Hi @SecurityCRob and @sevansdell. To make it more specific, I'm requesting 1000 EUR of cloud credit. It is enough to run the project for one year.

SecurityCRob commented 3 weeks ago

Perfect, tyvm. The TAC will discuss this in our next call (11 June).

sevansdell commented 3 weeks ago

I am supportive. I will miss the June 11 TAC meeting and am trying to be proactive. :)

SecurityCRob commented 2 weeks ago

+1 for me

bobcallaway commented 2 weeks ago

LGTM as well

lehors commented 2 weeks ago

+1

lehors commented 2 weeks ago

Per the 11 June 2024 TAC call, this has been approved: "recording 7 yes votes and 0 no votes and sarah said yes offline** - passes" https://docs.google.com/document/d/1-zrtagRnPd75TDT1zRxrtxE9SpMIBJdPmaolaw4woQA/edit

lehors commented 2 weeks ago

This is reflected on the dashboard: https://github.com/orgs/ossf/projects/25

hythloda commented 2 weeks ago

Thanks for the TAC recommendation.

As documented in the TI Funding Process, for this level of funding the next step is that the OpenSSF General Manager, @omkhar, or his delegate will review this proposal.