ossf / tac

Technical Advisory Council
https://openssf.org
Other
109 stars 59 forks source link

[Technical Initiative Funding Request]: RSTUF Security Audit for 1.0.0 #379

Open kairoaraujo opened 2 months ago

kairoaraujo commented 2 months ago

Technical Initiative

Repository Service for TUF / Security Software Repositories Working Group

Lifecycle Phase

incubation

Funding amount

unknown -- help needed

Problem Statement

RSTUF is about to release the 1.0.0, we are moving close to 1.0.0-rc and before the final release we aim to have a security audit. This project is moving to staging phase in the PyPI and RubyGems repository.

Who does this affect?

Public Repository (and or Private repositories)

Have there been previous attempts to resolve the problem?

No

Why should it be tackled now and by this TI?

RSTUF is a project under wg-securing-software-repos (OpenSSF)

Give an idea of what is required to make the funding initiative happen

We require a security audit in the RSTUF projects, to help us to identify possible improvements on this aspect.

What is going to be needed to deliver this funding initiative?

A company/contractor that can run the audit and generate a report for RSTUF maintainers.

Are there tools or tech that still need to be produced to facilitate the funding initiative?

No response

Give a summary of the requirements that contextualize the costs of the funding initiative

Who is responsible for doing the work of this funding initiative?

Kairo de Araujo (@kairoaraujo)

Who is accountable for doing the work of this funding initiative?

Kairo de Araujo (@kairoaraujo)

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

Martin Vrachev (@MVrachev)

What license is this funding initiative being used under?

MIT

Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

By the end of Q4 2024 we want to have the RSTUF 1.0.0 out.

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

No response

steiza commented 2 months ago

Hey @kairoaraujo thanks for submitting this request! This week is the TAC review period for funding request, but we need a specific amount to review this request. Have you had a chance to reach out to folks who might perform the audit to get an idea of the amount needed?

kairoaraujo commented 2 months ago

Hey @kairoaraujo thanks for submitting this request! This week is the TAC review period for funding request, but we need a specific amount to review this request. Have you had a chance to reach out to folks who might perform the audit to get an idea of the amount needed?

Hi @steiza, I requested a quotation for the audit. I will update the issue as soon I have it.

Amir-Montazery commented 2 months ago

Hello. The Open Source Technology Improvement Fund, Inc specializes in exactly this: facilitating and managing security audits for open source projects and communities. We did the php TUF (https://ostif.org/php-tuf-audit-complete/), go TUF (https://ostif.org/go-tuf-on-bugs-ostifs-audit-of-go-tuf/), and python TUF (https://ostif.org/our-audit-of-python-tuf-is-complete-multiple-issues-found-and-fixed/) security audits. So in addition to being an ideal candidate to handle any security audit request, OSTIF has a track record for doing these specific kinds of engagements. I hope you consider engaging us for this request, as we can deliver the intended results.

riaankleinhans commented 1 month ago

/vote

git-vote[bot] commented 1 month ago

Vote created

@riaankleinhans has called for a vote on [Technical Initiative Funding Request]: RSTUF Security Audit for 1.0.0 (#379).

The members of the following teams have binding votes: Team
@ossf/tac

Non-binding votes are also appreciated as a sign of support!

How to vote

You can cast your vote by reacting to this comment. The following reactions are supported:

In favor Against Abstain
👍 👎 👀

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 1month 11days 13h 26m 24s. It will pass if at least 70% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.

riaankleinhans commented 1 month ago

Gitvote was added as a tool to test for stream lining the TI Funding process. The members of the GH group "TAC" can vote by commenting with an +1. -1 or eye on the Gitvote block in this issue. Until the TAC is satisfied with the process the GitVote outcome would not be binding.

Community members can show their support by also voting, however only the "TAC" GH Group's votes will count.

The current passing threshold is 70% and the committee is the TAG GH group. The vote say open fo 6 week and an announcement is sent on the GH/TAC/Discussion

All these parameters can by fine tuned or changed here Please reach out if you have any questions.

marcelamelara commented 1 month ago

I requested a quotation for the audit. I will update the issue as soon I have it.

@kairoaraujo pinging to see if you have an update on this?

kairoaraujo commented 1 month ago

@kairoaraujo pinging to see if you have an update on this?

I had one meeting with one provider yesterday (23rd Sept) and I have another one today (24th Sept). I will have an update soon on this issue.

SecurityCRob commented 1 month ago

A quorum of the TAC met on 17Sept to discuss Q3 TI Funding Requests.

The group reached consensus that pending a quote for the review that this is tentatively approved.

git-vote[bot] commented 1 month ago

Vote status

So far 33.33% of the users with binding vote are in favor (passing threshold: 70%).

Summary

In favor Against Abstain Not voted
3 0 0 6

Binding votes (3)

User Vote Timestamp
SecurityCRob In favor 2024-09-23 18:17:21.0 +00:00:00
bobcallaway In favor 2024-09-23 20:01:48.0 +00:00:00
marcelamelara In favor 2024-09-24 14:42:15.0 +00:00:00
@steiza Pending
@torgo Pending
@mlieberman85 Pending
@lehors Pending
@camaleon2016 Pending
@sevansdell Pending

Non-binding votes (1)

| User | Vote | Timestamp | | ---- | :---: | :-------: | | riaankleinhans | In favor | 2024-09-23 18:14:00.0 +00:00:00 |
git-vote[bot] commented 1 month ago

Vote status

So far 33.33% of the users with binding vote are in favor (passing threshold: 70%).

Summary

In favor Against Abstain Not voted
3 0 0 6

Binding votes (3)

User Vote Timestamp
marcelamelara In favor 2024-09-24 14:42:15.0 +00:00:00
SecurityCRob In favor 2024-09-23 18:17:21.0 +00:00:00
bobcallaway In favor 2024-09-23 20:01:48.0 +00:00:00
@steiza Pending
@torgo Pending
@mlieberman85 Pending
@lehors Pending
@camaleon2016 Pending
@sevansdell Pending

Non-binding votes (2)

| User | Vote | Timestamp | | ---- | :---: | :-------: | | riaankleinhans | In favor | 2024-09-23 18:14:00.0 +00:00:00 | | simi | In favor | 2024-09-30 17:20:43.0 +00:00:00 |
riaankleinhans commented 1 month ago

/cancel-vote

git-vote[bot] commented 1 month ago

Vote cancelled

@riaankleinhans has cancelled the vote in progress in this issue.

sevansdell commented 1 month ago

I see the vote in progress is cancelled. Is the request still open?

steiza commented 1 month ago

Is the request still open?

Yes, a quorum of the TAC approved this on September 17th: https://github.com/ossf/tac/issues/379#issuecomment-2371347503

This was one of the two issues I was asking @riaankleinhans about at the TAC meeting yesterday. On the funding project board it's sitting in Funding Approved but hasn't yet moved to Funding in Execution.

sevansdell commented 2 weeks ago

@kairoaraujo have you received the other quotes?

Amir-Montazery commented 2 weeks ago

Hello everyone, chiming in here. OpenSSF has asked OSTIF to take a look at the proposal and help with moving forward with the security audit. We will take a look and explore next steps.

riaankleinhans commented 2 weeks ago

@kairoaraujo I will send out an email for formalized the process between OpenSSF & OSTIF.