ossf / wg-best-practices-os-developers

The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.
https://openssf.org
Apache License 2.0

Complete crosslink between OSSF and InnerSource Commons SCM guidance #557

Open JustinGOSSES opened 2 days ago

JustinGOSSES commented 2 days ago

Hi! I want to get some feedback before submitting a PR. This is directed at the Source-Code-Best-Practices content

The InnerSource Commons (ISC) is a foundation that "is a thriving community that empowers organizations and people worldwide to apply and gain the benefits of open collaboration in their internal work."

One of the recent projects of the ISC is content related to managing InnerSource at the program level, currently being integrated into a pre-existing GitBook. Part of that effort is guidance on source code management (SCM) for internal-only code platforms. Currently, only GitHub is covered, but there's a GitLab version in the works. The SCM section in the GitBook has a link (https://innersourcecommons.gitbook.io/managing-innersource-projects/innersource-tooling) to the OSSF SCM guidance:

> We also encourage you to read the OSSF's (Open Source Security Foundation's) [Source Code Management Configuration Best Practices guide](https://best.openssf.org/SCM-BestPractices/) for a perspective focused entirely on security.

Would the ossf/wg-best-practices-os-developers repo be willing to cross link back to the ISC SCM guidance document as we have linked to yours?

There's a lot of overlap between the two guidance docs but also different perspectives taken, which I think is valuable. While OSSF's guidance focuses on individual settings and seems to imagine a scenario where a single instance is used for both public facing code and internal code, ISC's guidance focuses on layering settings and imagines a scenario where a single instance is only used for internal code.

I could imagine the cross-link being placed either in the first paragraph of the OSSF SCM guidance, similar to what is done on the ISC side, or as an additional section at the bottom of the page after all the guidance that's titled "Other perspectives" or something similar.

david-a-wheeler commented 2 days ago

Quick note, the official abbreviation for the Open Source Security Foundation is "OpenSSF" not "OSSF".

When we cite specific items (e.g., to give credit), we of course include citations.

As far as a general cross-link, we tend to hesitate if it's a for-profit organization, but it appears this is a non-profit. I'll ask & see if we have some policy against it; I don't know of one, but that probably should be checked. We have a lot of contributing organizations & we don't want to be unfair to any.

JustinGOSSES commented 1 day ago

Thanks for the quick response. I'll correct that acronym spelling on the InnerSource Commons side.

Yep, totally makes sense to check for existence of a cross-linking policy.