ossf / wg-endusers

OpenSSF Endusers Working Group
https://openssf.org/
Apache License 2.0

Open source consumption manifesto clarification: "tooling and processes that support a recall ability" #5

Closed joshuagl closed 1 year ago

joshuagl commented 1 year ago

The recently merged consumption manifesto includes this action:

Adopt and develop open source consumption management tooling and processes that support a recall ability similar to those in other industries.

I don't understand what's being suggested here, especially with the reference to a recall ability. Can someone help me understand? I'd be happy to file a PR to try and clarify the statement once I understand it.

thiswayman commented 1 year ago

@joshuagl I think the language needs to be adjusted here slightly as we've begun to refine this idea. However, the general idea is similar to the recall notifications (notification will likely replace recall) that go out for other manufactured goods in the US.

For example, in the case of defective airbags by Takata, manufacturers send a notification to the owner (user in the case of software) of the existence of the defect along with a description of the severity of the risk and how it needs to be remedied. That could include returning the vehicle to the manufacturer in the case of physical goods. For software, this is disclosure of the inclusion of open source software identified with vulnerabilities that could impact the end user.

Happy to chat more about this in the call or whatever medium works best.

ctcpip commented 1 year ago

Upon reviewing this document, this was the only line that stood out to me. If it's about vulnerability disclosure, then this should be clarified. I don't grok the analogy to recall at all.

thiswayman commented 1 year ago

After a conversation in today's EU meeting, I rewrote this bullet based on the suggestions there. PR for this change is here: https://github.com/ossf/wg-endusers/compare/main...thiswayman:wg-endusers:patch-3.

joshuagl commented 1 year ago

Adopt tooling, best practices, and processes to (1) continuously track, measure, and improve the security of open source software being consumed

is the intention here to suggest that manifesto proponents/adopters are contributing to the security of the open source components they are using?

thiswayman commented 1 year ago

@joshuagl I don't believe the intent is to be that descriptive in the manifesto (though we could). However, deeper best practices (beyond the scope of the principles we've listed) do suggest that contribution upstream will improve security downstream, so I don't see why not.

jonmuk commented 1 year ago

closed - completed