The purpose of the Metrics & Metadata (formerly Identifying Security Threats) working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
I propose that the "CII Best Practices badge" project be moved into this "Identifying Security Threats" WG as a sub-project, because this WG has a strong focus on metrics. I would continue to maintain the badge project on behalf of this WG. I also propose that changes to the criteria be coordinated between this WG and the best practices WG. Finally, I propose that the next WG meeting vote on this.
The badging project was created as part of CII, but CII had a 3-year term that has since expired. The LF has continued to fund some work, such as the Best Practices badge work, because it seemed desirable to keep them going. Now that the OpenSSF exists, it seems reasonable to move such projects into the OpenSSF if the OpenSSF wants them. The OpenSSF TAC (which met today) seemed to think it was reasonable, but wanted to make sure that the "receiving" WG was okay with it. I know of nothing that prevents the LF from transferring it to some OpenSSF WG, but that WG must be okay with it!
One complication is that there are really two WGs that would be sensible OpenSSF homes for the CII Best Practices badge: The Best Practices (including education) WG and the Identifying Security Threats (including metrics) WG. I think it's important that it have a single home, and this issue proposes moving it to the "Security Threats" WG because of its metrics focus. However, it's very important that both WGs coordinate. Therefore, I recommend that proposed criteria changes be voted on by both groups (combined), to ensure that everyone's viewpoints are considered. (An alternative would be to move the CII Best Practices Badge into the Best Practices WG, and then both groups vote together. But no matter what, I think it's important to ensure both WGs work together on this, no matter what form it takes.)
I don't believe this directly affects the OpenSSF budget. It takes some money to keep the website running and do occasional maintenance (updating vulnerable libraries, responding to GDPR requests, etc.). But it's relatively small, so I believe the LF will just continue to fund it at that level. If there's a significant increase in effort (e.g., a huge new scope for the project), then that would need a separate discussion.
Alternative approaches welcome!
@kaywilliams @rhaning - I believe this issue, along with others I'm filing, meets the assignment to me at the TAC meeting today 2020-09-22.
Note that this issue partially supports Strategy committee #8 and TAC issue #26, and is consistent with the proposal to the GB that I developed on how to integrate CII work into the OpenSSF should the OpenSSF choose to do so.
kaywilliams
commented
4 years ago
I propose that the "CII Best Practices badge" project be moved into this "Identifying Security Threats" WG as a sub-project, because this WG has a strong focus on metrics. I would continue to maintain the badge project on behalf of this WG. I also propose that changes to the criteria be coordinated between this WG and the best practices WG. Finally, I propose that the next WG meeting vote on this.
As many of you know, the CII Best Practices badge (website, repo) identifies a set of best practices for open source software (focusing on security) and provides badges to projects meeting various criteria. There are over 3,300 particiapting projects and over 400 projects with a badge.
The badging project was created as part of CII, but CII had a 3-year term that has since expired. The LF has continued to fund some work, such as the Best Practices badge work, because it seemed desirable to keep them going. Now that the OpenSSF exists, it seems reasonable to move such projects into the OpenSSF if the OpenSSF wants them. The OpenSSF TAC (which met today) seemed to think it was reasonable, but wanted to make sure that the "receiving" WG was okay with it. I know of nothing that prevents the LF from transferring it to some OpenSSF WG, but that WG must be okay with it!
One complication is that there are really two WGs that would be sensible OpenSSF homes for the CII Best Practices badge: The Best Practices (including education) WG and the Identifying Security Threats (including metrics) WG. I think it's important that it have a single home, and this issue proposes moving it to the "Security Threats" WG because of its metrics focus. However, it's very important that both WGs coordinate. Therefore, I recommend that proposed criteria changes be voted on by both groups (combined), to ensure that everyone's viewpoints are considered. (An alternative would be to move the CII Best Practices Badge into the Best Practices WG, and then both groups vote together. But no matter what, I think it's important to ensure both WGs work together on this, no matter what form it takes.)
I don't believe this directly affects the OpenSSF budget. It takes some money to keep the website running and do occasional maintenance (updating vulnerable libraries, responding to GDPR requests, etc.). But it's relatively small, so I believe the LF will just continue to fund it at that level. If there's a significant increase in effort (e.g., a huge new scope for the project), then that would need a separate discussion.
Alternative approaches welcome!
@kaywilliams @rhaning - I believe this issue, along with others I'm filing, meets the assignment to me at the TAC meeting today 2020-09-22.
Note that this issue partially supports Strategy committee #8 and TAC issue #26, and is consistent with the proposal to the GB that I developed on how to integrate CII work into the OpenSSF should the OpenSSF choose to do so.