Open JLLeitschuh opened 1 year ago
Very interesting! Just to state the obvious, the list has a mix of critical and popular repos. And, while a much more minor consideration, there are also duplicates, e.g., homebrew's two virtualenv packages are likely the same as pypi's virtualenv package, which is likely the same as github's virtualenv repo. Stating this so that it's a bit more clear whether the definitions here or in a-o are changing as a result of this (doesn't look like this is what you're proposing, just making it more clear).
Yep, the purpose of this was to get something that's "correct" to a first approximation. Since 10,000 is a Big Number, we can easily add/remove over time with a relatively low barrier to entry. When we find dupes, we can just remove one of them, and if we want to add others, we can just do it.
Basically, this should be a "living" list that changes over time and without a lot of process. At least, that's how I've been thinking about it.
@JLLeitschuh What's the best way to request a project get added to the list? I would suggest adding https://github.com/DMTF/libspdm if possible as the SPDM standard and this lib is widely used across the data center industry. Thanks.
Thanks @nathan-menhorn! While I'm in favor of very low barriers to entry for this list, libspdm has an ominous statement in their README that suggests that folks shouldn't actually be using it in production:
This package is only the sample code to show the concept of SPDM and should not be considered fit for production.
But to the larger point -- if you or anyone else has a project that you think should be added, it should be very easy to get it added. IMHO.
@scovetta - can we please have a short "key" for the spreadsheet entries? E.g., when it says "criticality_score", what does that mean? I presume that means "it's the top X project as measured by the OpenSSF Criticality Score as of DATE".
The @ossf/alpha-omega team has collected a list of the top 10k OSS projects which we are using as a target for security scanning, vulnerability reporting, and, in the future, as a list of projects that any automated bulk PR generation campaign is required to report vulnerabilities privately to.
We'd like to propose that this list be owned by this WG, both to avoid confusion between your lists and the one @ossf/alpha-omega uses, and also because it seems like the right fit.
https://docs.google.com/spreadsheets/d/1fgj0DOoNC-HpHhokN75AfXk9m02mZDpFt1jpkacohus/edit#gid=0