This charter describes operations as an OSSF Technical Initiative. The Focus section below describes what is in and out of scope, and Governance section describes how our operations are consistent with OSSF policies with links to more detailed documents.
Source. Randall Munroe. Licensed under CC BY-NC 2.5 |
Open Source Software has long suffered from a "tragedy of the commons" problem. Organizations large and small make use of OSS every day, but many projects are struggling for the time, resources and attention they need.
This is a resource allocation problem - and we can help solve it together. We need ways to connect critical projects we all rely on with organizations that can provide them with support.
Whether it is dedicated help from specialized experts or simply grant money or cloud credits, we recognize that no two projects are the same, and support can come in many shapes. We intend to work with upstream maintainers to understand what help and support they need, and then develop scalable processes to make this help available.
To the best of our efforts, the goals of the working group are:
For more details, see our MVSR
Securing Critical Projects: List of Critical Open Source Projects, Components, and Frameworks is our current (in progress) list of critical OSS projects.
For our purposes, a critical OSS project is an OSS project that can have an especially large impact if it has a significant unintentional vulnerability, or if it is subverted in either its source repository or distribution package(s). There are literally millions of open source software (OSS) projects today, making it difficult to create a focused list of "critical OSS projects".
The list of critical OSS projects was developed for the Great MFA Distribution Project by the OpenSSF Securing Critical Projects Working Group (WG). This OpenSSF working group has been specifically working on this problem!
There are many ways to identify "critical" projects, so the Securing Critical Projects WG combined the results of several different analyses (the analyses are also called "Selection Criteria"), The WG then used human group review of this combined set of top candidates to create a final defensible list. The analyses ("selection criteria") for identifying candidate critical OSS projects included:
Every method for identify critical OSS projects has its strengths and weaknesses; we believe the combination of analysis combined with human review is better than trying to do any one of them. For example, high criticality score tends to emphasize very busy projects; human review can remove projects that are busy but for whatever reason are less critical. Some projects are very important yet not active; by using other measures (not just the OpenSSF criticality score) we can still identify them.
We have no doubt that other OSS projects will be added to the critical OSS projects list over time. If you're interested in helping to do that, please join the working group.
WG-Securing-Critical-Projects operations are consistent with standard operating guidelines provided by the OSSF Technical Advisory Committee TAC.
Meetings will all be published on the OSSF Community Calendar.
We have a public email list available here: https://lists.openssf.org/g/openssf-wg-securing-crit-prjs
You can also join us for day-to-day conversations on slack: https://openssf.slack.com/messages/wg_securing_critical_projects
Meeting Notes and Agendas are available on Google Drive.
Meeting Recordings are available on Youtube at: https://www.youtube.com/playlist?list=PLVl2hFL_zAh-cAfx6y4k-fODfbHeQzb_O.
This group is chaired by Amir Montazery (OSTIF) and Jeff Mendoza (Kusari).
Full details of process and roles are linked from governance README.
See information on identifying critical projects
Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.
Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.