From a551b41ae6d2e8f8537026b2a2e6cae107eb1ebf Mon Sep 17 00:00:00 2001 From: Dana Wang Date: Thu, 11 Jul 2024 13:41:56 -0500 Subject: [PATCH 1/5] Create security_baseline_sandbox_stage.md Signed-off-by: Dana Wang --- .../security_baseline_sandbox_stage.md | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 process/sig-lifecycle-documents/security_baseline_sandbox_stage.md diff --git a/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md b/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md new file mode 100644 index 00000000..9fabea07 --- /dev/null +++ b/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md 
@@ -0,0 +1,35 @@ +## Creation of a new Special Interest Group (SIG) at Sandbox stage + +### Proposed focus, intent, goals, and/or deliverables + +The goal of this SIG is to evolve [OpenSSF security baseline](https://github.com/ossf/tac/blob/a90b9838739ac18df43197fdd89f045c1a1e4dc3/process/security_baseline.md) for Linux Foundation wide adoption. + +### List SIG Lead(s) +The SIG must have a minimum of 1 Lead + * Eddie Knight, OpenSSF Security Insights lead, Sonatype, GitHub ID: eddie-knight + * Michael Lieberman, OpenSSF GUAC lead, Kusari, GitHub ID: mlieberman85 + +### List of interested individuals +The SIG have a minimum of 3 members with 2 different organizational affiliations. + * Adolfo "Puerco" GarcĂ­a Veytia, CNCF kubernetes SIG Release Technical Lead, OpenSSF Protobom, OpenVEX maintainer, Staklock, GitHub ID: puerco + * Justin Cappos, CNCG TUF, in-toto, Uptane, OpenSSF gittuf maintainer, New York University. GitHUb ID: JustinCappos + * David Wheeler, OpenSSF Best Practice Badge maintainer, OpenSSF, GitHub ID: david-a-wheeler + * Dana Wang, OpenSSF security baseline maintainer, OpenSSF, GitHub ID: danajoyluck + +### Governing Body +SIGs may report to an existing OpenSSF Working Group or directly to the TAC as their governing body. The SIG commits to providing the governing body quarterly updates on progress. + * Security Best Practices Working Group + +### SIG References +The SIG should provide a list of existing resources with links to the repository, and if available, website, a roadmap, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the SIG. +| Reference | URL | +|---------------------|-----| +| Repo | | +| Meeting Agenda | | +| OSSF Calendar Entry | | +| Website | | +| Security.md | | +| Roadmap | | +| code-of-conduct.md | | +| Demos | | +| Other | [OpenSSF security baseline](https://github.com/ossf/tac/blob/a90b9838739ac18df43197fdd89f045c1a1e4dc3/process/security_baseline.md) | 
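Review bot: the SIG References table at the end of this hunk leaves the Repo, Meeting Agenda, Security.md, code-of-conduct.md and Roadmap rows empty, which is a gap for a SIG whose deliverable is a security baseline; either fill them in or mark each as "TBD" so reviewers can tell a missing link from an intentional omission. The same hunk has several text defects in the member list: `GarcĂ­a` is a mis-encoded "García", `CNCG TUF` should read `CNCF TUF`, `GitHUb ID` should be `GitHub ID`, `Staklock` should be checked against the organization's actual spelling, and `The SIG have a minimum of 3 members` should be `The SIG must have a minimum of 3 members` to match the wording used for leads.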
From d563c44926d1077afcc3b129de7da13d6b95216d Mon Sep 17 00:00:00 2001 From: Dana Wang Date: Fri, 12 Jul 2024 14:03:43 -0500 Subject: [PATCH 2/5] Update security_baseline_sandbox_stage.md to address feedback from @sevansdell Signed-off-by: Dana Wang --- .../security_baseline_sandbox_stage.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md b/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md index 9fabea07..de738c1a 100644 --- a/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md +++ b/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md @@ -4,6 +4,10 @@ The goal of this SIG is to evolve [OpenSSF security baseline](https://github.com/ossf/tac/blob/a90b9838739ac18df43197fdd89f045c1a1e4dc3/process/security_baseline.md) for Linux Foundation wide adoption. +This SIG creates a venue for other participating foundations to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects. The group will define the right level of risks that the baseline is applicable for, the effectiveness measurement of the baseline, and the adoption path of the baseline at the minimum. + +Members of this group will be from various Linux foundations and entities outside of Linux FOundation. Reducing duplicate effort and achieving a higher level of security across Linux FOundation participating foundations is the starting focus of this group. + ### List SIG Lead(s) The SIG must have a minimum of 1 Lead * Eddie Knight, OpenSSF Security Insights lead, Sonatype, GitHub ID: eddie-knight 
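Review bot: the second added paragraph in this hunk writes `Linux FOundation` twice and speaks of "various Linux foundations", which reads as if several Linux Foundations exist; use `Linux Foundation` consistently and say what is meant (for example, foundations and projects under the Linux Foundation umbrella). The first added paragraph is also hard to parse where it lists deliverables; a clearer form would be "At a minimum, the group will define the level of risk the baseline is meant to address, how the baseline's effectiveness is measured, and the adoption path for the baseline."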
@@ -20,6 +24,8 @@ The SIG have a minimum of 3 members with 2 different organizational affiliations SIGs may report to an existing OpenSSF Working Group or directly to the TAC as their governing body. The SIG commits to providing the governing body quarterly updates on progress. * Security Best Practices Working Group +CRob and Dana Wang had conversations about this inititve. CRob has agreed to be the sponsor of this SIG and welcome the group to join Security Best Practices Working Group. + ### SIG References The SIG should provide a list of existing resources with links to the repository, and if available, website, a roadmap, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the SIG. | Reference | URL | From d0bf83bed1b156f197cab4e1a7eb4136e247567e Mon Sep 17 00:00:00 2001 From: Dana Wang Date: Fri, 12 Jul 2024 18:07:13 -0500 Subject: [PATCH 3/5] Update security_baseline_sandbox_stage.md updated the goal Signed-off-by: Dana Wang --- .../security_baseline_sandbox_stage.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md b/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md index de738c1a..5df42c52 100644 --- a/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md +++ b/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md 
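Review bot: the added `+CRob and Dana Wang had conversations ...` line sits directly after the `* Security Best Practices Working Group` list item with no blank line between them, so Markdown renders it as a continuation of that bullet rather than a new paragraph; add a blank line before it (and drop one of the two blank lines that now follow it). In the same line, `inititve` should be `initiative`, `welcome the group` should be `welcomed the group`, and since this is a governance record the sponsor should be identified by full name and role the way the leads and members are elsewhere in the document.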
@@ -4,9 +4,12 @@ The goal of this SIG is to evolve [OpenSSF security baseline](https://github.com/ossf/tac/blob/a90b9838739ac18df43197fdd89f045c1a1e4dc3/process/security_baseline.md) for Linux Foundation wide adoption. +For OpenSSF adoption of the security baseline, there needs to be a home for tracking the adoption, for maintainers to raise issues to achieve the objectives of the baseline, and for OpenSSF to develop the roadmap for refining the baseline and future roadmaps. The pilot adoption builds the foundation for wider adoption of the baseline in OpenSSF and in Linux Foundation. + This SIG creates a venue for other participating foundations to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects. The group will define the right level of risks that the baseline is applicable for, the effectiveness measurement of the baseline, and the adoption path of the baseline at the minimum. -Members of this group will be from various Linux foundations and entities outside of Linux FOundation. Reducing duplicate effort and achieving a higher level of security across Linux FOundation participating foundations is the starting focus of this group. +Members of this group will be from various Linux foundations and entities outside of Linux Foundation. Reducing duplicate effort and achieving a higher level of security across Linux FOundation participating foundations is one of the goal of the group. + ### List SIG Lead(s) The SIG must have a minimum of 1 Lead From dad64c843b0fb05b61208f81cbff0e26897f0b3f Mon Sep 17 00:00:00 2001 From: Arnaud J Le Hors Date: Sat, 13 Jul 2024 13:28:31 +0200 Subject: [PATCH 4/5] Update process/sig-lifecycle-documents/security_baseline_sandbox_stage.md Signed-off-by: Arnaud J Le Hors --- .../sig-lifecycle-documents/security_baseline_sandbox_stage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
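Review bot: the rewritten paragraph in this hunk changes `is the starting focus` to `is one of the goal of the group`, which should be `one of the goals`, and still carries `Linux FOundation` from the previous commit. The new first paragraph ends with "develop the roadmap for refining the baseline and future roadmaps", which is circular; "develop the roadmap for refining the baseline" says the same thing. Since the paragraph argues that adoption needs "a home for tracking", it would help to name that home (a repository or issue tracker), which would also give the still-empty Repo row in the References table something to point at. The hunk also adds a stray blank line before `### List SIG Lead(s)`, leaving two in a row.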
diff --git a/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md b/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md index 5df42c52..5f4741e0 100644 --- a/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md +++ b/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md @@ -27,7 +27,7 @@ The SIG have a minimum of 3 members with 2 different organizational affiliations SIGs may report to an existing OpenSSF Working Group or directly to the TAC as their governing body. The SIG commits to providing the governing body quarterly updates on progress. * Security Best Practices Working Group -CRob and Dana Wang had conversations about this inititve. CRob has agreed to be the sponsor of this SIG and welcome the group to join Security Best Practices Working Group. +CRob and Dana Wang had conversations about this initiative. CRob has agreed to be the sponsor of this SIG and welcome the group to join Security Best Practices Working Group. ### SIG References The SIG should provide a list of existing resources with links to the repository, and if available, website, a roadmap, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the SIG. From 05ff0edbe29a5e9f0792e87fad90668d3114e8ee Mon Sep 17 00:00:00 2001 From: Dana Wang Date: Mon, 15 Jul 2024 13:34:46 -0500 Subject: [PATCH 5/5] Update security_baseline_sandbox_stage.md goals added more detailed based on discussion with GUAC maintainers to expand the goals of the SIG. Signed-off-by: Dana Wang --- .../security_baseline_sandbox_stage.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md b/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md index 5f4741e0..7f252c63 100644 --- a/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md +++ b/process/sig-lifecycle-documents/security_baseline_sandbox_stage.md 
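Review bot: this hunk fixes `inititve` but leaves the other defects on the same line in place: `welcome the group` should be `welcomed the group`, and the paragraph still follows the `* Security Best Practices Working Group` bullet without a blank line, so it continues to render as part of the list item. Worth folding those into the same one-line fix.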
@@ -4,11 +4,11 @@ The goal of this SIG is to evolve [OpenSSF security baseline](https://github.com/ossf/tac/blob/a90b9838739ac18df43197fdd89f045c1a1e4dc3/process/security_baseline.md) for Linux Foundation wide adoption. -For OpenSSF adoption of the security baseline, there needs to be a home for tracking the adoption, for maintainers to raise issues to achieve the objectives of the baseline, and for OpenSSF to develop the roadmap for refining the baseline and future roadmaps. The pilot adoption builds the foundation for wider adoption of the baseline in OpenSSF and in Linux Foundation. +For OpenSSF adoption of the security baseline, there needs to be a home for tracking the adoption, for maintainers to raise issues to refine the security baseline, merge the baseline back to TAC lifecycle, and for OpenSSF to develop the roadmap for the security baseline. It will provide a venue for early adopters to share their reusable code and findings with other maintainers. The pilot adoption builds the foundation for wider adoption of the security baseline in OpenSSF and in Linux Foundation. -This SIG creates a venue for other participating foundations to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects. The group will define the right level of risks that the baseline is applicable for, the effectiveness measurement of the baseline, and the adoption path of the baseline at the minimum. +This SIG creates a venue for other participating foundations to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects. The group will define the right level of risks that the security baseline is applicable for, the effectiveness measurement of the security baseline, and the adoption path of the security baseline at the minimum. -Members of this group will be from various Linux foundations and entities outside of Linux Foundation. 
Reducing duplicate effort and achieving a higher level of security across Linux FOundation participating foundations is one of the goal of the group. +Members of this group will be from various Linux foundations and entities outside of Linux Foundation. Reducing duplicate effort and achieving a higher level of security across Linux FOundation participating foundations is one of the goals of the group. ### List SIG Lead(s)
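Review bot: the rewritten first paragraph in this hunk lists "raise issues to refine the security baseline, merge the baseline back to TAC lifecycle, and for OpenSSF to develop the roadmap", which mixes two grammatical subjects in one list and leaves "merge the baseline back to TAC lifecycle" unexplained; split it into parallel clauses and state what is merged into which TAC document (the baseline link at the top of the file points into the TAC process directory, so a link to the lifecycle document it is meant to feed would settle it). The same paragraph says early adopters will "share their reusable code and findings with other maintainers" without saying where, which again points back at the empty Repo row. This is also the third commit in the series to leave `Linux FOundation` uncorrected in the last paragraph while fixing the adjacent `one of the goals`.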