Apply to donate vuln-reach to the OpenSSF

[louislang]

We are applying to donate vuln-reach to the OpenSSF. We believe this meets the criteria for a sandbox submission. This project aims to commoditize determining whether or not a vulnerability is reachable in a given codebase.

[SecurityCRob]

Has the group been speaking with our Security Tooling WG, and that group endorses this motion? We'll want to see evidence of public meetings and minutes as the project would move over to the foundation.

[louislang]

Yes, we've been having discussions with the Security Tooling WG. This project was presented to the group on 2024-08-09 and is in the meeting notes under the bullet Phylum for static reachability project.

[steiza]

Thanks for making this pull request! In this pull request can you also add vuln-reach to the Projects table on https://github.com/ossf/tac/blob/main/README.md#projects?

Is development of this project primarily happening on https://github.com/phylum-dev/vuln-reach in the main branch, or elsewhere? There doesn't seem to be a lot of recent activity.

To be clear, recent activity isn't a requirement for becoming a sandbox project, but sometimes people think "oh, I'll donate this to the OpenSSF, and they'll figure out how to get contributors!" and I just want to make sure we're on the same page - projects are responsible for figuring out how to get community participation.

[mlieberman85]

Craig is listed as a maintainer but according to GitHub he has never contributed to the project. Can you go into more detail what he's a maintainer of?

Beyond that I do think this project is good for openssf.

[louislang]

Thanks for making this pull request! In this pull request can you also add vuln-reach to the Projects table on https://github.com/ossf/tac/blob/main/README.md#projects?

Yes, of course.

Is development of this project primarily happening on https://github.com/phylum-dev/vuln-reach in the main branch, or elsewhere? There doesn't seem to be a lot of recent activity.

We began this work some time ago as part of our proprietary product. We got it to a steady state for Javascript/Typescript, before shifting our core product focus a bit. We recently decided to open source this.

Craig is listed as a maintainer but according to GitHub he has never contributed to the project. Can you go into more detail what he's a maintainer of?

I wasn't personally involved with the initial presentation to the WG, so I'm just going with what was passed along to me. As I understand it, Craig was interested in supporting the project. I will follow up with our team to get a better understanding on this specifically.

[ware]

I wasn't personally involved with the initial presentation to the WG, so I'm just going with what was passed along to me. As I understand it, Craig was interested in supporting the project. I will follow up with our team to get a better understanding on this specifically.

I think there are two things being conflated here. Let's break them up.

1. @craigmcl volunteered to be the ST:WG sponsor. There were some further discussions that were supposed to take place between Craig and Aaron Bray but don't know if they took place. If Craig is unable to be that sponsor, I will go ahead and be the sponsor so I don't think this is a hangup.
2. I don't know that Craig has signed up to be a maintainer but invite him to clarify. I'm not sure it meets the spirit of the Sandbox Entry Requirements to list someone as a maintainer that has not made any contributions though I invite TAC comment.

[SecurityCRob]

I wasn't personally involved with the initial presentation to the WG, so I'm just going with what was passed along to me. As I understand it, Craig was interested in supporting the project. I will follow up with our team to get a better understanding on this specifically.

I think there are two things being conflated here. Let's break them up.

1. @craigmcl volunteered to be the ST:WG sponsor. There were some further discussions that were supposed to take place between Craig and Aaron Bray but don't know if they took place. If Craig is unable to be that sponsor, I will go ahead and be the sponsor so I don't think this is a hangup.
2. I don't know that Craig has signed up to be a maintainer but invite him to clarify. I'm not sure it meets the spirit of the Sandbox Entry Requirements to list someone as a maintainer that has not made any contributions though I invite TAC comment.

Thanks Ryan. Re: #2 correct. We want to ensure that as projects develop and grow that they have a thriving community around to support them (hence the desire to house them within a like-minded/focused working group). Having multiple maintainers is critical to the long-term viability of a project as it allows for things like code reviewing, dual-control, etc., and helps share the ongoing burden that maintenance and community engagement. We also prefer those maintainers to be from different organizations to help weather any challenges that could arise from organizational changes that impact the maintainer (that in fact is a requirement at higher levels within the TI lifecycle).

[sevansdell]

Please identify additional maintainers based on comments about engagement from Craig at Stacklock. Are there any blockers the TAC can provide in helping you navigate this?

[marcelamelara]

+1 To needing to address the diverse maintainership requirement.

@louislang Some ideas to potentially engage some more folks from the community: 1) put out a call for contributors in the OpenSSF Slack channels (#general,#wg-security-tooling and #wg-dei might be good options), 2) give an updated presentation at the ST:WG or other WGs for the added visibility.