Add Alpha-Omega Q4 Update #410
Conversation
Signed-off-by: Michael Scovetta <[email protected]>
|
|
||
| Some key opportunities to engage: | ||
|
|
||
| * Our next monthly report is due out around July 5th. |
There was a problem hiding this comment.
It's hard to follow the timeline in this section. It's unclear if this is part of a previous update that wasn't merged or if this section is incorrect.
There was a problem hiding this comment.
Sorry @mlieberman85, copy-paste error from Q2, fixed.
Signed-off-by: Michael Scovetta <[email protected]>
marcelamelara
added
the
TI Update
There was a problem hiding this comment.
Thanks so much for the update @scovetta ! I left a couple of discussion questions :)
| discussing next steps, and will share details when we're able to. | ||
|
|
||
| * **Engagement**: We recently expanded our engagement with Node.js to cover OpenJS, started an engagement with | ||
| Trail of Bits of improve PyPI's project-level lifecycle functionality, and kicked off a new type of engagement ("Beach Cleaning") |
There was a problem hiding this comment.
small typo
| Trail of Bits of improve PyPI's project-level lifecycle functionality, and kicked off a new type of engagement ("Beach Cleaning") | |
| Trail of Bits to improve PyPI's project-level lifecycle functionality, and kicked off a new type of engagement ("Beach Cleaning") |
| |**O2: The top 10,000 open source projects are free of critical security vulnerabilities**|| | ||
| |KR 2.1: Drive adoption of key security processes, including static analysis, credential scanning, the use of private vulnerability disclosures, structured metadata (Security Insights) and the use of multi-factor authentication by maintainers of 500 critical projects from the top 10,000 by the end of 2024.|Not Started| | ||
| |KR 2.2: Independently scan, triage, and notify maintainers when critical vulnerabilities are found in 2,000 projects, chosen from the top 10,000 by the end of June 2024, with emphasis on clearing a "section of the beach" by focusing on the top PyPI packages.|On target| | ||
| |KR 2.3: Publish in a machine readable format the attestations for all packages from 2.2 that returned no vulnerabilities and those that found vulnerabilities which were subsequently fixed and verified.|On target| |
There was a problem hiding this comment.
This is more out of curiosity: What's the format you're using for these attestations? Is it in-toto, or some other format?
|
|
||
| ## Additional Information | ||
|
|
||
| Here's a selection of recent news and blogs referring to Alpha-Omega's work and impact: |
There was a problem hiding this comment.
I really appreciate this list!
| We'll be at the Linux Foundation Member Summit next week, sponsoring a Happy Hour for OpenSSF Governing Board and TAC | ||
| on 11/17 from 5-6 PM at the Mansion Bar & Terrace (at the Silverado Resort). We hope to see you there. | ||
|
|
||
| We continue to hold monthly public meetings (on the OpenSSF community calendar). |
There was a problem hiding this comment.
How well attended are these meetings, i.e., how many folks beyond the core team attend regularly?
| We've received $5M in funding in 2024 and are on target to spend over $6M by the end of the year. | ||
|
|
||
|
|
||
| ### Up Next |
There was a problem hiding this comment.
Were there any actionable next steps coming out of the roundtable in Vienna? If yes, I think it'd be great to note those here.
No description provided.