Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / Diagrammers Society / 23 Mar 2023
OpenSSF / Diagrammers Society / 23 Mar 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: OpenSSF Diagrammers Society (March 23, 2023)

Description

Meeting minutes: https://docs.google.com/document/d/14i9v7WuQcLzWpvLe9B0sl-kf90JLwxNwrZkRXLWmEdQ/edit#heading=h.9m0zi4b0wnne

A

Hello, everybody I posted a link to our agenda in the zoom chat. If you would like to mark your attendance, if you have any items to discuss today, please add those under the opens. We'll get started in a few minutes.

A

All right do I have anyone that is interested in helping us take notes. Today.

A

Okey-Doke I'll do my best to talk and type, but I would appreciate anyone's assistance to collaborate on those notes. Do we have any new friends today that wanted to say hello and introduce themselves to the group.

B

uh Now I'm Victor I'm not really new to the community, but first time joining this call. The reason is: I've been watching this. The video on YouTube um one thing I liked, if possible, um I know that this diagram is not finalized, yet I think it'd be great to still go over it. um You know just just like, like a short presentation, just a couple minutes this way when I watch the video online I know what's going on latest. uh You know information about that, but the diagram.

A

Sure we certainly can do that one and welcome. Thank you.

C

Hey it's um sanket I'm new to the community, so I'm just listening and um attending various meetings and just just thinking observing trying to learn.

D

Great.

A

All.

D

Right.

A

Does anyone have any topics to discuss today? If not uh David gave me some homework that we can uh take a look at.

A

All right, he is interested in a presentation, ready diagram and has provided us a Google doc with which to collaborate together. On give me a minute and I will.

A

Throw that out there.

A

Foreign.

A

Can everybody see my screen with the diagram.

A

All right, so this is an update. We did based off of the CI CD version, two uh graphic that is in our git repo and what we did is we took a CI, CD, workflow and overlaid the assorted projects of the foundation across the different pieces, and we've shared this with a couple: different communities, and so far this has gotten us uh very good response. I see I gotta tidy up a couple things like space, basic alignment; oops, that's not what I wanted to do.

A

um It's got to tidy up some alignment, but, aside from that, this is what our most recent uh collaboration looked like. So does anyone have any uh thoughts or comments on this particular style of illustrating the foundation.

B

Yeah I think this is. This is very good uh just if I need to take this slide and and explain to someone else in one or two minutes, how should I go through the content uh either getting that flow.

A

Well, that is something we have not uh strategized on, yet the actual execution of uh delivering it. um You might have seen we did a town hall uh last week and uh David wheeler shared this and kind of briefly walked through it, but we have not yet kind of uh had a chance to regroup to talk about kind of what next steps might be, how you know, potentially writing a script or speaker notes, but the idea is that we would have this slide available as a resource that anybody could utilize and drop into a presentation.

A

Yeah, let's see if I have the ability to edit things or not.

A

It's a little squirrely.

A

Any other uh plots um do we want to maybe think about writing that script. Kind of giving some outline of how somebody might take this and describe the uh interesting story of the uh Foundation.

A

All right, uh as always, you are able to uh make comments or have a conversation in our slack Channel or on our mailing list. uh We also can open up issues and PR's. If there's things we need more involved conversation on, we want to make sure we get documented.

A

Does anyone have any other suggestions of alternate ways? We might be able to share this story.

B

Matt is this close to being finalized, or is it still being is still going to be dynamic? I know from I believe I've watched last week's.

C

Meeting and.

B

It was said that a student needs to be verified by each individual group right.

A

I need volunteers to go to each of these working groups and validate with those teams. Is this an accurate representation of their work and their kind of placement on the Spectrum so that that has not been done yet? So this is not the final.

B

I know David already gave that presentation, I.

E

Think David wheeler yeah yeah.

B

Yeah I think he gave the um presentation about this slide in the town hall. um So do you mind maybe going through now and probably just just by doing that over and over again probably can automatically get a script ready just how to talk about this slide.

A

Certainly uh before we do that Matt did you have a question.

E

Oh no I was making it earlier on. I was making I was going to make an observation, um so very happy that this turned out. You know always been supportive of the CI CD View um I just want to let you know that I I did create my own view of this and I super. Basically, what I did was I superimposed, some salsa considerations and I basically divided into source and build their left side and the right side just just interesting. It was just an interesting exercise in in terms of communicating attack.

E

Vectors to you know, Salsa Salsa end users want such the same diagram, so I find that very useful. Do.

A

You have an example, you would maybe share just to kind of show us what you were thinking.

E

Well, yeah I actually presented it I'm doing this education internally in my company. um Let me see if I can do a quick share to see what shape that should. I did hold on sure yeah I'll. Stop sharing here, desktop one all right. So this is what I did for salsa.

E

Basically um so anyways I just thought it was. It was useful. I don't have the actual feedback loop of the s-bomb, as presumably the s-bomb going back, but uh yeah yeah or evidence General evidence going back so helpful, yeah.

A

Very much so and I know that the end user working group is looking at actually doing a formal uh reference architecture based off of a couple different personas, like a small software development, firm and then I'll right now, a large software development, firm and I think they were thinking about taking this CI CD or potentially documentation from salsa to start their uh assessment there, and then they wanted to threat model it, which I thought was interesting kind of see how we can break it.

E

Yeah yeah, so I was also I. Think I volunteered to take this. This career, tooling work group, so I think that actually happens next Tuesday, so I'll multitask here and put myself in the agenda for sure that'd be awesome. Thank you.

A

Cool cool and Jay says he still has a outstanding AI uh and we'll uh hopefully get some folks. So if anyone participates in any of these uh working groups, it'd be wonderful to try to get this particular thing on the docket there to start that discussion. So we can refine and make sure we have things accurately placed, as opposed to just kind of David and I, giving a semi expert guess.

A

But how this would be uh shared.

A

All right again, can you see my screen.

D

Yes, awesome.

A

So, from a high level talking about creation and curation of software, starting it's a never-ending Circle, but starting with a developer, we have many different uh projects, special interest groups and initiatives within the foundation that are directly useful to developers. Things like our secure coding, fundamentals, class tool, Hands-On lab tools like the security knowledge framework, but we also have ways uh things around uh developers being able to get machine, readable, common requirements through tools like cre.

A

We also have more prescriptive guidance where we have several concise guides and best practices, documents that are available for developers to kind of understand how to not only create more secure code, but also how to select a little bit more secure code.

A

Then, after the developer, starts their journey and creates some software and move over to the source box, and that's where things like the great MFA distribution where we went through and gave away, multi-factor tokens to developers to help try to prevent account and identity takeover attacks. That's where things like that come into effect, but then also as we have source code, we can use tools like the developer, best practices badge to actually demonstrate.

A

These are the good practices, this project exhibits and get an electronic badge, so they can brag a little bit and kind of show the quality of their work and then, as we move from source to build, we feel that there's an awesome tool called the scorecard and the openssf scorecard, has many different aspects of good security and management practices that is automatically run and provides a numeric score so that any consumer of Open Source could take a look at that scorecard to understand kind of the security, qualities and practices of those projects.

A

Moving more directly into the build phase, we have a whole Sig dedicated towards security, tooling, that can help developers as they're going through the creation and build process.

A

We have relevant work with a project called All-Star which again provides some more prescriptive, automated scoring of code as it's going through a build pipeline, and then we have Frameworks like something like a salsa where that and during the build phase, helps you understand how software is built and managed, and ultimately As you move into the packaging phase. Things like Fresca apply just different Frameworks and standards that are relevant to these different phases of the pipeline.

A

uh We also have, as you get to the packaging phase and you're ready to sign, uh digitally sign your artifacts. We have a project called Sig store that allows to uh for a statement on you on this day. This developer signed this code and it has been untampered with, and it's in a kind of block stain, shot, Block Chain style repository that anyone can view publicly and kind of understand a little bit more pedigree and provenance information of that package.

A

Then thinking about the consumer end, we have Frameworks like S2 c2f, which is a supply chain framework for consumers of Open Source, but we also have things like a taxonomy for so consumers can understand how Supply chains can be attacked and also we're developing a reference architecture around that. So again, consumers can understand how they can apply. Some of this tooling across the foundation um hopping back to the build phase quickly under dependencies.

A

We have projects things like s-bomb everywhere, where we're looking to help, understand and inventory all the different uh open source tools that help provide s-bomb manifest information. We also have tools like open sort, the OSS fuzzing project.

A

We have uh different assortment scanning tools that can be run on these dependencies, so you understand you're, bringing in quality packages into your build environment, and then we also have uh projects like the secure and critical projects working group where they have a list of you know the top uh 200-ish open source projects and um providing some assertations some assertions around how those how those projects are being maintained and developed, and so we can help Focus resources on it.

A

So, ideally, things on that critical list are getting attention through projects like Alpha and Omega or through they're, benefiting from the work of like scorecards, so that you can make sure that as you're pulling dependencies into your build pipeline, that you're getting quality and secured materials.

A

We also have assorted projects within the foundation where we can help uh developer choose packages. You know providing them information around different insights around that particular project. We also have a we're developing a risk dashboard again as we're a value. Is the developers evaluating those dependencies they'll have the ability to have kind of a risk assessment on you know how frequently this packed product this package is updated and kind of what the security aspects are and what's uh give you an assessment of risk potentially of using those packages.

A

We also have a couple Tools around package feeds and Analysis, and all this information provided to the developer so that, as they are, writing and composing their application and building it they'll have all this information available to them and then kind of the tail end. The maintenance aspect of this is typically kind of vulnerability, management, vulnerability, information and we have many different initiatives within the foundation. They're focused on providing that information getting that fed into tools so that again, as developers are working through their pipeline, they'll have access to this.

A

So we have guides on how vulnerabilities are disclosed. We are have a prototype project around creating an open source security incident response team that can help provide this information and help evaluate and hopefully correct- maybe some of these dependencies in the pipe, and we also have tools like the open source, vulnerability schema, which is a kind of similar system to cve or GSD. So it's another way that a lot of projects publish vulnerability information and also leverages those other ecosystems like CV and GSD.

A

We also have oh David's, got a typo there's a group of folks working on squashing, false positives within open source scanning tools, so they have a specification and they work on that to try to help make as scanners find problems. The results are ideally more actionable and meaningful to the developer, and we also have the cve benchmarking Sig, which is working on evaluating cve data and in a nutshell, that summarizes all the different projects that are going on across the foundation So to that kind of help. Your understanding, Victor.

B

Yeah, definitely that's great uh I'm gonna go back, go back and watch the recording uh again again, so one thing I think probably will help. Maybe uh may not be even to be recorded as each individual work group might might come with a one or two person to give a presentation uh using this slide and they'll probably figure out where whether the group is part of a particular stage, for example, with the best practices right just looking at the the blue uh squares they're, not uh they're, only at the beginning.

B

So that probably means it's all related to developers open source developers. So best practices is now for a consumer which is the the the the like why S2 c2f is probably it's especially best practice for Consumer right users, um so yeah I, I think probably um because I I still don't know a lot of details. So I cannot really talk, uh but for the group um the lead they probably can when, when talking through the slide, they can probably see whether uh their their group is missing out some squares or maybe in the wrong location.

A

Yeah and then there's a a wide diversity of things going on across the foundation, and uh so, for example, there actually is a concise guide for consumers for selecting and evaluating uh open source software, and it's just uh ideally that stuff will get sussed out, as we continue to refine this, and and the ultimate goal is uh both in the uh the kind of table below and also the boxes above is that everything would be hyperlinked so that somebody could jump right into a project or working group's body of knowledge and be able to see kind of activities.

A

What's going on with the project right now,.

B

Yeah yeah: this is really really good, so for you for most people who don't really kind of contribute to the code or the in-depth knowledge, um this is actually good enough and then uh just need to be uh yeah. I guess go over over again until uh yeah just get familiar with the landscape.

A

Yeah and I think ultimately we're looking to have um my dear friend uh Gunner used to call it a walking around deck, but our dream is, we would have a a uh a presentation deck that we could very quickly uh bring out and share this information that way can be consistently shared by any member or kind of anyone within the foundation be able to kind of articulate what's going on.

A

So that's another kind of objective that eventually we'll we'll get into, but this is like kind of David's uh Alpha uh draft of what this could look like.

E

Matt yeah yeah, so I mean I enjoyed the layout so much or the past couple weeks or whatever um that I, never really, as you were talking and walking through from left to right all the things I just noted how expansive this Creator group was in terms of number of cigs yeah, uh but unless I was in a coma besides, the fuzzing and the s-bomb everywhere, Sig I haven't seen all the other cigs on and actually all the three years I've been there.

E

I haven't seen any other cigs like the, unless these are new ones, but they're not even I've, been I was in the last several meetings, but these are not even talked about or there's no status.

A

Right, um these are all represented in each of the working groups. uh Github repositories I have added in the notation of uh Sig or Project based on. If something is uh code related or a kind of documentation related and uh like we had talked about when you first shared the Mind map with us is we have a lot of inconsistencies and we need to do a significant amount of cleanup. So a further step when we go to these working groups would be validating. You know it. Is there any activity on like The, cve, Benchmark, I.

E

Mean is that something that's still violent yeah, if you can't, if you scan yeah, like I, said if you scan for the meeting now, it's going back for even a couple years, you'll see very little you'll see no mention of right.

E

A lot of these things are never cigs they're, just even before the 2.0 version of openssf they're just documents. You know a few people to threw together before we were even officially open, ssf yeah.

A

Well and again, the the designate. There are uh three things within the foundation that something can be. uh You can be a project. If you have code, you can be a Sig if you uh work on kind of process or documentation, and then they have kind of a special uh special product. Associated projects, which is kind of something outside of the general working group model.

E

The square pegs and the round holes that are available but but I think it's disingenuous to represent these things as six they've never met as an independent group so and.

A

Our definition of Sig is that this is something that could be short or long term, so it and I talking with Josh and the tooling guys. We need to basically documentation cleaned up. Are these still active things or are they retired uh archived? So we need to go through and do that work.

E

Yeah, a lot of these are just documents that you know: they've never been a separate group or sick they've, never had meeting minutes calling themselves a Sig. You know they just been. You know: markdown files.

A

The Sig was inherited through the attack PR 112, where we forced renamed everything they might have called it a project or initiative back in days of yore, but the nomenclature today would designate.

D

That, as a Sig.

A

It doesn't necessarily mean that they're active or not and that's another aspect we could definitely share. Oh.

E

That's one more about is, like we say, a Sig I want to find a calendar entry. What do these people meet and that doesn't exist? Yep yeah.

A

We should go talk to them and get them to fix their Docs yeah.

B

Yeah another thing: I noticed.

D

I.

B

Know there's some additional effort, maybe not a class or group they're like in memory. The new new group they're also like a repository.

B

They may not belong to the diagram, but it'd be great, probably have some additional sliders to mention where they belong fall in the picture.

A

um The the software repos is uh AG again. The I can't edit the document to move the box to make it more visible, but the the repos are the securing software repos is there. They only have right now, one kind of thing that they list doing uh again. This is a a starting step that there's a lot of work that needs to go through to verify the accuracy of this and get things uh cleaned up and I. Welcome everybody on the call to help us with that.

B

Okay, what I mean is uh like, for you know, um yeah. Sometimes uh it sounds like it's. The best way to to understand, which is an expert in that area, is kind of kind of in shooting, uh not helping so I feel that if there's a this helps me as a newcomer to just watch this diagram to see what's going on and and know where Things Fall um and then I can just base down this.

B

This understanding of this diagram uh go watch the corresponding YouTube videos, cool yeah, so that this will help a lot good and.

A

Like to Matt's uh comment like security tooling, uh that has essentially been transformed into the s-bomb everywhere Sig. That is almost exclusively the work that they're doing today uh and if there's value- and you know kind of keeping those artifacts uh those historic artifacts there or do we need to uh retire them. Yes, future conversations make sure that this is as accurate and useful as possible.

A

Any other uh questions, comments or feedback on the the slide here.

A

All right do we have any uh other topics we'd like to discuss today.

A

All right, friends uh with that I will give some time back. I appreciate your time and attendance and comments. Today we will meet again in two weeks and hopefully we'll have uh some updates to the diagram to get it more accurate. So thank you all and enjoy the rest of your day. All right. Thank you.

A

Foreign.