Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / TAC / 13 Jun 2023
OpenSSF / TAC / 13 Jun 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: OpenSSF TAC (June 13, 2023)

Description

Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0

https://github.com/ossf/tac

A

Foreign.

B

Folks,.

B

I'm going to be off camera and off keyboard today, as I'm getting ready for a keynote yeah happy to still be able to participate.

A

Hello.

C

Foreign.

C

We have more lfers than others, oh well, that changed.

D

Spoke too soon.

C

Everyone could Mark your attendance that would be super groovy, we'll wait. A few minutes to gather attack, Quorum and we'll get started.

E

Thank.

A

You.

C

Yes, two exciting presentations today and then a full docket of other items to talk about.

C

We have four of our seven Tech members here. Is that correct? Am I counting correctly.

C

Right so I believe we have Quorum uh can I ask. Is there a volunteer to help us take notes today, a very vital role for the foundation, our members there's Mr coway, look at that. We have five.

C

So if we have a volunteer that would help us scribe.

F

Yeah I'll give it a bash awesome.

C

Thank you, Jacques I appreciate that.

C

uh All right well, folks, we will get started. Welcome to the June 13th edition of the open, ssf's technical advisory committee call. uh We do have Quorum today with five members present. So far, uh a quick uh question for the tack. We had an email from our friends over in the supply chain, Integrity working group and they have put together a fancy document outlining their 2023 desired priorities and direction.

C

So I was curious. Would we like to invite them in to like the next call to talk about that? Or do we want to extend their time? They are already slated to come in and do a working group report. We could just extend their time. So what does the attack prefer around? That.

C

Don't everybody talk at once.

G

I would say just extend their time.

C

Any other thoughts.

H

I.

B

Have no strong preference either way.

C

Awesome all right well, I will I'll extend their time as they come in and I will let those folks know they have a really nice documents. So I would encourage the tech to review that ahead of time. So we can have a very fruitful conversation on the 11th.

C

All right today we have two groups presenting giving us an update of status, uh the identifying security threats, I, see Mr scovetta here and then we have securing critical projects with Amir and, let's see if Jeff was on so great uh gentleman, Mr scovato, why don't you uh take it away? Your first authors, Jeff.

I

Sounds good um I thought I was second so, but we're just gonna make this work uh so hi everybody maximum um I, uh Jennifer fernick, is listed as a CO -lead. uh She hasn't been involved in the working group in a very long time. She's awesome I would love to have her back, but um I'm not sure where that source is coming from. So as a takeaway, we should update that Source uh so identifying security threats um uh again.

I

Our our mission is to give uh stakeholders informed confidence in the security of the open source uh in the ecosystem by collecting data and providing it back out. um uh We're an active working group. We meet twice a month eight to ten people. Each month we do have multiple active projects going on the metrics dashboard is the one that uh is currently moving the fastest uh with uh with separate meetings each week um going on led by Jay.

I

uh So with that uh the purpose metrics dashboard is to replace and be better than the proof of concept. One that's been out there for um an embarrassingly long long time, uh but this metrics.open ssf.org um purposes to provide enough information to Consumers of Open Source so that they understand you know what they're getting into uh both developers: engineering teams who need to aggregate the stuff and Engineering Management. That wants to look at an org level view. uh So, as I mentioned, Jay and a bunch of others are are working on this actively.

I

uh There is code. There is a some front end work. They are scheduled to demo uh later next I thought it was this month, but it's either, but it's probably July at this point uh where we will see a demo um and um we don't actually need help at this time. But at some point there will be a funding question because collecting all this data is more than than a trivial amount of um compute needed.

I

um So there's active discussions going on with LFX and other things to figure out. uh What's what's going on there so more to come? There.

I

Rights risk and threats, risks and mitigations. This is the paper that we wrote back in 2020 I, believe um the world has changed slightly since 2020, so we're thinking about whether or not we should update this Luigi's kind of taking the um taking the reins on this.

I

um If we do a major revision, it would be really nice to have it all branded nice and and pretty as um as open ssf so having creative Services uh do their thing and publish this out as kind of a you know, a major kind of kind of rev I think makes sense. uh It is still pretty cited.

I

um You know in terms of a comprehensive view of like what are all the things that you need to worry about. um You know from like fundamentals.

I

Security insights is a machine, readable spec for communicating security metadata, for example. um This project is uh bug fixes, and you know critical patches. Only um I do static analysis myself, but there's nothing in the repo to indicate it. We've done a threat model here is a link to it. Things that, like security, scorecards, wouldn't be able to figure out easily automatically.

I

um So it's intended to supplement that uh Jeff your hand is up.

J

uh Thank you uh just uh on the prior slide. You mentioned the paper and um sorry for the delay, but the follow-up question I had on that is that uh what is the plan to get the paper more noticed or promoted and or more um broadly distributed, because one of the things I think we're continuing to struggle with? Is not just your working group or this uh organization, but the open ssf at overall and security? It's a common problem right, it's like if tree falls in the forest and no one's there.

J

Yep um education is the thing that I think will do the most to move the needle.

I

I I think I'm. So to answer a question like if we like go down the path of like updating it, she'll probably take a couple months to to get it in. uh You know: 2023 2024 shape uh and creative services. Does it does its thing and makes it all all pretty nice having you know?

I

Obviously, like the blog, you know, the open, ssf blog is a reasonable way of getting things out, but I think there's a more fundamental problem, which is that, like every day, there are there's like people jockeying for attention for like new security things and like this, this paper in particular I'm, not sure, is something that a million people need to read in order to be successful.

I

This is a you know for folks that are thinking about this problem level, setting them and making sure that they have a comprehensive understanding of the landscape means that they make better decisions. So really the audience is actually us, so I would count it as a win.

I

If you know everybody who is, let's say, making decisions or meaningfully like invested in in openssf peruse the paper um if we get if we get stuff, you know, readers outside I think that that is amazing, um but I wouldn't count that, as the the only sign of success Ava.

A

Thank you. Thank you.

B

Jeff's question I would imagine that the audience for this includes um everyone who leads a security related effort in other foundations, uh folks who maintain hack repositories like Pi, Pi and npm, and a lot of large project maintainers again outside of our immediate Inner Circle of the open, ssf maintainers Wow have I missed something because it seems like you're saying that's, not the audience. No.

I

No, no, no sorry, I'm, sorry, I'm getting a pekko um I, don't think that, like individual project, obviously I think it's well, I wrote it so I think it's like an amazing paper, but uh I I think that um um individual maintainers I think are going to get less from it than folks that are responsible for either broadly the security of an ecosystem or want to see the full left to right, View or so so. Yet, yes and certain maintainers at large projects or foundations or Like Us in other.

I

You know in parts of government or whatever uh totally makes sense. I think there are probably dozens to hundreds of those people around and I would love it for them to get value out of the paper.

I

um I'm, not sure that a broad um they're not pushing back like we want to make it make it a broad thing, with lots of readers. That's wonderful, um but but I think that the um having a more targeted audience maybe and I mean we just need to think about I. Think about that that hard yeah.

B

When this comes back up, you're asking for um creative support, I would also want to push this in front of marketing and Outreach to figure out not how to get in front of a million eyes, but how to get in front of the right thousand dollar bills.

I

Yeah that sounds awesome. We'll do we'll do great, hey.

A

Security.

I

Insights, um so again, so so this is a spec. It's a yaml, spec uh Luigi leaves this work. um As I said, you know, I I, do these things out of band that you can't discover just from looking at my repo, but they are security relevant.

I

um So this has been out there for a while it has had a ton of uptake, particularly in openssf. So we really would like us to like Doug through this ourselves, um and um you know push for this. You know either as an org level security policy where this gets pushed down to repos uh or just um pull requests and actually gather like you know, you know feedback, and if this, if this provides value, if it doesn't provide value, we'd like to know either way, um uh silence is kind of the the worst.

I

um So that's where that one's going uh Security reviews this has been out there for a couple years. This is a repo of Security reviews uh conducted against open source packages, so you know things that we've done things that other organizations have done. Usually we just link to it, uh but it's intended to be a One-Stop shop of you know. Hey does anybody know anything about npm left pad? Oh here's, a review, you know, Joe did it and here's what he said.

I

It doesn't there's a whole bunch of like hand, wavy caveats on, like you know, there's no guarantees and things like that. um We're looking to see what you know, it's already integrated into the current um proof of concept. Dashboard uh we probably want to do. You know continue that that integration for the new one uh one alpha omega as we scan and review things. We would like to somehow get that into here.

I

We're trying to think about what makes sense there um and- uh and we actually just want it to be used more because we think it's a valuable resource. um We don't need any particular help from Tac at this point. It's just uh uh just the amount of energy units we have in moving things forward and um it's a little slow going at this point.

I

uh I think it's the last one disclosure check is a tool that we wrote for uh to help AO and we I'm, like I, wrote it so I'm not even sure what what Circle I'm I'm in right now. But um the purpose of this is to identify the best way to privately disclose the vulnerability to a to a to a package: maintainer meaning it'll parse Out, Security, MD, it'll, look for like emails and commits or package metadata or Tide, lift or like whatever it can.

I

It can find and gives you a ranked list of you know here's the best way to to report it privately. The purpose is for AO to use this when we are uh doing automated um disclosure to find the top top ways of reporting and doing it. That way um we have a little bit of cleanup stuff. This is moved into the ossf uh Slash disclosure Dash check, repo um bug fixes better docs uh I. Do this one I do I would like to get.

I

um uh You know, get a blog post um out, because I think this is a good General use tool that anybody can use anybody doing the stuff at scale or even not at scale um could benefit by this, uh but I do plan to hone this in AO as opposed to the working group.

I

So I probably won't come back here for this working group to talk about this, um and but if there's anyone that uh would knows anyone that would like to maintain this like this is, like you know, kind of a an interesting tool that I would think someone would would like to drive. uh But if, if not, we will, we will continue ourselves.

I

uh Sorry, one more slide.

C

And we are past time, if you could damn.

I

It okay, I'm gonna, skip this one, because this is really more AO. The only question I have for TAC are there things that we should be thinking about that we are not. If so, please engage. We really would like feedback from outside of our working group to see the things that are uh important to us. Thank you all very much appreciate your time.

C

As folks have questions, please uh type them into the chat, we'll try to address them there and in the meeting notes and uh let's move on to Amir with his presentation.

E

Oh, thank you. Everybody and I just want to thank Jeff for also being here today to present to you, um I think I will share my screen. Then I I did receive that um the June 2023 attack update um slideshow, um so I will go ahead and share that one.

A

Up.

E

um I have to do this first.

E

The best and.

A

um

A

We'll make this gold.

E

I need to hide this.

F

You had slideshow it'll go full screen there, you go. Okay, thank.

E

You.

F

uh That button on the top right all.

A

Right.

E

Okay, sorry about that, okay, um so I'll start us off with our new updates. um So we're really excited to announce that, after a couple months of curation discussion um within the working group, uh we did finish our second iteration of the set of identified critical projects. We have a link to the Roth document there very uh happy about that.

E

Thank you to everyone who participated in the many Lively discussions we had about this, so um very excited to share that with you all next steps on that are to prepare the step for publishing or to announce in some way to promote this. uh This that uh that we came up with um as well as developing a system for accepting feedback and suggestions.

E

So this will tie into our ask of the attack as well in in in thinking about how to go about this, because we do want to be a very Community Driven Community curated process. So it's not just, for example, Jeff and myself. You know populating uh or identifying sets of critical projects.

E

It's a more of a Community Driven effort um and another new update um from Associated efforts, um ostiff open source technology Improvement fund uh last month um and in late April, um published results or three security audits of simple Json, lib cap, MC Aries, and these were funded or sponsored by Amazon web services.

E

So thank you very much to them. For that.

E

um Yeah, so with the set of critical projects, um you know this came up a number of times throughout the exercise of getting to a v1.1 and iterating on that first set that we had of you know what is the purpose of this? You know why. Why do we care about this, then um I think it. It came up in a number of times, as we were doing it, um so we thought to kind of help um to be more efficient, um just kind of writing down what we thought.

E

The purpose of this, or we think the purpose of this set of critical projects is feedback on this.

E

The wording and the messaging is certainly welcome from the attack and everyone else, um and then yes, current status, the finished uh version 1.1 um and then next, as a as I mentioned in the last slide, preparing for for announcing and Publishing that, um as well as developing and implementing a system for accepting feedback and suggestions um which brings me into the you know what help we could uh use from the talk is just any thoughts or Insight on how to best curate and further Analyze This set, as I mentioned.

E

We would like to do it in a way that obviously require that that does require a manual element um that requires a Community, Driven curation element, but also in a way where, again, it doesn't just fall on, for example, Jeff and myself to um to come up with critical projects to uh to recommend for for the work. So if any thoughts immediately come up um uh some contexts, we have talked about and I think we even have some preliminary work done.

E

I know Randall's been working on it of doing certain of of porting this really to GitHub and using GitHub either or to do that kind of curation piece and that nomination piece and then the feedback piece, but.

A

Yeah any.

E

Thoughts on um from the attack would be would be greatly appreciated here. If there are other things that we can maybe draw from. You know other types of similar structured efforts where we can maybe draw from influence from that would be. That would be very helpful.

E

um Okay, so next I will pass it on to Jeff for All-Star updates.

D

um Yeah, so no major updates with All-Star just um fixing bugs with production, adding features. You know um cutting releases that kind of stuff uh it is. This is a tool for administering GitHub organizations.

D

um So I noticed that there's been some recent efforts on. You know: formalizing the administration of the open, ssf org. So if there's any help that we could do on automation there, uh let us know happy to chat next slide.

D

uh Criticality score same thing, kind of more more development B2 and then you know struggling with GitHub uh rate limits there uh and yeah. It's criticality score continues to be a like very useful metric for us when we determine the critical projects next slide and then package analysis uh is no updates here, but we wanted to include a slide.

D

Make sure that you all know all of our projects uh continue on yeah, so jumping back on the you know, wrapping up the update um again well yeah, so one that we've covered is thoughts on like how to how to you know how to do the the set, um but the main another thing that we saw when we were doing a lot of the work on the set.

D

Is um you know we we come and meet uh twice a week, I mean sorry twice a month and um a lot of the the members kind of don't know how we fit into the rest of the open ssf. So they really want to see. How is this being used?

D

You know, I I come up with there's Alpha Omega, there's the thing that we did a couple years ago with uh the great MFA project, um but we want you know our our community members want to also see how how it fits in with the greater open ssf.

D

um So we're looking to do. We have some ideas ourselves of doing like a road show now that we have a new version for all the other working groups. Just you know say here: it is. How can this help you out, um but if there's any kind of uh communication that can help with on letting everybody know that we do have like if, if they're hearing something about somebody's doing, you know wants to Target the top projects.

D

Let them know that we've got this Set uh and that we can use it and that you know connects the dots there so that we can get any new requirements or feedback on the set to help us with the next iteration uh talk to me or anything. You want to add there.

E

um No I, don't believe so yeah that that really is kind of the the main thing is um yeah I think you brought up a great point of how it fits with with other efforts how it can be used.

E

um um I I know for for a fact that you know we can use this uh data for uh determining which projects could use. You know third-party help, uh independent um security audit stuff like that um and then, as well as the thought on, essentially continue how to best manage and curate this set, because um you know it because I I think that was that ties into kind of the the issue itself is that you know, because this can be used in a lot of ways.

E

um You know I, think that should be factored into how we kind of manage and curate this uh this set, so I would definitely love some feedback. There.

C

We'll have a few moments for questions. Does anyone have anything for Jeff or Amir.

G

Zach.

K

uh Yes, I was thinking, but we we've also been talking about the marketing, and uh you know the open, ssf looking for uh blog posts. That could be a really good way to get the word out about um this list of critical projects and engage people both inside and outside of the open ssf.

C

Or no.

H

Yeah uh first I'm all for.

C

You.

H

Know eating your own dog food so, following up to what Michael was saying earlier as well, I think we should definitely try to leverage those tools for ourselves and show Best in Class, because otherwise you know, if we don't live by All gospel, then it's kind of weakens all the whole premise, but uh on the on the set of critical projects, I wanted to know, have you guys reached out to all these different projects? Maintainers?

H

Do they know that they're on this list, because it was part of the MFA distribution project and I, was baffled that you know when I reached out to some of these people they're like what I'm on what to at least.

A

And.

H

It was a bit embarrassing.

D

Yeah uh yeah, we make the list and then again like we, we don't say like what to do with it. It's it's. This is, you know to fuel other efforts.

E

Yeah.

A

And yeah we haven't.

E

Yeah we haven't yeah as part of this. There hasn't been an element to actually contact the project. Maintainers um I could definitely see that as a maybe a potential logical, Next Step, um but as far as what we've currently done, yeah, it's been about more um being able to justify the uh the the the projects themselves to to Warrant being on this set of projects.

E

Is it currently stands, um it's just been more about um getting people or getting uh projects identified. uh David E.

L

Yeah, exactly again, you know been participating on this with uh mirror and Jeff and Jacques, and so you know thanks very much and David wheeler and many others who've. You know come in various times, so so thanks very much for this great work in creating this, the set I mean exactly I know, as you were, uh you know asking about. You know. One of the issues is that we've created this and it's it's. You know it's been.

L

The the initial list of projects was proposed in multiple different ways. I mean some of this was individuals nominating some of this was sort of semi-automated and looking for large numbers of uh you know stars and projects and GitHub. So there's been a lot of different ways in which we've tried to get that initial list, which is uh somewhat arbitrary against this list of group of people that have been uh that they mentioned that.

L

Are you know on this list asking about you know trying trying to fathom humanly about you know what are the critical projects and in some consistent way, but exactly as I may mentioned this. The question is: how do we take this information and include this in a broader pipeline for open ssf and make this consistent and okay? We have this list and not and I completely agree with you. I know publicizing it, but additionally, to publicizing to these teams. Part of it could be publicized it, but we don't have. You know other than okay.

L

We created this list and it's a list. We as the securing critical projects and as the open ssf in general attack, don't have a broader Arc or story about what this information is going to be used for. So yes, we can go to a project and say you're on the list is like okay, you know that, and you know five dollars will get you a lot to add Starbucks, or maybe it's 10 now or whatever it was like. Okay, so look you're on the list. Congratulations next, so I mean part of this question.

L

I mean I. Think that we're brought up is okay. How can we, you know with the tack, actually create a pipeline and be able to utilize this? Okay? We created this information. You know, and we've also were in coordination with Alpha Omega. They have their their 10 000 projects and maybe about uh our our group sort of owning that. But how does this speak? You know trying to create a a broader uh you know pipeline for this information, a consumer and also understanding better for this group.

L

Who are the potential Upstream consumers of this and what would be more useful? How could they consume what we've already created and what would be more useful information for them to consume? How can we better curate this list or create a a you know better, so that there's sort of a holistic sense of all these individual cigs that originally populated the open ssf, and now that we've got this this broader organization?

L

uh And how can we have a more consistent messaging and method for how Allison information is going to be consumed and utilized within the organization and the various sigs, as opposed to our creating this list, and then somebody else who needs to again Alpha Omega, you know fund organization, but they create their own lists. I mean there's right now. How is this all going to work, and so are those questions is really apropos?

L

um You know the broader questions is: how do we utilize this.

A

I.

C

Want to thank uh Amir and Jeff for coming and talking, and thank you to Michael to wrap this particular conversation up. I, see two uh outcomes, so we can directly address the ask from both groups. uh Omkar is in the is starting to kind of document what his uh vision and kind of what our kind of marching orders are going to be for the foundation in the next year.

C

So I think we definitely need to include things like the critical projects list and considering things that need to be done like at a foundation level like everyone having a security, MD, yada, yada, so um I think there's definitely opportunity for us to work and specifically I think we should make an issue either in the tech or in um you know the critical list repo.

C

uh So we don't lose track of this and start a dialogue between the attack and the team working on the list to see kind of brainstorming ideas of how we might be able to socialize. This get this better penetrated throughout the organization and kind of start to make some plans and then eventually, let's set up a call or a series of calls to uh start to formulate the plan to take action on how we can start to leverage this great work again. Thank you to our speakers today. I really appreciate that.

C

uh Let us thank you so much.

E

Yeah, thank you. Corbin. Everybody I just wanted to quickly also address uh Ava's question, um so it is currently public or open the to access this uh set of projects in terms of any external orgs relying on it today, um I, don't know of any I would say specific examples, um but I do know. For example, um us at ostiff are using data points like this to um when, when folks ask us, you know hey what projects would you or what projects should we go out and audit?

E

We can point to you, know some kind of data or not not just some kind of data, but multiple data points, and this being one of them so we're hoping at least that's kind of how I'm seeing it as well as it's not necessarily meant to be a prescriptive thing.

E

It's something that people will build, Insight off of or feed into kind of their uh their analyzes, so um yeah I, just I, don't want to take up any more time, but I do see Jacques, pandas up and then I'm uh I think I'm done with our updates. So thanks again, everyone I'm.

F

Very quickly, uh while the US government is probably not looking at it now, um this is a legislation if it gets passed, uh requires cisa to build basically the same thing and I will not be surprised if they show up and do a copy and paste to get started so indirectly, I think we'll have an impact there.

C

Actually good observation, Jack I will ask my friends from the open, ssf staff I, see I. Think it's Jennifer put a note about openssf day EU yep.

M

I did I dropped that in there. If you would like to speak at opennesssf day in Bilbao later this year, please submit uh to the cfp, that's open now, and you know let everyone know within your working groups and colleagues who might want to submit um and then I'll just mention. One other comment that we're here for you in terms of marketing com support. So whenever there's something that needs to be shared broadly or to specific audiences I'm here to support. So just let me know, and I can work with you on that.

C

Awesome any questions about EU open ssf day I encourage everyone to submit and I hear uh that the city itself is quite beautiful to visit, not that that goes into travel budgets at all. Let us move on to the issues we uh slated to talk about today. Let's talk about Tac issue, 172. uh Michael, put together a very well uh put together a thing for us to review about guac and I will yield the floor to Michael. You have about 10 minutes, sir.

N

uh Sure um so we're looking to and by we I mean the guac maintainers are looking to contribute um guac to the open ssf. If, uh if you'll have us um and uh yeah I, hopefully filled out the application uh correctly I know, there was um I know that we have some open questions about what the due diligence actually is on that front and we'll we're prepared to run through any process on that end, but I think beyond that um uh we're.

N

um You know, uh I hope we fill out the application correctly um and yeah we're interested in contributing guac. We think, um based on some conversations with both the end user group, as well as the supply chain, Integrity group and some other folks within the open, SF we've been chatting with about guac and and demoing to guac.

N

uh We believe it might be a good fit for for open, ssf and um I know at least right now, according to the governance, it's we come to here, first to sort of submit the application, and then we go to the actual individual um working groups if it fits under there. uh But we have had some conversations with the supply chain.

N

Integrity group, that did sort of say you know it sounded like there was some interest on in on that front, that if we did get accepted that they might be interested in um having us fall under there, uh so that for folks uh who are not super aware, um you know so guac is a and we've given um a couple of demos uh on it and they're all up on the um YouTube and and uh on the open, ssf YouTube, but we've been um uh developing it for about the past, uh give or take uh so it started.

N

Actually around this time. We we sat down with some folks, um a bunch of us between kusari Google, Purdue, University, City and some other folks had went and sat down um and sort of sketched out some stuff. We've been writing the code uh more or less. Since you know, uh summer of last year and um yeah, we've had a release of like a V 0.1 Beta release.

N

um Guac is sort of intended to be a knowledge graph of where we ingest stuff, like s-bombs and osv and depths.dev, and all sorts of other metadata, salsa, attestations and all that sort of stuff uh to sort of help.

N

Give folks a better understanding of their supply chain, while also sort of still associating that data with the sort of like where it came from and that sort of stuff so that you have an idea of um you know who's, making sort of claims about the different pieces on your supply chain um and uh yeah we're it's intended to be a supply chain sort of Knowledge Graph, and uh hopefully um you know uh useful to folks from the perspective of like helping actually dive in and figure out. Okay, hey I.

N

Have all these s-bombs I have all these Souls attestations? What do I do with them? How can I build a better understanding in my supply chain? Well, we can ingest all that data and um you know I can run queries, use it as the basis for you know, policy and and all that good stuff, and so on that front as well, we've been you know, working with a lot of folks within the community, um so we have folks like from Red, Hat and and guidewire and um uh Yahoo and there's a hedge fund.

N

uh That's also been looking at it and also we have um in a couple of community meetings. There's actually a law firm that seemed interested in guac because we're also keeping track of license information and they seemed interested in. You know, taking a look at that as well.

N

So that's just the quick explanation of guac but I wanted to um open it up to questions.

C

All right, friends, I'll start off, so from your perspective, um how it feels like this would probably land in the supply chain, Integrity group um looking at the existing projects within there. How do you see guac, uh complimenting or adding value to things like salsa and S2 c2f.

N

Sure yeah, so um in a couple of ways one is so we ingest salsa metadata. So one of the things is is, um and we've we've sort of built out a couple of pocs for this as well, but we can sort of ingest salsa metadata to help sort of sort out. Whether or not you know does this, like you know, be able to hit those high level questions like does this? uh Does this package have a salsa attestation? If, yes, you know like what is the information we can glean out of that salsa attestation?

N

Did it come from? um You know, a source that we trust and so on, and then, in addition to that, you know when it comes to sort of the s2c2f stuff, so that's kind of more on the consumption end, and so we would sort of assume that, like if you're trying to do S2 c2f, you could use salsa metadata. Sorry, not you know you could use the metadata.

N

That's coming out of guac-like s-bombs, all this other stuff to help you sort of determine, like am I, doing the right things from the s2c2f standpoint, and then um you know when we look at something like uh Fresca right, you can have like the you could have like a build and that build is generating your s-bombs and salsa and and all sorts of other metadata that can then easily be ingested right into guac.

N

So.

C

That's that's kind.

N

Of how we see it, yeah.

C

I appreciate that or no.

H

So I have actually two questions. The first one is: if I understand this correctly. There is two paths to this. There is the actual piece of software. You.

M

Guys.

H

Developed but there's also an instance, that's so it's a bit similar to what we have with Sixto and what you're contributing I assume is the software part, but I wonder what happens with the instance.

N

Yeah, so um there's still discussion on what exactly that instance would look like, but there is um some folks, especially on the Google side that seem to be interested in in um and and we're interested as well as like, creating something like a public guac service um for like the top one percent or so of let's say you know, um open source packages to help folks get a better understanding of what relies on what and and stuff that kind of goes above and beyond the s-bomb.

N

uh So we're you know, there's uh some interest there to kind of create a public service on on that front, uh and it would kind of you know, be similar to something like Dev, stop, devs, OSB um and six door, and that kind of thing, but currently there's nothing that that exists. Yet right.

H

No, but that's: okay, thanks and so did my other question. We heard from Michael earlier that they're working on this dashboard to other developers that go watch out, adding a dependency that they have, that level of security. You know uh posture and, and so there seems to be some kind of connection there. There should be there is there anybody who talks about this is my.

N

Question so so no there there hasn't been, but I think uh uh uh you know great minds, think alike, I guess um you know, I I, think that you know this sort of thing when we look at also stuff, like that, the thing formerly known as Sterling tool chain and everything else. um You know there's a lot of folks who are are looking at like hey now that we are generating all this supply chain metadata. What do we do with it? How do we analyze it and how do we actually make decisions based on it?

N

And so, um if there is a dashboard on that front and that we can integrate with? That would be great, um especially if those folks are better front-end developers than us back-end folks, because uh you know it's it's a dashboard. Only a mother can love it. Yeah.

H

It's okay, we agree. There's at least you know it's worth investigating. Yes,.

N

Yes, absolutely.

H

Thanks, damn.

O

um Myers perked up when I heard about running a guac service similar to devs.dev, um one of the things that I'm have been talking to various people in openness stuff about is about data licensing and the fact that um so I would just encourage you to think about data licensing at the beginning of that project, rather than everybody else who seems to have forgotten about it and isn't interested in talking about it, but I'm interested in talking about it, yeah so I'm going to keep talking about it.

O

Data licensing is important, please think about it at the beginning. Thank you. Yes,.

N

Yes, so um on that front we are very you know. Actually that was one of the key design things in our design, doc, um both from a data licensing perspective, as well as a pii perspective. We want to not have to like get into pii sorts of situation where we're ingesting data. We also don't like from a safety perspective. We don't want to potentially be ingesting data that and and doing analysis that could give folks like unmasked Anonymous folks.

N

We don't want to do any of that as well, um and so that's definitely a key thing. That's.

O

Important for us, but I I, that's important I was also talking about the outward outward licensing so like. If you expose a data set through an API, make sure you clearly signpost what the data license is, for instance, cc0, so that people know that they can use it right, because this is becoming a problem. It's a separate issue, but it's a it's something that I'm that I've been talking to. Folks, for instance, about the scorecard API about. Oh.

K

Jack.

F

uh Related to that is the license of the incoming documents um that only just occurred to me as as a potential nightmare, uh I, I guess. One of the things in in guac, though, is the design is that it explicitly has a relatively subjective like it has a concept of the subject. Who is testing, so we can probably attach to that that this person has has granted a license.

N

Yeah and so on that front um right now we're keeping track of the source like where it came from, as well as um it's in the works to use stuff like uh you know who signed this um or what rather like, not necessarily like literally who signed it, but more just hey, there's a this is there's this key. This key signed it or this six store and it can be backed by this oidc or or whatever um I think that there's stuff on that front, that that we're um interested in in exploring a bit more.

F

You can at least just go into the details briefly, you can at least make it a condition of entry for incoming documents that they adhere to a particular license. Yes,.

N

Yes, public.

F

Instance, at least.

N

Yes, absolutely yeah and, and that I think is, is something that we're uh interesting and actually that's something that I know a bunch of different groups have begun to discuss uh it's slightly tangential to this, but real quick is just a lot of folks are starting to ask the question of great distribution of supply chain metadata so like if guac is ingesting all this stuff. How are folks actually still Distributing it from their package?

N

Maintain you know, Pi, Pi, gem, uh you know, npm I know different folks are doing different things, but but I think there's stuff on that front. That uh I think a lot of folks are very interested in figuring out how to um help uh the community solves.

C

So to my friends on the tack, do we have any other questions? How do we feel about the proposal to uh incubate uh guac, so we can have some. You know incubate those avocados Ava.

B

As a project and a code base, I think it's incredibly useful I've been following their work from a distance for a while. uh If it went to a vote to move to sandbox I would absolutely thumbs up it. For incubation I would discuss a little more.

B

uh The public service aspect of it I think needs much deeper consideration before we approve.

C

Approve it. Thank you any other thoughts from the TAC.

H

I I'm also in favor I, just wanted to point out. Unfortunately, we have a process which does not followed. There is a technicality we can talk about it later but, like you need to create a PR. If you go to the process section of the talk, Project Life Cycle the instructions on how to do this.

C

Thank you. Yes,.

N

Oh okay, sorry I I only saw the one thing that said, create an issue: I must have missed the the prps okay.

C

And there's also a part of that is uh like legal review like an IP transfer, type review assessment that needs to be conducted, uh Zach and then Bob.

K

Well, I agree with uh Ava on the on the uh uh delineation, between the the project of the service uh and also that I think that this is a great candidate for sandbox um I want to apologize on the messiness of the process, we're working on cleaning it up um and in that theme I was wondering. Do we need a specific uh tax sponsor for this to move forward or like what else does this need in order to move forward.

C

We would need a tax sponsor. Yes,.

C

uh Bob.

G

Yeah so plus one to Ava's comment, I think the other plus one.

M

As well from.

G

Zach um I, don't know um I'm happy to be the tech sponsor as well.

C

Excellent I also agree: there's a lot of value in continuing to explore this um any other uh I think Dustin. Any thoughts from you, sir.

P

I'm in favor all.

C

Right, so uh let us mark down that the attack is agreeable to the idea of moving this in. There are some procedural things we need to do. The pr and whatnot and Mr callaways generously agreed to help uh Shepherd you and provide you as uh Sage wisdom as we move forward.

C

So uh let's get that documented in the issue and get the pr set, and we look forward to continuing to explore this idea and uh to Ava's statement Let's uh see if we can get some more details around the potential Public Service I think that would also be useful to get described and start to think through, because there will be a cost to that any other thoughts or statements for um attack or The Observers.

N

Great, oh, the only thing is just yeah I, just posted in chat but yeah. If somebody can just point me to the instructions for the pr stuff, I'll I'll work on that right after this excellent.

C

Well, not right after this, because we have.

A

Oh yes,.

C

All right well, uh thank you, I'm, looking forward to seeing more good stuff from guac. uh Let us talk uh in our last nine minutes about the uh contributor ladder we had some uh dialogue here on uh the issue. Amon wish to kind of report out status and uh share with the group where we are with that.

P

Dustin yeah I think I can do that. So you know we have some folks who are interested in becoming maintainers of scorecard, and uh there was a request by Justin Augustus couple uh over a year ago now for a contributor ladder, because the process is somewhat undefined of like what do you need to do at what point? Do we make someone a maintainer give them the commitment that kind of thing um in that process contributed Liars drafted, which is mostly derived from the six-door contributor ladder which already exists, uh and the thought was well like.

P

Maybe it makes it uh makes sense for all openssf projects to have contributor ladders in order to make sure that all projects have a path towards maintainership.

P

um I. Think that if I, if I, can try to summarize the discussion is generally there's a lot of detail in there there's a lot of detail in the six door ladder. um It might be too much as a template for kind of nascent projects to have to adopt.

P

um I think we could mitigate this by making it very clear that this is just a suggestion or a template, but we could also tone it down and we could also not provide a template and just sort of say, here's some examples of other projects and open ssf that have ladders. That's.

A

Kind of my general.

P

Thoughts but interested to hear from others as well.

C

We will open that up. Thank you for that summary. What thoughts or questions do we have I will say, as a working group lead having a template would be super useful, because we get lots of questions from members of how do I participate and kind of. If there's ever comes to a vote, it's nice to have kind of that process laid down um so I wouldn't mind a template. Let's start with our no.

H

So I you know, I tested and I had discussed. We did quite a bit on the issue, but uh to repeat a little bit: I mean where I stand is. You know, I think this. There is value in doing this, but we need to make it. You know the minimal requirement needs to be very minimal because uh you know I mean you're. Talking about the template. I agree.

H

A template is very useful, but, for instance, we are the template for working groups that has a TSC when most working groups don't need the TSC, but because it's in the template everybody has a TSC in the charter which they don't really know what to do with and I don't want to have that situation here. uh I think it's critical to document who the maintainers are and how somebody becomes a maintainer that should definitely be.

H

We should be transparent about this and I think it there's value in having a standard policy across the organization, but all the different layers that are being talked about, the different walls seem to be a bit of a well coming to me and my my concern is that we make it so complicated that you know somebody who wants to contribute look into it and they're like oh, my God. Forget it there's too many.

H

You know hurdles to get to maintainer I'm not going to bother, so we have to find the right way to present it so that you know we keep the simple, simple.

C

Our newest sponsor.

A

Yeah.

G

I guess my short comment on this is I. I am in total favor of mandating that projects within the foundation need to have a ladder so that it's very clear that how a contributor can move to a maintainer I would simply just go to Dustin's earlier point of linking to some examples: um I, don't I think the template thing can be overwhelming and I think. Let's not let perfect beginning the enemy of good enough here, um but I think it is part of a mature organization. I.

G

Think making sure that folks think about that very early on is a very important uh Dynamic for inclusive uh communities.

C

Excellent points, thank you, Bob. uh Any additional comments on this foreign.

C

We haven't resolved this, so I expect we'll come back at a future date. Maybe um if we can continue the conversation, if we need to schedule any kind of uh working group session to kind of have some real-time conversation, but I would ask that we come back at some point in the future, with the results and kind of recommendations from how we want to see this play out and get uh implemented. Is that sound, fair.

C

All right, we are out of time, so we will not be able to get to the taxonomy. So maybe next time we can do we'll start off after our working group update with the taxonomy and um if anyone has any uh updates, please communicate as part of the issue there we're trying to get these documents. We can have that transparent dialogue, Zach.

K

Yeah my one minute plea is: please read the issue. Please read the link Google doc um I might try to spend some time between now and the next tech meeting, putting together a more concrete proposal. If that's something you're interested in please reach out to me awesome. Thank you appreciate.

C

That all right team I appreciate everyone that contributed weather presentations or conversation today, uh good talk, uh looking forward to seeing our newest potential adoption of guac watching that ripen. uh Thank you all enjoy your days and, if anyone's interested in the security tool belt, we talk about that in just a few minutes, cheers all.

J

Thank you.