
Make getting/staying involved in TIs easier #330

Open
marcelamelara opened this issue May 21, 2024 · 8 comments · Fixed by ossf/security-baseline#17
Labels
help wanted Extra attention is needed

Comments

@marcelamelara
Contributor

Several TIs have reported much lower participation than usual lately. While there are many external factors that are affecting participation at the moment, there's a general sense that there are several barriers to a sustained level of participation in TIs:

  • The barrier to entry: There are a lot of TIs, meetings and resources to choose from, which is great! But it also makes prioritization more daunting for newcomers especially, and sustained participation difficult because it's challenging to keep up with everything that's going on.
  • Time/resource constraints: As priorities shift, many long-time and new participants don't always have the capacity to engage heavily. This also places a heavier burden on the smaller number of contributors who are able to prioritize a particular TI. So there need to be more options to engage and contribute in smaller ways, and more clarity around how/which small-scoped contributions might actually help TIs.
  • Consumption or adoption of TI outputs: Many TIs aren't designed or scoped to allow for more incremental adoption, which would enable consumers of OpenSSF/adjacent technologies and frameworks to make steady progress towards implementing OSS security practices.

Some proposed ways to begin to lower these barriers:

  • Complete the TI lifecycle assessment for each TI, including a broader "health check" with support of the GC
  • Provide guidance for TIs related to accepting contributions outside of meetings/async and differently-scoped tasks
  • Advertising areas where community contributions are needed, including "Good First Issues"

These are comments/thoughts summarizing a discussion on the #tac Slack channel with @sevansdell @steiza @SecurityCRob and @mlieberman85 . Please add anything I might have missed from our original conversation, or any new concerns/ideas not mentioned yet.

@marcelamelara
Contributor Author

Thanks for linking #169 @sevansdell ! There's a lot of fantastic input in that issue that we can incorporate into the outcomes of this one.

@sevansdell
Contributor

Seems related: #316

@Danajoyluck
Contributor

Will the architecture PR in security-baseline in some ways help with this issue? Plan to have another document on vulnerability management and incident response. Had a discussion with @sevansdell about the document location and review process (#361).

@marcelamelara
Contributor Author

@Danajoyluck Good question! I don't think this issue is related to the security baseline or vuln management. This issue is about helping developers get involved and contribute to TIs, because it can be hard for contributors to know what open tasks or issues a TI needs addressed in their code or spec. Practices like tagging issues as "Good first issue" are what's needed to address this issue.

@sevansdell
Contributor

@marcelamelara are there any open items we should be completing to address this issue?

@marcelamelara
Contributor Author

This is something I want to drive through the DEI WG in the coming year. I can open a PR over there that references this one.

@marcelamelara
Contributor Author

The only action item that falls under the TAC's purview is: "Complete the TI lifecycle assessment for each TI, including a broader 'health check' with support of the GC"

Where do we stand on this?

CC @SecurityCRob @sevansdell

@sevansdell
Contributor

@marcelamelara No action on my part. This could be verbiage we put in the lifecycle application that asks for a "get involved / first contributions needed" page?


4 participants