Q4 2024 Best Practices WG TAC Update #423
Signed-off-by: Georg Kunz <[email protected]>
Thank you for sending this @gkunz ! I see several TODOs in the doc, should we convert this into a draft PR until it's ready for review?
Hi @marcelamelara! Good idea, just marked it as draft.
Co-authored-by: Thomas Nyman <[email protected]> Signed-off-by: Georg Kunz <[email protected]>
Co-authored-by: Daniel Appelquist <[email protected]> Signed-off-by: Georg Kunz <[email protected]>
Co-authored-by: David A. Wheeler <[email protected]> Signed-off-by: Georg Kunz <[email protected]>
7583f03 to 0219623
Co-authored-by: David A. Wheeler <[email protected]> Signed-off-by: CRob <[email protected]>
Co-authored-by: Eddie Knight <[email protected]> Signed-off-by: CRob <[email protected]>
Adding update for Python Coding Guide. Signed-off-by: Georg Kunz <[email protected]>
memory safety SIG comments
Co-authored-by: Avishay Balter <[email protected]> Signed-off-by: Georg Kunz <[email protected]>
Signed-off-by: Georg Kunz <[email protected]>
@gkunz — Here are the OpenSSF Scorecard updates.
@spencerschrock — Thanks for getting the draft going!
@raghavkaul @jeffmendoza — Feel free to add anything we might've missed.
Signed-off-by: Stephen Augustus <[email protected]>
Signed-off-by: Georg Kunz <[email protected]>
This is a great update - there is a lot happening in the Best Practices Working Group!
I have a bunch of minor questions, mostly in the theme of what web resources we should point people to, linking those web resources from various places, onboarding / getting started documentation, etc. We have a lot of great content that we've already made or are putting finishing touches on for 2025. Like we say in this update, a great theme for 2025 would be publishing resources, writing onboarding guides, and talking about this content externally.
In particular, it looks like https://best.openssf.org/ is due for an update. Some of the linked guides seem like they are no longer being maintained (which is fine, but we should probably at least say that) like https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md, and other content we've created hasn't been linked yet (like Python hardening or baseline - although it isn't clear to me if we're ready to point people at that content yet or if we're still getting ready for initial release).
#### Purpose

- The goal of this SIG is to evolve OpenSSF security baseline for Linux Foundation wide adoption.
- For OpenSSF adoption of the security baseline, there needs to be a home for tracking the adoption, for maintainers to raise issues to refine the security baseline, merge the baseline back to TAC lifecycle, and for OpenSSF to develop the roadmap for the security baseline. It will provide a venue for early adopters to share their reusable code and findings with other maintainers. The pilot adoption builds the foundation for wider adoption of the security baseline in OpenSSF and in Linux Foundation.
What do I point a project that wants to adopt baseline to, for them to understand what they need to do?
Digging in the repo, I stumbled on https://baseline.openssf.org/, but that isn't linked from https://github.com/ossf/security-baseline or https://best.openssf.org/.
I think adopting baseline involves creating a `baseline.yml` file in my repository? We could definitely use some onboarding or getting started docs with more hand-holding!
Right now the baseline is not ready for release, and the web page is a preview only.
After the criteria are complete and the webpage is prod-ready, we'll definitely want to start linking to it as suggested. There is also a proposal to publish a whitepaper / guide to accelerate project adoption.
`baseline.yml` is a development asset unique to the definitions themselves, and there is no user equivalent. However, a `security-insights.yml` will be part of the recommended adoption path.
#### Current Status

- The group is working on adding more content for a broad range of CWE rules. The status is being tracked in issue [531](https://github.com/ossf/wg-best-practices-os-developers/issues/531).
I found https://best.openssf.org/Secure-Coding-Guide-for-Python/, but it isn't linked from https://best.openssf.org/ or https://github.com/ossf/wg-best-practices-os-developers. Should I point people at this content? Or is it considered pre-release in its current form?
Yes, @steiza, it is considered pre-release and therefore not yet linked on best.openssf.org. All content in the doc directory of the repo gets automatically rendered to https://best.openssf.org/Secure-Coding-Guide-for-Python/, so it shows up there, but is not linked on purpose.
TI-reports/2024/2024-Q4-BEST-WG.md (outdated)

#### Up Next

- Investigate potential use of the best practices badge with baseline. Both have a set of leveled criteria for OSS projects. However, baseline has a different set of requirements, and at the time of writing tends to assume OSS projects have many developers (most OSS projects have 1 developer), so exactly how this will work is to be determined.
This assumption is not captured accurately—baseline Level 1 is intended to be fully compatible with single maintainer projects.
@eddie-knight thanks for the clarification. I propose then to remove the second sentence and just keep the statement that baseline and the badge intend to investigate alignment of requirements.
Co-authored-by: Avishay Balter <[email protected]> Signed-off-by: Georg Kunz <[email protected]>
Thanks @gkunz ! Great to see all of the really good work happening in the BEST WG.
<img align="top" src="https://github.com/ossf/wg-best-practices-os-developers/blob/main/img/OpenSSF%20Dev%20Best%20Practices%20Projects%20Relations.png">

The group continues to be active and is working on several simultaneous projects aligned with our Mission & Vision. Attendance generally is down, and several former key contributors no longer attend meetings.
Has this lower attendance posed a problem, or is the WG generally able to continue all planned activities?
Activity is down compared to previous levels, yet the activities included in this update are all ongoing and under active development and/or maintenance. So there is still plenty going on and the WG is able to continue.
Co-authored-by: Stephen Augustus <[email protected]> Signed-off-by: Georg Kunz <[email protected]>
Hi @steiza. Thanks a lot for the feedback. That's a good point. Access to our material should be straightforward and consistent. Currently, there are indeed multiple different places consumers can end up: the GitHub repo, the OpenSSF WordPress page, and https://best.openssf.org/. We should definitely pick this up in the WG and discuss if and how we want to improve this. The Python guide is currently not yet linked because we are working towards a first release.
Signed-off-by: Georg Kunz <[email protected]>
This is the Q4 2024 readout to the TAC of the Best Practices WG.