WG Resources #43
Comments
For existing things that were merged in, there are probably a number of rebranding / marketing exercises we need to go through. For example, CII Badges should be rebranded to OSSF Badges in a number of places.
@kimsterv - Rebranding the CII Best Practices badge is totally expected. However, it's also time-consuming & expensive, so it's important that it only happen once. See here for the proposal/discussion on rebranding the CII Best Practices Badge: coreinfrastructure/best-practices-badge#1515 - comments welcome!
We talked about potentially wanting more help with PR/publication for white papers during the vulnerability disclosure meeting today. @MarcinHoppe can add more detail.
We are indeed planning to put together a white paper about OSS vulnerability disclosure. It would be great to know what kind of support we can get from OpenSSF / LF. If we could get assistance or funds for things like graphic design, it would be pretty sweet.
Hello. As part of 2022 backlog grooming, each open TAC issue is being reviewed for applicability/completeness. Has this request been completed? If so, can that be noted in a comment please. If not, what actions need to be taken to continue moving this issue to completion? Is this an item that the TAC needs to address in 2022? If we do not hear back from you within two weeks, this issue will be closed (23March2022). Thank you.
Is this issue still relevant, or will it be covered by 2022 TAC review of WGs?
No activity in over a year. Closing.
Based on @jenniferfernick's comment here: #41 (comment)
I decided to take a quick look at what "resources" WGs are currently using and what they might want/need.
I'm probably missing some, but let's use this as a place to collect a "wishlist" to take to the GB as they consider budgets. We might even be able to get some member companies to kick in help in the meantime. If I missed anything, let me know in the comments and I'll merge back up into this list.
Vulnerability Disclosures
Nothing was obvious from scrolling through the meeting notes/repo.
Security Tooling
The CVE benchmark repo is in a separate GitHub org. It's unclear if this has been properly merged into the OSSF yet, but that's tracked here: #35
Looks like they have some other stuff going on in personal repos/other orgs that might need to be moved over here eventually: (I don't know the actual intent, just guessing based on conversations I skimmed)
Best Practices
Badges
SKF
Scorecards
Identifying Security Threats
Securing Critical Projects
Criticality
This is run manually right now I think, so no real infrastructure. The results got published on GCS, but it's just a few small text files that could easily be moved to anywhere.
Package Feeds
Nothing is really set up here yet. I was going to try running it in a GKE cluster once we get a little farther along.
General Funding
I've funded a few efforts (ISRG, etc.) directly from Google that have presented or asked in these meetings. We'll get a lot more of these requests, and I won't be able to keep up forever. That's working as intended :)
Digital Identity
The main assets here are the awesome presentations hosted on YouTube. I think there's a "round up" blog post coming soon to summarize all of these from Gavin and @kimsterv
There's also talk of a few other whitepapers/publications that could just be hosted out of the repo and linked to from openssf.org.