[Technical Initiative Funding Request]: RSTUF Security Audit for 1.0.0 #379
Comments
|
Hey @kairoaraujo thanks for submitting this request! This week is the TAC review period for funding request, but we need a specific amount to review this request. Have you had a chance to reach out to folks who might perform the audit to get an idea of the amount needed? |
Hi @steiza, I requested a quotation for the audit. |
|
Hello. The Open Source Technology Improvement Fund, Inc specializes in exactly this: facilitating and managing security audits for open source projects and communities. We did the php TUF (https://ostif.org/php-tuf-audit-complete/), go TUF (https://ostif.org/go-tuf-on-bugs-ostifs-audit-of-go-tuf/), and python TUF (https://ostif.org/our-audit-of-python-tuf-is-complete-multiple-issues-found-and-fixed/) security audits. So in addition to being an ideal candidate to handle any security audit request, OSTIF has a track record for doing these specific kinds of engagements. I hope you consider engaging us for this request, as we can deliver the intended results. |
|
/vote |
Vote created@riaankleinhans has called for a vote on The members of the following teams have binding votes:
Non-binding votes are also appreciated as a sign of support! How to voteYou can cast your vote by reacting to
Please note that voting for multiple options is not allowed and those votes won't be counted. The vote will be open for |
|
Gitvote was added as a tool to test for stream lining the TI Funding process. Community members can show their support by also voting, however only the "TAC" GH Group's votes will count. The current passing threshold is 70% and the committee is the TAG GH group. All these parameters can by fine tuned or changed here |
@kairoaraujo pinging to see if you have an update on this? |
I had one meeting with one provider yesterday (23rd Sept) and I have another one today (24th Sept). |
|
A quorum of the TAC met on 17Sept to discuss Q3 TI Funding Requests. The group reached consensus that pending a quote for the review that this is tentatively approved. |
github-project-automation
bot
moved this to Submitted
in OpenSSF TI Funding Project Board
riaankleinhans
moved this from Submitted
to Funding Approved
in OpenSSF TI Funding Project Board
Vote statusSo far Summary
Binding votes (3)
|
| User | Vote | Timestamp |
|---|---|---|
| riaankleinhans | In favor | 2024-09-23 18:14:00.0 +00:00:00 |
Vote statusSo far Summary
Binding votes (3)
|
| User | Vote | Timestamp |
|---|---|---|
| riaankleinhans | In favor | 2024-09-23 18:14:00.0 +00:00:00 |
| simi | In favor | 2024-09-30 17:20:43.0 +00:00:00 |
|
/cancel-vote |
Vote cancelled@riaankleinhans has cancelled the vote in progress in this issue. |
|
I see the vote in progress is cancelled. Is the request still open? |
Yes, a quorum of the TAC approved this on September 17th: #379 (comment) This was one of the two issues I was asking @riaankleinhans about at the TAC meeting yesterday. On the funding project board it's sitting in |
|
@kairoaraujo have you received the other quotes? |
|
Hello everyone, chiming in here. OpenSSF has asked OSTIF to take a look at the proposal and help with moving forward with the security audit. We will take a look and explore next steps. |
|
@kairoaraujo I will send out an email for formalized the process between OpenSSF & OSTIF. |
riaankleinhans
added
the
TI Funding Request
riaankleinhans
moved this from Funding Approved
to Under TAC review
in OpenSSF TI Funding Project Board
Technical Initiative
Repository Service for TUF / Security Software Repositories Working Group
Lifecycle Phase
incubation
Funding amount
unknown -- help needed
Problem Statement
RSTUF is about to release the 1.0.0, we are moving close to 1.0.0-rc and before the final release we aim to have a security audit. This project is moving to staging phase in the PyPI and RubyGems repository.
Who does this affect?
Public Repository (and or Private repositories)
Have there been previous attempts to resolve the problem?
No
Why should it be tackled now and by this TI?
RSTUF is a project under wg-securing-software-repos (OpenSSF)
Give an idea of what is required to make the funding initiative happen
We require a security audit in the RSTUF projects, to help us to identify possible improvements on this aspect.
What is going to be needed to deliver this funding initiative?
A company/contractor that can run the audit and generate a report for RSTUF maintainers.
Are there tools or tech that still need to be produced to facilitate the funding initiative?
No response
Give a summary of the requirements that contextualize the costs of the funding initiative
Who is responsible for doing the work of this funding initiative?
Kairo de Araujo (@kairoaraujo)
Who is accountable for doing the work of this funding initiative?
Kairo de Araujo (@kairoaraujo)
If the responsible or accountable parties are no longer available, what is the backup contact or plan?
Martin Vrachev (@MVrachev)
What license is this funding initiative being used under?
MIT
Code of Conduct
List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.
By the end of Q4 2024 we want to have the RSTUF 1.0.0 out.
If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.
No response
The text was updated successfully, but these errors were encountered: