
Apply to donate vuln-reach to the OpenSSF #388

Open
wants to merge 1 commit into base: main
Conversation

@louislang louislang commented Sep 26, 2024

We are applying to donate vuln-reach to the OpenSSF. We believe this meets the criteria for a sandbox submission. This project aims to commoditize determining whether or not a vulnerability is reachable in a given codebase.

@louislang louislang requested a review from a team as a code owner September 26, 2024 16:34
@SecurityCRob added the labels vote, Next Meeting, Submission Request and TI Lifecycle (Issue/PR related to TIs' lifecycle status. Needs 5 approvals, 10d review.) on Sep 26, 2024

@SecurityCRob (Contributor)

Has the group been speaking with our Security Tooling WG, and that group endorses this motion? We'll want to see evidence of public meetings and minutes as the project would move over to the foundation.

@louislang (Author)

Yes, we've been having discussions with the Security Tooling WG. This project was presented to the group on 2024-08-09 and is in the meeting notes under the bullet Phylum for static reachability project.

@steiza (Member) left a comment

Thanks for making this pull request! In this pull request can you also add vuln-reach to the Projects table on https://github.com/ossf/tac/blob/main/README.md#projects?

Is development of this project primarily happening on https://github.com/phylum-dev/vuln-reach in the main branch, or elsewhere? There doesn't seem to be a lot of recent activity.

To be clear, recent activity isn't a requirement for becoming a sandbox project, but sometimes people think "oh, I'll donate this to the OpenSSF, and they'll figure out how to get contributors!" and I just want to make sure we're on the same page - projects are responsible for figuring out how to get community participation.

@mlieberman85 (Contributor)

Craig is listed as a maintainer but according to GitHub he has never contributed to the project. Can you go into more detail what he's a maintainer of?

Beyond that I do think this project is good for openssf.

@louislang (Author)

> Thanks for making this pull request! In this pull request can you also add vuln-reach to the Projects table on https://github.com/ossf/tac/blob/main/README.md#projects?

Yes, of course.

> Is development of this project primarily happening on https://github.com/phylum-dev/vuln-reach in the main branch, or elsewhere? There doesn't seem to be a lot of recent activity.

We began this work some time ago as part of our proprietary product. We got it to a steady state for JavaScript/TypeScript, before shifting our core product focus a bit. We recently decided to open source this.

> Craig is listed as a maintainer but according to GitHub he has never contributed to the project. Can you go into more detail what he's a maintainer of?

I wasn't personally involved with the initial presentation to the WG, so I'm just going with what was passed along to me. As I understand it, Craig was interested in supporting the project. I will follow up with our team to get a better understanding on this specifically.

@ware (Contributor) commented Oct 8, 2024

> I wasn't personally involved with the initial presentation to the WG, so I'm just going with what was passed along to me. As I understand it, Craig was interested in supporting the project. I will follow up with our team to get a better understanding on this specifically.

I think there are two things being conflated here. Let's break them up.

  1. @craigmcl volunteered to be the ST:WG sponsor. There were some further discussions that were supposed to take place between Craig and Aaron Bray, but I don't know if they took place. If Craig is unable to be that sponsor, I will go ahead and be the sponsor, so I don't think this is a hangup.
  2. I don't know that Craig has signed up to be a maintainer but invite him to clarify. I'm not sure it meets the spirit of the Sandbox Entry Requirements to list someone as a maintainer that has not made any contributions though I invite TAC comment.

@SecurityCRob (Contributor)

> I wasn't personally involved with the initial presentation to the WG, so I'm just going with what was passed along to me. As I understand it, Craig was interested in supporting the project. I will follow up with our team to get a better understanding on this specifically.
>
> I think there are two things being conflated here. Let's break them up.
>
>   1. @craigmcl volunteered to be the ST:WG sponsor. There were some further discussions that were supposed to take place between Craig and Aaron Bray, but I don't know if they took place. If Craig is unable to be that sponsor, I will go ahead and be the sponsor, so I don't think this is a hangup.
>   2. I don't know that Craig has signed up to be a maintainer but invite him to clarify. I'm not sure it meets the spirit of the Sandbox Entry Requirements to list someone as a maintainer that has not made any contributions though I invite TAC comment.

Thanks Ryan. Re: #2, correct. We want to ensure that as projects develop and grow they have a thriving community around to support them (hence the desire to house them within a like-minded/focused working group). Having multiple maintainers is critical to the long-term viability of a project as it allows for things like code reviewing, dual-control, etc., and helps share the ongoing burden of maintenance and community engagement. We also prefer those maintainers to be from different organizations to help weather any challenges that could arise from organizational changes that impact the maintainer (that in fact is a requirement at higher levels within the TI lifecycle).

@sevansdell (Contributor) left a comment

Please identify additional maintainers based on comments about engagement from Craig at Stacklock. Are there any blockers the TAC can provide in helping you navigate this?

@marcelamelara (Contributor)

+1 To needing to address the diverse maintainership requirement.

@louislang Some ideas to potentially engage some more folks from the community: 1) put out a call for contributors in the OpenSSF Slack channels (#general, #wg-security-tooling and #wg-dei might be good options), 2) give an updated presentation at the ST:WG or other WGs for the added visibility.

@sevansdell (Contributor) left a comment

Please work with Ryan Ware to identify a TAC sponsor. I am comfortable with this being a sandbox stage project with active engagement from a TAC member and the Security Tooling WG. I would also like the TAC sponsor/Security Tooling WG lead/vuln reach maintainers to discuss a timeline to progress to incubating stage, and after that time expires, if there is no activity, to archive the project. This is an arbitrary deadline however, and if the team is actively working on the project making progress towards sandbox, the deadline can certainly be discussed with the TAC sponsor/Security Tooling WG lead to extend to another milestone date.

7 participants