Issue to track naming
Dan Lorenc
Kay Williams
Hi Dan, would you consider the following suggestion to streamline decision making?
1. Make a call for proposal for a new name _and_ objective for the working group. The objective should be a one paragraph summary of the purpose and deliverables related to the name.
2. Set a date for all proposals to be submitted.
3. Create a forum for discussion and clarification of the proposals.
4. Put the reviewed proposals up for a vote of working group members.
Here is an example proposal:
*Supply Chain Attestation and Verification* Provide guidance and tooling to support the automated governance of software along end-to-end supply chains. This work supports both developers and users. Developers can seamlessly create cryptographically verifiable metadata about software creation, components, quality, security assessments, license, and other factors. Users (including downstream developers) can seamlessly verify metadata against policy to accept, reject or mitigate software according to security and compliance needs.
Thoughts?
Kay
--
You received this message because you are subscribed to the Google Groups "ossf-wg-developer-identity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ossf-wg-developer-i...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossf-wg-developer-identity/CAD%3DtRbg7VQt94pBHRHJ7zVqoSPf%3DC3MXE7rYuUc%2B5bxxrR0usg%40mail.gmail.com.
Dan Lorenc
Hi Dan, would you consider the following suggestion to streamline decision making?
1. Make a call for proposal for a new name _and_ objective for the working group. The objective should be a one paragraph summary of the purpose and deliverables related to the name.
2. Set a date for all proposals to be submitted.
3. Create a forum for discussion and clarification of the proposals.
4. Put the reviewed proposals up for a vote of working group members.
Here is an example proposal:
*Supply Chain Attestation and Verification* Provide guidance and tooling to support the automated governance of software along end-to-end supply chains. This work supports both developers and users. Developers can seamlessly create cryptographically verifiable metadata about software creation, components, quality, security assessments, license, and other factors. Users (including downstream developers) can seamlessly verify metadata against policy to accept, reject or mitigate software according to security and compliance needs.
- I'm not a huge fan of the phrase "governance". I realize it's a widely used term here, but it also conveys things like "open source governance", which is completely different.
- This also starts to go further into the policy space than I was hoping to get. In my head there are two big, decouple-able aspects here. The generation and organization of verifiable supply-chain metadata, and then the definition/application of policy against this. Policy is a huge space by itself, and I'm at least personally more interested in the first part. I want to make it so anyone can apply whatever policy they want, in a secure manner.
- This seems to lose some of the focus we've started converging toward in the issue around identity/recognition/provenance/origination/whatever the term is, to the point where I have to squint to even see it maybe inside the "software creation" phrase. I think this would benefit from a bit of clarification.
--
Thoughts?
Kay
From: 'Dan Lorenc' via ossf-wg-developer-identity <ossf-wg-devel...@googlegroups.com>
Sent: Friday, September 18, 2020 8:16 AM
To: ossf-wg-developer-identity <ossf-wg-devel...@googlegroups.com>
Subject: Issue to track naming
I opened this issue to track discussions on this topic: https://github.com/ossf/wg-developer-identity/issues/19
I'm terrible at naming, and hereby waive my rights to complain about whatever the group wants to do :)
Dan Lorenc
--
You received this message because you are subscribed to the Google Groups "ossf-wg-developer-identity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossf-wg-developer-i...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossf-wg-developer-identity/CAD%3DtRbg7VQt94pBHRHJ7zVqoSPf%3DC3MXE7rYuUc%2B5bxxrR0usg%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "ossf-wg-developer-identity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossf-wg-developer-i...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossf-wg-developer-identity/MWHPR21MB1561260794E15F14F3EEAEBBC53F0%40MWHPR21MB1561.namprd21.prod.outlook.com.
Luke Hinds
Kay Williams
It might be helpful for me to share some context.
The OpenSSF GB Strategy Committee (https://github.com/ossf/gb-strategy-committee) is working toward a planning milestone of 10/30/2020. A key deliver able of that planning milestone is a Press Release, our second for the OpenSSF – the first was our initial announce on August 3. More information about the planning milestone, press release, and planned announcements are available in this GitHub project (https://github.com/orgs/ossf/projects/1).
One of the items planned for the press release is a list of technical initiatives (https://github.com/ossf/gb-strategy-committee/issues/13).
As some of you may know, in the first OpenSSF press release, the Developer Identity Verification working group was not listed. Several members of the founding committee expressed reservations about the focus of the working group, including concerns about developer privacy, and also about how the effort will be perceived by the press and open source community. These concerns remain, and have been echoed again at subsequent Governing Board meetings as well as by members of the TAC.
Some of you may feel the concerns about how the charter of this group will be received by the press and community are overblown. Nonetheless, the concerns have been raised frequently enough, by a sufficiently broad audience, that the Governing Board and TAC generally desire to address.
Some of you may feel that this issue is a distraction from the main work of the group. Viewed from another perspective, the aim is to mitigate the issue so that the group can continue without further distraction.
Some of you may feel that only a change in name is necessary. This does not address the broader communication needs for the OpenSSF where as part of the planning milestone we will be asking all WGs to provide a short paragraph description of the working group’s objective. See the ‘Identifying Security Threats WG’ for an example (https://github.com/ossf/wg-identifying-security-threats). Such an objective does not yet exist for the Developer Identity Verification working group.
To address some of the specific questions below:
- A single paragraph objective is sufficient. See the ‘Identifying Security Threats’ and other working groups for examples. Note, however, that the objective statements are currently inconsistent across working groups. Again this is something we hope to address for the current planning milestone.
- I suggested the proposals include name and objective only because the objective can help clarify what is intended for the name. Up to the group what to decide.
- Timing – the press release deadline for content submission is 10/15. Preferably content submission would happen in early October to make life easier for our PR team.
- Wordsmithing - perhaps a name/objective combination can be selected first, and wordsmithing can occur thereafter. Just a thought.
Another possibility, if the group prefers, is to again remove it from the list of WGs discussed in the press release. This would remove time pressure and allow the group to decide on name and scope as they complete exploration and threat evaluation.
Hopefully this helps to clarify.
Kay
Luke Hinds
It might be helpful for me to share some context.
The OpenSSF GB Strategy Committee (https://github.com/ossf/gb-strategy-committee) is working toward a planning milestone of 10/30/2020. A key deliver able of that planning milestone is a Press Release, our second for the OpenSSF – the first was our initial announce on August 3. More information about the planning milestone, press release, and planned announcements are available in this GitHub project (https://github.com/orgs/ossf/projects/1).
One of the items planned for the press release is a list of technical initiatives (https://github.com/ossf/gb-strategy-committee/issues/13).
As some of you may know, in the first OpenSSF press release, the Developer Identity Verification working group was not listed. Several members of the founding committee expressed reservations about the focus of the working group, including concerns about developer privacy, and also about how the effort will be perceived by the press and open source community. These concerns remain, and have been echoed again at subsequent Governing Board meetings as well as by members of the TAC.
Some of you may feel the concerns about how the charter of this group will be received by the press and community are overblown. Nonetheless, the concerns have been raised frequently enough, by a sufficiently broad audience, that the Governing Board and TAC generally desire to address.
Some of you may feel that this issue is a distraction from the main work of the group. Viewed from another perspective, the aim is to mitigate the issue so that the group can continue without further distraction.
Some of you may feel that only a change in name is necessary. This does not address the broader communication needs for the OpenSSF where as part of the planning milestone we will be asking all WGs to provide a short paragraph description of the working group’s objective. See the ‘Identifying Security Threats WG’ for an example (https://github.com/ossf/wg-identifying-security-threats). Such an objective does not yet exist for the Developer Identity Verification working group.
To address some of the specific questions below:
- A single paragraph objective is sufficient. See the ‘Identifying Security Threats’ and other working groups for examples. Note, however, that the objective statements are currently inconsistent across working groups. Again this is something we hope to address for the current planning milestone.
- I suggested the proposals include name and objective only because the objective can help clarify what is intended for the name. Up to the group what to decide.
- Timing – the press release deadline for content submission is 10/15. Preferably content submission would happen in early October to make life easier for our PR team.
- Wordsmithing - perhaps a name/objective combination can be selected first, and wordsmithing can occur thereafter. Just a thought.
Another possibility, if the group prefers, is to again remove it from the list of WGs discussed in the press release. This would remove time pressure and allow the group to decide on name and scope as they complete exploration and threat evaluation.
Hopefully this helps to clarify.
Kay
Dan Lorenc
To view this discussion on the web visit https://groups.google.com/d/msgid/ossf-wg-developer-identity/CAKrSGQRkDC9AZY-gzGYjw8DEzNjWrsKbMCSVtTaDGPeP1R%2BUjA%40mail.gmail.com.
Luke Hinds
Kim Lewandowski
Dan Lorenc
Digital Identity Attestation
Developer Identity Management
Supply Chain Attestation and Verification
Kay Williams
Perhaps ‘Preventing Malicious Code’?
The description might be something like the following (but we could wordsmith this later if this was the direction the WG wanted to go).
“The Preventing Malicious Code working group provides tools, guidance and resources for identifying and averting the injection of malicious code in open source projects. (plus another sentence or two describing how we might go about this…)”
Just adding ideas to the mix.
Kay
Luke Hinds
Dan Lorenc
Gavin Hindman
Kim Lewandowski
To view this discussion on the web visit https://groups.google.com/d/msgid/ossf-wg-developer-identity/4e96f271-045e-4371-a5d2-875253055e50n%40googlegroups.com.