Okay to create new project(s) on GitHub to capture some past critical project work?


David A. Wheeler

Jun 16, 2021, 9:39:02 PM
to wg-securing-critical-projects
All:

I’d like to create 1 or 2 new projects on GitHub, under this working group, to capture some past work to identify critical OSS projects needing investments.

Is it ok to do that? I think I primarily need an okay from one of the facilitators (Dan Lorenc, Kim Lewandowski, or Amir Montazery), but confirmation from others (or general acclaim) would be great.

The code is under the MIT license. The goal is to share that code so that others can use it & build on it if they wish to do so. I’ve already shared it directly with Harvard, but I thought others might find it useful. Details below.

--- David A. Wheeler



=== DETAILS ===

Back in 2017 I did some work for my former employer to try to identify critical projects that might most need investments. Details are in the paper "Core Infrastructure Initiative (CII) Open Source Software Census II Strategy" by David A. Wheeler & Jason Dossett (October, 2017), IDA document: D-8777, https://www.ida.org/research-and-publications/publications/all/c/co/core-infrastructure-initiative-cii-open-source-software-census-ii-strategy

As part of that work we created some prototype code. It’s not a lot of code, but it did things like determine the transitive dependencies from direct dependencies. Such code doesn’t take much, but it turns out there are many ways to do that & some more efficient than others (our first version took more than a week, our final revision took less than an hour to determine this from a database of “all” open source software). This kind of analysis seems useful when trying to determine “what is critical” - so sharing code to do it seems appropriate.


Dan Lorenc

Jun 16, 2021, 9:42:22 PM
to David A. Wheeler, wg-securing-critical-projects
Approve!


David A. Wheeler

Jun 16, 2021, 10:06:35 PM
to Dan Lorenc, wg-securing-critical-projects
On Wed, Jun 16, 2021, 8:39 PM David A. Wheeler <dwhe...@linuxfoundation.org> wrote:
> All:
>
> I’d like to create 1 or 2 new projects on GitHub, under this working group, to capture some past work to identify critical OSS projects needing investments.
>
> Is it ok to do that? I think I primarily need an okay from one of the facilitators (Dan Lorenc, Kim Lewandowski, or Amir Montazery), but confirmation from others (or general acclaim) would be great.

On Jun 16, 2021, at 9:42 PM, Dan Lorenc <dlo...@google.com> wrote:
> Approve!

Excellent!

I’m in the process of posting the code here: https://github.com/ossf/oss-analysis-census2-prototype
It’s currently a private repo. I plan to switch it to public soon unless someone objects or there’s some unexpected problem.

It’s a small amount of code. But it’s surprisingly tricky to scale up computing indirect dependencies, since some ways take a lot longer than others.

--- David A. Wheeler

David A. Wheeler

Jun 16, 2021, 10:11:38 PM
to Dan Lorenc, wg-securing-critical-projects
Quick note on licensing: I think it’s all consistent with OpenSSF guidance.
> In this released material, all material is released under the [MIT license]. All material that is not executable, including all text when not executed, is also released under the [Creative Commons Attribution 3.0 International (CC BY 3.0) license](https://creativecommons.org/licenses/by/3.0/) or later.

This project was actually created under the CII, but I think it’s better to share it directly under the OpenSSF.

--- David A. Wheeler

David A. Wheeler

Jun 17, 2021, 10:58:15 AM
to wg-securing-critical-projects, Dan Lorenc, Jason Dossett
All:

As previously discussed, I’ve now publicly posted some prototype OSS analysis code on GitHub:
This is the prototype implementation described in the IDA paper "Core Infrastructure Initiative (CII) Open Source Software Census II Strategy" by David A. Wheeler & Jason Dossett (October, 2017), IDA document: D-8777, https://www.ida.org/research-and-publications/publications/all/c/co/core-infrastructure-initiative-cii-open-source-software-census-ii-strategy

As I said earlier:
> It’s not a lot of code, but it did things like determine the transitive dependencies from direct dependencies. Such code doesn’t take much, but it turns out there are many ways to do that & some more efficient than others (our first version took more than a week, our final revision took less than an hour to determine this from a database of “all” open source software). This kind of analysis seems useful when trying to determine “what is critical” - so sharing code to do it seems appropriate.

--- David A. Wheeler
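The point made in the first message and repeated above, that computing transitive dependencies from direct dependencies can be done in slower and faster ways, illustrated with an added example. This is not code from the census prototype or from the oss-analysis-census2-prototype repository; the DIRECT table is a constructed toy graph (with a deliberate dependency cycle), and every function name is an assumption of this example. It puts a naive fixpoint iteration next to an approach that collapses cycles into strongly connected components and builds each closure once, then counts transitive dependents as a first-cut "what is critical" signal.

```python
"""Transitive dependencies from a table of direct dependencies, two ways.

Added example, not the census prototype's code. DIRECT is a constructed
sample: package -> set of direct dependencies, including one cycle.
"""

DIRECT = {
    "webapp": {"framework", "logger"},
    "framework": {"http", "json", "logger"},
    "http": {"socket"},
    "json": set(),
    "logger": {"fmt"},
    "fmt": set(),
    "socket": set(),
    "cli": {"fmt", "plugin"},
    "plugin": {"cli"},  # cycle: plugin -> cli -> plugin
}


def normalize(direct):
    """Give every package an entry, including ones that only appear as deps."""
    graph = {p: set(deps) for p, deps in direct.items()}
    for deps in direct.values():
        for d in deps:
            graph.setdefault(d, set())
    return graph


def transitive_naive(direct):
    """Fixpoint iteration: union each package's deps' deps until nothing changes.
    Correct, but every round rescans every package's whole closure, so the cost
    grows with rounds x packages x closure size; on a corpus-sized graph this
    is the 'takes a week' shape."""
    closure = normalize(direct)
    changed = True
    while changed:
        changed = False
        for deps in closure.values():
            before = len(deps)
            for d in list(deps):
                deps |= closure[d]
            if len(deps) != before:
                changed = True
    for p, deps in closure.items():
        deps.discard(p)  # a package in a cycle reaches itself; don't count that
    return closure


def strongly_connected_components(graph):
    """Iterative Tarjan. Emits SCCs in reverse topological order: each SCC is
    appended only after every SCC reachable from it. Iterative so a deep
    dependency chain in a large corpus can't hit Python's recursion limit."""
    index, low, on_stack, stack, sccs = {}, {}, set(), [], []
    for root in graph:
        if root in index:
            continue
        index[root] = low[root] = len(index)
        stack.append(root)
        on_stack.add(root)
        work = [(root, iter(graph[root]))]
        while work:
            v, successors = work[-1]
            descended = False
            for w in successors:
                if w not in index:
                    index[w] = low[w] = len(index)
                    stack.append(w)
                    on_stack.add(w)
                    work.append((w, iter(graph[w])))
                    descended = True
                    break
                if w in on_stack:
                    low[v] = min(low[v], index[w])
            if descended:
                continue
            work.pop()
            if work:
                parent = work[-1][0]
                low[parent] = min(low[parent], low[v])
            if low[v] == index[v]:
                comp = []
                while True:
                    w = stack.pop()
                    on_stack.discard(w)
                    comp.append(w)
                    if w == v:
                        break
                sccs.append(comp)
    return sccs


def transitive_scc(direct):
    """Collapse cycles into SCCs, then compute each SCC's reachable set once,
    in Tarjan's emission order, reusing the already-finished sets of successor
    SCCs. Every edge is examined once; no repeated rescanning."""
    graph = normalize(direct)
    sccs = strongly_connected_components(graph)
    comp_of = {v: i for i, comp in enumerate(sccs) for v in comp}
    reach = []  # reach[i]: everything reachable from SCC i, members included
    for i, comp in enumerate(sccs):
        r = set(comp)
        for v in comp:
            for w in graph[v]:
                j = comp_of[w]
                if j != i:
                    r |= reach[j]  # j < i, so reach[j] is already final
        reach.append(r)
    return {p: reach[comp_of[p]] - {p} for p in graph}


def dependents_count(direct):
    """How many packages transitively depend on each one: the reverse question,
    and a first-cut signal for 'what is critical'."""
    count = {p: 0 for p in normalize(direct)}
    for deps in transitive_scc(direct).values():
        for d in deps:
            count[d] += 1
    return count


if __name__ == "__main__":
    for pkg, n in sorted(dependents_count(DIRECT).items(), key=lambda kv: -kv[1]):
        print(f"{pkg:10s} transitive dependents: {n}")
```

Both functions return the same closures on the sample; the difference is how much work they repeat. The naive loop is worth keeping as an oracle when testing the faster path, since the SCC bookkeeping is where bugs hide (a cycle member silently dropped, or a successor set read before it is final).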
