Critical project identification - proposed next steps


David A. Wheeler

Dec 7, 2021, 1:05:10 PM
to wg-securing-critical-projects
All: thanks for your hard work in identifying critical projects.
This first cut successfully met our sudden stringent time deadlines,
but it also revealed problems in our process that I think should be improved.

I think we will need to do another round to identify more critical OSS projects.
Before we do, let's try to improve the process.

We had little time to discuss candidates in our meeting, leaving things rushed & not giving
as much time as we would have wanted for people to share their knowledge.
I suggest adding columns for people who wish to asynchronously comment on the candidates (a column for
each person) where they could say YES/NO followed by a rationale (including URLs I hope).
We could then automatically accept candidates with at least 1 or 2 yeses and no "no"s (for example),
quickly handling "no-brainers" and giving us more information to discuss the rest.
We *WANT* people to discuss these!

FYI: The "Great MFA Distribution Project" created a copy of the critical OSS projects list
and is adding process information (e.g., who will be contacting each project, etc.).
You can see that copy here:
https://docs.google.com/spreadsheets/d/1sO_tJ_B7_2I-TUx23pnBoIRJIqaOm8yBnKAwqs7DwBw/edit#gid=0
and more general information here:
https://github.com/ossf/great-mfa-project
Since the Great MFA Project will use this separate spreadsheet, I removed the "MFA Notifier"
column from the document created by this critical projects WG.

One issue: there was a note that boot-time software wasn't included in the list.
I added that as a new row that "needs discussion" so that it can, well, be discussed :-).

--- David A. Wheeler

Appu Goundan

Dec 17, 2021, 8:38:29 PM
to David A. Wheeler, wg-securing-critical-projects
Hey Everyone,

I want to try to get some keys out before the end of the year, since this current Google store code set expires (Dec 31st). Do we have a set of finalized projects that I can send them out to -- is it just whatever is in the spreadsheet?

Appu


Marta Rybczynska

Dec 19, 2021, 2:24:24 PM
to Appu Goundan, David A. Wheeler, wg-securing-critical-projects
Hello Appu,
This has already started in the Best Practices group. You can see the status in the spreadsheet you link to; basically, all projects have been contacted already.

Kind regards,
Marta

David A. Wheeler

Dec 20, 2021, 11:23:53 AM
to Appu Goundan, wg-securing-critical-projects
We told projects that they had to respond by the end of the day today. I think we should probably give them 1 extra day,
then start sending out the codes. But yes, the point of the spreadsheet is to identify
which projects get how many.

The original plan was to create a mail merge to each project, using the data we've collected.
The form we intended to use is here:
https://github.com/ossf/great-mfa-project/blob/main/coupon_sending.md
We haven't set up the mail merge yet; the task is small enough that it might
be easier just to do it manually.

It wouldn't be insane for Google to send out its codes, and for someone else (GitHub?)
to send out their codes separately. The goal is to minimize the number of people
who see the codes, especially the entire list of codes. However, if Google sends them out separately,
I think Google should still use the form we developed at:
https://github.com/ossf/great-mfa-project/blob/main/coupon_sending.md

Thoughts?

--- David A. Wheeler

Appu Goundan

Dec 20, 2021, 12:08:59 PM
to David A. Wheeler, wg-securing-critical-projects
Yeah, once it's finalized, I can send out the Google codes directly.