All: thanks for your hard work in identifying critical projects.
This first cut successfully met our sudden stringent time deadlines,
but it also revealed problems in our process that I think should be improved.
I think we will need to do another round to identify more critical OSS projects.
Before we do, let's try to improve the process.
We had little time to discuss candidates in our meeting, leaving things rushed & not giving
as much time as we would have wanted for people to share their knowledge.
I suggest adding columns for people who wish to asynchronously comment on the candidates (a column for
each person) where they could say YES/NO followed by a rationale (including URLs I hope).
We could then automatically accept candidates with at least 1 or 2 yeses and no "no"s (for example),
quickly handling "no-brainers" and giving us more information to discuss the rest.
We *WANT* people to discuss these!
FYI: The "Great MFA Distribution Project" created a copy of the critical OSS projects list
and is adding process information (e.g., who will be contacting each project, etc.).
You can see that copy here:
https://docs.google.com/spreadsheets/d/1sO_tJ_B7_2I-TUx23pnBoIRJIqaOm8yBnKAwqs7DwBw/edit#gid=0
and more general information here:
https://github.com/ossf/great-mfa-project
Since the Great MFA Project will use this separate spreadsheet, I removed the "MFA Notifier"
column from the document created by this critical projects WG.
One issue: there was a note that boot-time software wasn't included in the list.
I added that as a new row that "needs discussion" so that it can, well, be discussed :-).
--- David A. Wheeler