I think out of where our priorities overlap (OSTIF and OpenSSF) we should:

(as a workgroup) Continue refining and improving our criteria to help identify and, most importantly, prioritize critical projects. One of the key problems we face with these ideas is that we can build many lists and justify why certain projects are members of that list, but with very limited resources we have to admit to ourselves that we only have the budget to work on 20-50 projects in a significant capacity. We have to identify who needs the most help among the projects that are the most critical to the ecosystem in order to maximize our impact.

(as OpenSSF) Direct Alpha-Omega on prioritization of projects for review. In my opinion repos, compilers, and interpreters should have supply chain security reviewed as a priority, and should be the first in line for things like free YubiKeys and free security consulting.

(as OSTIF) Continue to secure funding to review projects that are identified as high priority by this working group.
Derek Zimmer
Executive Director
Open Source Technology Improvement Fund