[Proposal] Skill "Tags" as code for easier search and mapping

[rficcaglia]

Description: what's your idea?

Derivative from #142 discussion:

We we discussing if assessment volunteers need certain skils, for example:

• crypto expertise
• distributed protocol expertise
• kernel implementation experience
• network protocol expertise
• mathematical proofs
• whitehat/blackhat experience
• secure code reviews
• etc

and allow volunteers to self-identify with those skills via some tangible evidence:

• a public/published article on the topic
• public commits or GHIs to another open source project
• a verifiable (or at least identifiable) recommendation via a GHI or PR from the recommender
• a vuln/CVE report in their name
• etc

then it becomes more of a mapping exercise of selecting a review team with members that cover the specific skills needed, >recognizing that very few will have all the necessary (deep) domain expertise for a given review.

Idea here is to generalize that for any project effort. Any volunteer who wishes to map their skills to a defined catalog (eg. NIST NICE which is security focused, but any others, too) of skills "ontology" can do so, such that it is easier (automatable?) to search and match people to projects and vice versa.

Impact: Describe the customer impact of the problem. Who will this help? How will it help them?

Projects, WGs, SIGs and other community members can both showcase their skills, map their journeys, seek mentorships or mentor others, find projects, be found, and "tag" themselves as SMEs.

Scope: How much effort will this take? ok to provide a range of options if or "not yet determined" for initial proposals. Feel free to include proposed tasks below or link a Google doc

TBD. If automated tool, could be a few sprints. If just a markdown doc pointing to something like NICE, could be 30 min :)

Anti-Goals:

• fully opt-in NEVER required (but will it lead to shaming?)
• not a high level "badge" system that is too high level to be useful for project task matching (eg the assessment items discussed above)
• should not be too static, ie should be based on contributions in github repos, PRs, blog posts, comments, etc. not static or passive only (though that might be part of it for things like hardware, classified or "closed source" domains, or pre-github skills/domain expertise)

TO DO

• SIG Representative
• Project leader(s)
• TBD

[lumjjb]

I think this is going to be helpful with governance as well, being able to better match members to projects. Would also help the new member experience (#666). This used to be done early days when meetings were small and we spent a good 15-30 mins having kind of like an introduction round at the start of every meeting, this could help fill that gap as the group gets bigger.

tagging @IAXES who may be interested in the assessment aspects of it

[IAXES]

^^ Thanks Brandon.

[rficcaglia]

one thought was maybe just github API for user gists and users voluntarily add a gist for their skills in some agreed upon format rather than some file in the TAG repo that we have to manage and will change too frequently.

only downside I see is that I don't think you can label gists so it would have to be an agreed upon filename convention like:
cncf-tag-security-skills.json

so when we pull via rest api we can ignore all other public non-related gists.

thoughts?

[stale]

This issue has been automatically marked as inactive because it has not had recent activity.

[TheFoxAtWork]

Recommend closing this issue in favor of outside social professional networking solutions. concurrence?

[lumjjb]

Agree - i just closed #115 as well due to inactivity. Think this sits in the same boat.