We need a process flow for specs to become standards #305

Open
camaleon2016 opened this issue Apr 2, 2024 · 12 comments
Labels
Content Updates/additions to TAC content/process. Must include a changelog entry. Needs 3 approvals. documentation Improvements or additions to documentation Next Meeting

Comments

@camaleon2016
Member

We need a process for a spec created in a Project to become a standard. We can build out what this looks like, but there should be a way for the TAC to be kept in the loop properly as specs go before any standards process.

@lehors
Contributor

lehors commented Apr 2, 2024

To be clear: this is about submitting an OpenSSF specification to a formal standards body such as JTC1.
I agree that we should decide what approval this requires. I don't know that we need to have a complicated process but this should at least have the approval from the TAC.

@SecurityCRob SecurityCRob added documentation Improvements or additions to documentation Content Updates/additions to TAC content/process. Must include a changelog entry. Needs 3 approvals. labels May 15, 2024
@sevansdell
Contributor

Related: #337? Two opportunities for improving TAC process documentation related to specs.

@SecurityCRob
Contributor

Has there been any progress on this issue?

@SecurityCRob
Contributor

Jory will be visiting us on 3 Sept to discuss this and how we can move forward together on Standardization!

@SecurityCRob
Contributor

There are currently 4 specs that we should consider going through the standardization process:
1.) SLSA - https://github.com/slsa-framework/slsa
2.) sigstore - https://github.com/sigstore/
3.) OpenVEX - https://github.com/openvex
4.) OSV - https://github.com/ossf/osv-schema

@david-a-wheeler
Contributor

The EU typically prefers international standards. The EU's CRA has given many organizations an extra reason to be interested in formal standards.

So... I think we're going to see more interest in the days ahead in implementing these processes to convert specifications into international standards. Jory is exactly the right person to talk to about this.

@david-a-wheeler
Contributor

The Linux Foundation's Joint Development Foundation (JDF) specifically exists to help turn specifications into international standards. You don't need to re-invent that part (and you don't want to :-) ).

Getting the TAC's agreement that it's ready for the process seems valuable.

@sevansdell
Contributor

@camaleon2016 I propose we close this out with a new process TAC page linking to Jory Burson's talk given on 9/3/24. Deck presented: https://docs.google.com/presentation/d/15UDIo_lkf-KO0bU-pA5gAne0IOwy6e96KK057a3HWpg/edit#slide=id.p Will this address this issue?

@lehors
Contributor

lehors commented Oct 16, 2024

@camaleon2016 I propose we close this out with a new process TAC page linking to Jory Burson's talk given on 9/3/24. Deck presented: https://docs.google.com/presentation/d/15UDIo_lkf-KO0bU-pA5gAne0IOwy6e96KK057a3HWpg/edit#slide=id.p Will this address this issue?

I don't think so. Jory's slides are useful in that they give a good idea of the path to standardization once we decide to move one of our specs down that way, but they do not address the main question this issue is about: how do we come to make the decision that a spec should go down that path?

I think we need to develop a minimal process establishing how a TI can request TAC approval for a spec to be submitted for standardization.

And when I say "minimal" I really mean it. For all I know it might be as simple as saying somewhere in our documentation that a TI should put the request before the TAC for approval. :-)

@sevansdell
Contributor

@lehors agreed! @camaleon2016 would you be willing to propose some very lightweight decision process language in a PR? Where might this best live in our TAC repo?

@david-a-wheeler
Contributor

I propose a simple mechanism: "The OpenSSF TAC votes to convert a spec into a standard". A WG (or project/SIG directly under the TAC) can ask the TAC for such a vote. If the TAC votes "yes", then the OpenSSF is pursuing creating a formal standard.

Creating a standard can be valuable, but is time-consuming, so the TAC should make that call. There's already a process for raising issues to the TAC. This is how we handle other major technical decisions.

@lehors
Contributor

lehors commented Oct 29, 2024

Agreed! That fits my definition of "minimal process". :-)
I think we should go one step further and specify that such a request should be made by opening an issue in the TAC repo. Once a majority of the TAC members have approved, we can close the issue and proceed.
Note: explicitly relying on GitHub for this makes it possible to run such a process outside the calls.


5 participants