Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Technical Initiative Funding Request] - S2C2F PAS Submission Funding Request #328

Closed
1 task done
camaleon2016 opened this issue May 15, 2024 · 18 comments
Closed
1 task done
Assignees
Labels
administration For Review gitvote Next Meeting TI Funding Request Quarterly TI requests for funding. Needs 5 approvals, 7d review.

Comments

@camaleon2016
Copy link
Member

Problem Statement

S2C2F requires 4k in funding to pay the JDF contracted ISO Editor to help form the correct language in the S2C2F Specification in preparation for ISO PAS submission.

Who does this affect?

Without this necessary step the spec will not be in proper form for PAS submission and will not be balloted.

Have there been previous attempts to resolve the problem?

No. S2C2F is requesting funding through the OpenSSF for the first time and as a first course of action.

Why should it be tackled now and by this TI?

S2C2F Project is ready and has been accepted by the JDF to begin the process for PAS submission

Give an idea of what is required to make the funding initiative happen

Funding will cover the JDF contracted ISO Editors work in total.

What is going to be needed to deliver this funding initiative?

The JDF contracted ISO Editor is all that is required.

Are there tools or tech that still need to be produced to facilitate the funding initiative?

NO.

Give a summary of the requirements that contextualize the costs of the funding initiative

4k will cover the JDF contracted ISO Editor requested 3-5k requirement for proper formatting of the S2C2F spec into a ballotable ISO Standard

Who is responsible for doing the work of this funding initiative?

JDF contracted ISO Editor. Contact in the JDF is Seth Newbury [email protected]

Who is accountable for doing the work of this funding initiative?

Jay White, Adrian Diglio, Tom Bedford

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

JDF - Seth Newbury, Jory Burson

Which technical initiative will this funding initiative be associated with, and will it report to which WG or project?

S2C2F Project under the SUpply Chain Integrity WG

What license is this funding initiative being used under?

Community Specification License 1.0

Code of Conduct

  • I agree to follow the OpenSSF's Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

Balloting is currently TBD, but we are anticipating finalizing the process by Jan 2025. 4k in funding will only be used to pay the JDF contracted ISO Editor to prepare the spec for entering the PAS Balloting process.

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

JDF issues the contract.

@camaleon2016 camaleon2016 added administration For Review TI Funding Request Quarterly TI requests for funding. Needs 5 approvals, 7d review. labels May 15, 2024
@SecurityCRob
Copy link
Contributor

The TAC will review this at our next meeting (28May). I encourage everyone to review & comment beforehand

@SecurityCRob
Copy link
Contributor

SecurityCRob commented May 17, 2024

@camaleon2016 @adriandiglio can you add a bit of context here as to why making s2c2f an ISO standard is beneficial. What will achieving that enable for the group and consumers of the framework? If this is NOT funded, what is at risk?

@camaleon2016
Copy link
Member Author

camaleon2016 commented May 17, 2024 via email

@torgo
Copy link
Contributor

torgo commented May 23, 2024

This seems like a reasonable use of TAC funding to me and in line with our discussions. 👍🏻

@steiza
Copy link
Member

steiza commented May 28, 2024

I would love for @camaleon2016 / @omkhar to summarize here what they mentioned at today's TAC meeting about how ISO standardization helps with OpenSSF's engagement with EU public sector on the Cyber Resilience Act (and possibly other public / private sector conversations?)

That said, this seems like a good way for the OpenSSF to start exploring turning community specifications into standards, and seeing what opportunities that unlocks. +1 from me.

@omkhar
Copy link
Contributor

omkhar commented May 29, 2024

@steiza sure things!

In standards land, there are broadly two kinds of standards:
( from our good friend Wikipedia)

In law and government, de jure (/deɪ ˈdʒʊəri, di -, - ˈjʊər-/, Latin: [deː ˈjuːre]; lit. 'by law') describes practices that are legally recognized, regardless of whether the practice exists in reality.[1] In contrast, de facto ('in fact') describes situations that exist in reality, even if not formally recognized.

De jure standards typically bear a mark or recognition that the standard has been through an official standardization process. Ex: ISO/IEC 27001:2013 went through the JTC1 standardization process. De facto standards (S2C2F as an example)
don't have a current mark nor has it been through the standardization process, even though it may be used extensively.

The goal of putting a de facto standard through the de jure process is two fold:

  1. When recognized as a de jure standard, we can more easily apply it to regulatory or governance standardization efforts like the EU CRA. If the standards body see that S2C2F is an ISO recognized standard, it makes it much easier to adopt.
  2. Commercially, when transacting with governments or regulatory agencies, declaring that a particular product/procedure/method is conformant with an international standard allows you to attest conformance with a requirement.

Overall, I think it's a Good Thing (tm) and something which we may wish to consider for other OpenSSF work (ex SLSA) if the TAC should choose.

@SecurityCRob SecurityCRob changed the title S2C2F PAS Submission Funding Request [Technical Initiative Funding REquest] - S2C2F PAS Submission Funding Request Jun 6, 2024
@SecurityCRob SecurityCRob changed the title [Technical Initiative Funding REquest] - S2C2F PAS Submission Funding Request [Technical Initiative Funding Request] - S2C2F PAS Submission Funding Request Jun 6, 2024
@SecurityCRob
Copy link
Contributor

Is this ask for $4000 or "$3000-$5000"? or both?

@camaleon2016
Copy link
Member Author

camaleon2016 commented Jun 6, 2024 via email

@sevansdell
Copy link
Contributor

I will be out for the TAC meeting, but don't have any additional questions, and support this TI funding request. If this comment of support could be counted as a vote if needed, please use it.

@marcelamelara
Copy link
Contributor

Having this reviewed this ask, it's not a huge $ amount for an outcome that seems overall beneficial and may pave the trail for other OpenSSF specs. Can @camaleon2016 or @adriandiglio please comment on the impact to the project if the funding request isn't approved in Q2?

@marcelamelara
Copy link
Contributor

Since we're getting close to the decision deadline, and I'm still on the fence about supporting this request in Q2, my vote is to defer this request.

@riaankleinhans
Copy link
Contributor

/vote

Copy link

git-vote bot commented Sep 23, 2024

Vote created

@riaankleinhans has called for a vote on [Technical Initiative Funding Request] - S2C2F PAS Submission Funding Request (#328).

The members of the following teams have binding votes:

Team
@ossf/tac

Non-binding votes are also appreciated as a sign of support!

How to vote

You can cast your vote by reacting to this comment. The following reactions are supported:

In favor Against Abstain
👍 👎 👀

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 1month 11days 13h 26m 24s. It will pass if at least 70% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.

@riaankleinhans
Copy link
Contributor

Gitvote was added as a tool to test for stream lining the TI Funding process.
The members of the GH group "TAC" can vote by commenting with an +1. -1 or eye on the Gitvote block in this issue.
Until the TAC is satisfied with the process the GitVote outcome would not be binding.

Community members can show their support by also voting, however only the "TAC" GH Group's votes will count.

The current passing threshold is 70% and the committee is the TAG GH group.
The vote say open fo 6 week and an announcement is sent on the GH/TAC/Discussion

All these parameters can by fine tuned or changed here
Please reach out if you have any questions.

@riaankleinhans riaankleinhans self-assigned this Sep 25, 2024
Copy link

git-vote bot commented Sep 30, 2024

Vote status

So far 0.00% of the users with binding vote are in favor (passing threshold: 70%).

Summary

In favor Against Abstain Not voted
0 0 0 9

Binding votes (0)

User Vote Timestamp
@steiza Pending
@torgo Pending
@mlieberman85 Pending
@bobcallaway Pending
@lehors Pending
@SecurityCRob Pending
@marcelamelara Pending
@camaleon2016 Pending
@sevansdell Pending

1 similar comment
Copy link

git-vote bot commented Oct 7, 2024

Vote status

So far 0.00% of the users with binding vote are in favor (passing threshold: 70%).

Summary

In favor Against Abstain Not voted
0 0 0 9

Binding votes (0)

User Vote Timestamp
@steiza Pending
@torgo Pending
@mlieberman85 Pending
@bobcallaway Pending
@lehors Pending
@SecurityCRob Pending
@marcelamelara Pending
@camaleon2016 Pending
@sevansdell Pending

@lehors
Copy link
Contributor

lehors commented Oct 7, 2024

This request was actually withdrawn so closing.
/cancel-vote

@lehors lehors closed this as completed Oct 7, 2024
Copy link

git-vote bot commented Oct 7, 2024

Vote cancelled

@lehors has cancelled the vote in progress in this issue.

@git-vote git-vote bot removed the vote open label Oct 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
administration For Review gitvote Next Meeting TI Funding Request Quarterly TI requests for funding. Needs 5 approvals, 7d review.
Projects
Status: Needs Refinement
Development

No branches or pull requests

9 participants