Add Q3 update for the BEST WG #499
Conversation
Signed-off-by: balteravishay <[email protected]>
Force-pushed from 3232946 to 93d9560
Co-authored-by: Georg Kunz <[email protected]> Signed-off-by: Avishay Balter <[email protected]>
Lots of good stuff in here - I love all the guides and the courses we're working on.
This isn't a problem to solve today, but the answer to "what practices does OpenSSF recommend I follow to secure my project?" is starting to get quite complicated with the Best Practice badge, Scorecard, and the upcoming Baseline. These projects do serve different audiences and tools - I love how the Best Practice badge lets you explain how you meet a security capability even if it isn't one we can automatically detect - but we need some combination of convergence and/or explainers to point people in the right direction.
Something like: "Are you an open source maintainer? Check out Best Practices badge! Are you an OSPO or a consumer of open source? Use Scorecard. Are you in a foundation / trying to meet a compliance framework? Check out Baseline." That's a bit off the cuff and may not be 100% correct, but imagine how confusing this is for people who are completely outside the OpenSSF!
Co-authored-by: Arnaud J Le Hors <[email protected]> Signed-off-by: Avishay Balter <[email protected]>
Signed-off-by: Arnaud J Le Hors <[email protected]>
Thanks @balteravishay!
#### **Status Update**

* Continued maintenance and security updates.
* Resolved subtle problem that was preventing ONAP from earning a gold badge.
Pardon my ignorance, what is ONAP?
#### **Status Update**

* LFD121 labs are being translated into Japanese!
This is great! Not directly related to the BEST WG, but I'm curious whether this translation work is being done by a contractor or if this is being driven by a community member? The SLSA spec has received a few localization requests (incl. Japanese), and it would be great to continue the trend of having OpenSSF resources be available in multiple languages.
* A way to formally declare maintenance/production level intent for OSS project
* How to handle freshness of dependencies?
* Guidance about testing for OSS projects.
* Guidance on how to ensure that executables match their putative source code.
This sounds like a potential collaboration opportunity with SLSA.
Co-authored-by: Marcela Melara <[email protected]> Signed-off-by: Zach Steindler <[email protected]>
Update TAC with the great work done in the BEST practices WG