Skip to content

First initial commit for the Malicious Package application #500

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Aug 19, 2025
Merged

First initial commit for the Malicious Package application #500

merged 12 commits into from
Aug 19, 2025

Conversation

6mile
Copy link
Contributor

@6mile 6mile commented Jul 7, 2025
edited
Loading

This is my initial draft doc for the TAC requirement to create a separate OpenSSF project for Malicious Packages.
The intent is to create a Malicious Packages project under the Securing Critical Projects WG.

calebbrown
calebbrown suggested changes Jul 8, 2025
View reviewed changes
Copy link

@calebbrown calebbrown left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Paul! I've added some minor comments.

@6mile 6mile requested a review from calebbrown July 8, 2025 23:02
@6mile 6mile marked this pull request as ready for review July 12, 2025 03:38
@6mile 6mile requested a review from a team as a code owner July 12, 2025 03:38
@marcelamelara marcelamelara added the Major / New TI Changes to Charter/Technical Strategy/TI Lifecycle process, new TI. Needs 7 approvals, 15d review. label Jul 15, 2025
@marcelamelara
Copy link
Contributor

Who will be the hosting group for this new project? Is Malicious Packages meant to be hosted under a particular WG or report directly to the TAC? Either way, ensuring there's a TAC and/or WG sponsor would be really helpful.

@6mile
Copy link
Contributor Author

6mile commented Jul 18, 2025

Who will be the hosting group for this new project? Is Malicious Packages meant to be hosted under a particular WG or report directly to the TAC? Either way, ensuring there's a TAC and/or WG sponsor would be really helpful.

Hi @marcelamelara I've updated the application to show that the sponsor is the Securing Critical Projects Working Group.

@lehors
Copy link
Contributor

lehors commented Jul 21, 2025

The intent is to spin Malicious Packages out of the Securing Critical Projects WG and into its own project.

I don't think that's the right way to put it because with few exceptions, projects report to a WG. So, they is no spin-out in this case. I think you should rather say:

The intent is to create a Malicious Packages project under the Securing Critical Projects WG.

@gkunz
Copy link
Contributor

gkunz commented Jul 21, 2025

Hi @6mile. Thanks for putting the application together. Purely out of curiosity and to understand the dynamics and needs of the OpenSSF community better: why would you like to create a separate project under the WG (e.g., spin the project out of the WG)?

@6mile
Copy link
Contributor Author

6mile commented Jul 22, 2025

The intent is to spin Malicious Packages out of the Securing Critical Projects WG and into its own project.

I don't think that's the right way to put it because with few exceptions, projects report to a WG. So, they is no spin-out in this case. I think you should rather say:

The intent is to create a Malicious Packages project under the Securing Critical Projects WG.

Done!

@6mile
Copy link
Contributor Author

6mile commented Jul 22, 2025

Hi @6mile. Thanks for putting the application together. Purely out of curiosity and to understand the dynamics and needs of the OpenSSF community better: why would you like to create a separate project under the WG (e.g., spin the project out of the WG)?

Good question. There are several reasons to make Malicious Packages its own project. First, the Securing Critical Projects WG has a number of work streams and projects under its umbrella:

Securing Critical Projects: List of Critical Open Source Projects, Components, and Frameworks

criticality_score(https://github.com/ossf/criticality_score/blob/main/Quantifying_criticality_algorithm.pdf)

Census II Preliminary Census II

package-feeds

package-analysis

The Malicious Packages repository and its associated work is lost right now in that noise. If its not its own stand alone project, where does it fit? I routinely talk to people who want to participate but who can't find it in the OpenSSF universe of "things".
Ironically, the malicious packages non-project gets a disproportionate amount of visibility outside of the OpenSSF in terms of the GitHub repository itself, and its utility. But doesn't get a lot of visibility inside the OpenSSF.
The idea in promoting it is to help grow its priority and visibility in the OpenSSF, so that it matches its importance outside. And frankly, to bring more people into the core contributing group.

steiza
steiza approved these changes Jul 22, 2025
View reviewed changes
Copy link
Member

@steiza steiza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes sense to formally recognize that Malicious Packages is operating as a Project inside of Security Critical Projects Working Group.

When we were defining TI types (and lifecycles), we wrote:

This document describes the Open Source Security Foundation (OpenSSF) lifecycle process for Technical Initiatives (TI) which include Working Groups (WG) (non-software and non-specification focused), Projects (developing code or specifications), and Special Interest Groups (SIG).

If a TI is primarily producing code and specifications, it should be a Project.

6mile
6mile commented Jul 22, 2025
View reviewed changes
Copy link
Contributor Author

@6mile 6mile left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

heya @calebbrown I think I've addressed the changes you requested. Can you verify and if so, approve? Thanks!

@gkunz
Copy link
Contributor

gkunz commented Jul 23, 2025

Thank you @6mile for the explanation of your motivation. The TI lifecycle process is the tool to support TIs in overcoming the challenges you mention.

@calebbrown
Copy link

Thanks for preparing this @6mile! LGTM

The Malicious Packages repo is definitely growing beyond the Package Analysis project it was created within, so becoming its own project will continue to help support this growth.

marcelamelara
marcelamelara approved these changes Aug 4, 2025
View reviewed changes
Copy link
Contributor

@marcelamelara marcelamelara left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

justaugustus
justaugustus requested changes Aug 5, 2025
View reviewed changes
Copy link
Member

@justaugustus justaugustus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great. Minor grammatical nits.

6mile and others added 2 commits August 6, 2025 11:15
@6mile @justaugustus
Update process/project-lifecycle-documents/maliciouspackages_sandbox_…
0495e93 
…stage.md

Co-authored-by: Stephen Augustus <[email protected]>
Signed-off-by: Paul McCarty <[email protected]>
@6mile @justaugustus
Update process/project-lifecycle-documents/maliciouspackages_sandbox_…
18b9155 
…stage.md

Co-authored-by: Stephen Augustus <[email protected]>
Signed-off-by: Paul McCarty <[email protected]>
@6mile
Copy link
Contributor Author

6mile commented Aug 6, 2025

Looks great. Minor grammatical nits.

Heya @justaugustus i've updated with your suggestions.

justaugustus
justaugustus approved these changes Aug 6, 2025
View reviewed changes
Copy link
Member

@justaugustus justaugustus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @6mile!

@steiza steiza merged commit 8cde88b into ossf:main Aug 19, 2025
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@steiza steiza steiza approved these changes

@justaugustus justaugustus justaugustus approved these changes

@scovetta scovetta scovetta approved these changes

@bobcallaway bobcallaway bobcallaway approved these changes

@lehors lehors lehors approved these changes

@gkunz gkunz gkunz approved these changes

@marcelamelara marcelamelara marcelamelara approved these changes

+1 more reviewer

@calebbrown calebbrown calebbrown approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
Major / New TI Changes to Charter/Technical Strategy/TI Lifecycle process, new TI. Needs 7 approvals, 15d review.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@6mile @marcelamelara @lehors @gkunz @calebbrown @steiza @justaugustus @scovetta @bobcallaway