What security outcome are maintainers of open-source software seeking and why?

[sevansdell]

Does this capture the high level security outcome maintainers of open-source software seek?

"As a maintainer of Open Source Software (OSS), I want to ensure the OSS I develop is licensed and secure over it's lifecycle so that I can quickly and efficiently provide automated evidence to (and answer questions from) stakeholders."

Please see the following references: for how we define the maintainer persona.

If you think the high level security outcome should be different, how would you reword it, and why?

**Bonus round: what would Diana the Weekend Warrior say?

This question is part of a special interest group in OpenSSF called the "Security Toolbelt". We are a part of the Best Practices Working Group, supported by the OpenSSF Technical Advisory Council (TAC).

[mlieberman85]

This is from @cartersocha

I think the biggest challenge for the OpenTelemetry community security sig is what does the minimum security bar look like for an open source project. Without a specific target it can be difficult to justify why the community should invest in specific tooling or require implementation across our repos. We typically just look at what Kubernetes does but that seems rather arbitrary

For the minimum bar this should include things like tooling, process guidelines like incident response for maintainers, and public disclosure of either our processes or incidents in a meaningful manner. For artifacts like SBOMs we can also struggle to get signals on what we’re producing is useful to end users.