Conversation

@david-a-wheeler
Contributor

This markdown file was converted from
https://docs.google.com/document/d/1Kjq7B8SMySs0OTd76p0wro-fAvIsbG3y5GnNeTzjTQg/edit

Once merged, the plan is for future changes to be made in this git repository and not via Google documents.

Signed-off-by: David A. Wheeler <[email protected]>
@david-a-wheeler
Contributor Author

This was a collaborative work between the Global Cyber Policy WG and the Best Practices WG. Since the Best Practices WG has a website and houses many other guides, I propose putting the guide here.

@david-a-wheeler
Contributor Author

@SecurityCRob - can I get an approval to merge this first version in?


@maertsen maertsen left a comment

hi! This is very well written. I have a single comment, and it relates to the notion of making available on the market.

* Spell out title ("open source software"). This increases the
  likelihood that search engines will find this document,
  and is also helpful to readers who might not know the abbreviation.
* Clarify that steward is a per-software role
  (an organization can be a manufacturer for one program
  and a steward for another).

Signed-off-by: David A. Wheeler <[email protected]>
Again, spelling out CRA will make it easier for search engines
to find this content.

I may as well admit that I led development of this document :-).

Deal with a difference in interpretation by *not*
stating a claim one way or the other.

@maertsen believes that it's possible to be both a manufacturer
and a steward for the same sequence of bits but in different
contexts. Others don't agree with this interpretation.

We don't have the authority to interpret the CRA.
So let's resolve this by saying what *is* clearly known,
citing authority (in this case the EC), and stay silent where it's
not clear what the interpretation is.

If there's a formal interpretation stated later, we can change this
text to reflect that.

Signed-off-by: David A. Wheeler <[email protected]>
@david-a-wheeler
Contributor Author

@maertsen - 3973c7 tries to address your interpretation by trying to carefully only state what's been stated by those in authority, and not saying anything else.

I added a new sentence, that says what is known and cites its source:

It's known that an organization can be a steward for one program and also a manufacturer for a different program (Benjamin Bögel, FOSDEM 2024, time 18:10).

I hope that works for you.

@maertsen

maertsen commented Jun 1, 2025

This conservative approach seems sensible, while we await further clarification from official sources. Thanks @david-a-wheeler!

Contributor

@balteravishay balteravishay left a comment

LGTM, thanks!

@SecurityCaveman
Contributor

Looks good.

Contributor

@torgo torgo left a comment

lgtm

Contributor

@gkunz gkunz left a comment

One small typo, but otherwise ready to go.

Co-authored-by: Georg Kunz <[email protected]>
Signed-off-by: David A. Wheeler <[email protected]>
@david-a-wheeler
Contributor Author

@gkunz - thanks for the typo fix! Merged!

The Global Cybersecurity WG Awareness SIG wanted a week (until June 10) so everyone would have more time to review the content. Presuming all goes well, we can merge it as a soft-launch - that is, the document exists but we won't go crazy on social media. We can then make sure it's formatted well, etc.

The SIG would also like to wait until early July for an official "splash" with social media, since this guide fits perfectly with their July theme. I'm thinking of a release date of July 1. Then it switches from "soft-launch" to "real-launch". That's when we'll link to it from openssf.org, best.openssf.org, and post on social media.

Let me know if there's a problem with this plan. Thanks!

@david-a-wheeler david-a-wheeler requested a review from gkunz June 3, 2025 20:54
@david-a-wheeler
Contributor Author

I talked with our marketing folks, who pointed out problems with a "marketing splash" around July 1. Basically, in the US, the time around July 4 isn't a great time for many announcements. Many people take vacations before & after that date. The marketing people themselves are out July 1, and I'm out the week later, unintentionally proving this. The CRA has worldwide effect, but many in the US aren't very aware of the CRA, so we want to increase the likelihood that developers in the US will see this.

However, mid-July is rather late for the CRA guide to be available at all. So now I'm proposing a plan for "increasingly hardening launches":

  • ~June 10 (or so): merge this PR, so the link works, we can make sure it formats well, & material can be viewed
  • July 1 - add links to it from OpenSSF.org and best.openssf.org etc. People will be able to easily find it at that point.
  • ~July 15 - post a blog post about it & make announcements on social media. Basically, a "marketing splash"

Does this plan seem okay?

Contributor

@swinslow swinslow left a comment

Hi @david-a-wheeler, this guide looks great and will be helpful as a resource for OSS contributors new to the CRA.

I had a handful of mostly minor comments and edits -- see below. Feel free to take or leave any of them :) or let me know if you have any questions if my comments are unclear!

david-a-wheeler and others added 4 commits June 9, 2025 10:57
Co-authored-by: Steve Winslow <[email protected]>
Signed-off-by: David A. Wheeler <[email protected]>
Co-authored-by: Steve Winslow <[email protected]>
Signed-off-by: David A. Wheeler <[email protected]>
Co-authored-by: Steve Winslow <[email protected]>
Signed-off-by: David A. Wheeler <[email protected]>
Co-authored-by: Steve Winslow <[email protected]>
Signed-off-by: David A. Wheeler <[email protected]>
@david-a-wheeler
Contributor Author

My thanks for the review by many, including the recent review by @swinslow ! I plan to merge this PR today. We've had a lot of people review this, and after a lot of tweaks, I think we have a rough consensus.

People can still propose changes after it's merged. The merge will simply make it easier to view the material.

Steve provided some great comments, let's give him credit!

@david-a-wheeler david-a-wheeler merged commit c37d082 into main Jun 10, 2025
6 checks passed
8 participants