Skip to content

ossf/wg-securing-software-repos

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

wg-securing-software-repos

OpenSSF Working Group on Securing Software Repositories

Motivation

This working group is for and focuses on the maintainers of software repositories, software registries, and tools which rely on them, at various levels including system, language, plugin, extensions and container systems. It provides a forum to share experiences and to discuss shared problems, risks and threats.

Objective

  • Enable faster cross-pollination of existing ideas across ecosystems (including technical measures, infrastructure approaches, and policies)
  • Act as a clearinghouse for new ideas that could benefit multiple ecosystems
  • Enable maintainers to better align and coordinate policies and changes between different ecosystems
  • Identify & escalate needs for infrastructure and assistance for shared tooling and/or services (to be filled by supportive or sponsoring organizations (such as the OpenSSF))
  • Develop methods for sharing data related to software repositories, software registries, and tools which rely on them
  • Delegate solving particular problems and goals to subgroups or other workgroups as appropriate

The working group may create:

  • Normative, non-binding recommendations on common schemas
  • Descriptive documentation of experiences and best practices

Antigoals

  • The working group is not a governing body and does not create binding obligations on members
  • The working group does not dictate technologies, tools or solutions, though members are free to recommend them to one another

Published work

See also https://repos.openssf.org/

Projects

Name Repository/Home Page Notes Status
Repository Service for TUF https://github.com/repository-service-tuf/repository-service-tuf Meeting Notes Sandbox

Governance

The CHARTER.md outlines the scope and governance of our group activities, as well as the maintainers of this repository.

This group is co-chaired by Dustin Ingram and Zach Steindler.

Communication

Meeting times

Zoom every other Wednesday, alternating between EMEA (13:00 UTC) and APAC-friendly times (22:00 UTC).

The meeting invite is available on the public OSSF calendar.

Meeting Notes

Meeting notes are maintained in a Google Doc. If attending please add your name, and if a returning attendee, please change the color of your name from gray to black.

Antitrust Policy Notice

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.

Intellectual Property

In accordance with the OpenSSF Charter (PDF), work produced by this group is licensed as follows:

  1. Software source code: Apache License, Version 2.0, available at https://www.apache.org/licenses/LICENSE-2.0;
  2. Data: Any of the Community Data License Agreements, available at https://www.cdla.io;
  3. Specifications: Community Specification License, Version 1.0, available at https://github.com/CommunitySpecification/1.0;
  4. All other Documentation: Creative Commons Attribution 4.0 International License, available at https://creativecommons.org/licenses/by/4.0/

About

OpenSSF Working Group on Securing Software Repositories

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published