
CII Best Practices badge project - proposed WG coordination #23

Closed

david-a-wheeler opened this issue Sep 22, 2020 · 9 comments

@david-a-wheeler (Contributor):

I propose that this best practices WG coordinate with the "security threats" WG on any future criteria changes in the CII Best Practices badge, e.g., by voting on such changes by members of either WG. I further propose that this be voted on in the next WG.

There seems to be general agreement among OpenSSF participants that it'd be fine to move the CII Best Practices badge into an OpenSSF working group (WG), but there are two plausible working groups for it: The security threats WG (with its focus on metrics) and the best practices WG. No matter what, it's important that the groups work together.

Identifying security threats WG issue #9 proposes moving the CII Best Practices badge project officially into the "identifying security threats" WG (due to its metrics focus), but that any criteria changes be coordinated between both WGs.

It would also be possible to move the CII Best Practices badge to the "Best Practices" WG as well. I think it's important to identify one "official" home, but even more important to set up a way to ensure both WGs are involved (and not surprised!) in any changes.

@bkimminich (Contributor):

The name CII Best Practices badge alone makes it a more intuitive fit in the Best Practices working group. I get it that the Identifying Security Threats group would probably give lots of input and retrieve metrics from the badge project, but as a 🏠 I would go with the no-brainer of putting a project with best practices in the name into the group with the same name. Makes it a lot easier to grasp for bystanders, too.

@david-a-wheeler (Contributor, Author):

@bkimminich - That's absolutely fine too, it's whatever the OpenSSF (as a group) decides. The rationale for this proposal is that the CII Best Practices badge is interested in measuring projects (it has automation to determine whether or not projects meet certain criteria, not just stating what they are). But both OpenSSF WGs would have an interest in this. Other thoughts?

@SecurityCRob (Contributor):

I think it makes sense to see how we can incorporate the CII Badges into the Developer Best Practices group. If nothing else, it gives us some measurable success criteria for projects (which is no small thing).

@dlorenc commented Sep 30, 2020:

In general I'm +1 on putting it here in this WG. My main interest is making sure it has a good home though, and that changes can be made to the best practices in a straightforward way without requiring too much coordination across WGs.

@david-a-wheeler (Contributor, Author):

@RedHatCRob @dlorenc - Would one of you be willing to write 1-3 sentences arguing for that position, to be shared at the next TAC meeting?

Since two different WGs propose incorporating the CII Best Practices badge project, the current plan is to raise this issue to the TAC for resolution.

I do want to make it clear that I'm happy to work with either/both WGs.

@SecurityCRob (Contributor):

I posted this in our Slack the other day as a proposal to submit:

The OpenSSF Developer Best Practices working group is focused on helping developers from all communities produce better quality software. Through efforts like training on secure development practices, collection of patterns, requirements, and best practice security activities, we seek to build a stronger OSS ecosystem. The CII Best Practices is a natural fit with this group as it aligns with requirements and the good practices we are already planning on advocating, and also gives a very public visible "reward" for those developers and projects that commit to and prove they can meet these higher-level expectations of quality.

@SecurityCRob (Contributor):

The TAC met this week and based off of the conversation between this group and the Metrics WG, it was determined that the Dev Best Practices group will be assisting in curating/augmenting the existing good practices as described in the CII Best Practices Badges project. We'll coordinate future efforts around the infrastructure/measurement pieces with the Metrics WG once they get to that stage in their backlog. I'll start our agenda for next week's meeting and we can dedicate some time talking about what this might look like as a group.

@SecurityCRob (Contributor):

The "Best Practices" part of the Best Practices Badges will get input from this working group. I'm marking this issue closed. Thanks all.
