-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update objective and goals. #15
Conversation
lgtm. change the name of the PR s/mission/objective? |
This seems much broader in scope than my understanding of the goals of this working group. Supply Chain Integrity seems like it crosses quite far over into the existing non-OpenSSF SBOM/DBOM working group, and is a slightly different problem. IMO Developer Identity is about how projects know and trust the entities committing code into their projects. How that is implemented may give confidence/feed into how third parties decide whether or not to consume that project, but is still a different problem. I completely realize that I missed the first couple of meetings where this was discussed, so feel free to ignore me if I am rehashing closed topics. |
Yes, this is definitely a broadening in scope. @kaywilliams can discuss how this will relate to the SBOM/DBOM work - but my 2 cents is that we will not be working on any new standards in that space. I should probably specifically call that out in the non-goals section. The Developer Identity work you outlined is still one of the main priorities for me, and I hope this group :) This is definitely not a closed issue/discussion, the goal of this PR was to create a place to have it before the next meeting! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for changing the proposed name, that is something I would like us to do urgently, even while we debate scope.
This is based on the discussions on scope in the previous two WG meetings and the
scope document originally shared here.
This document has multiple unaddressed or unresolved comments, and a discussion meeting tomorrow, on 2020/09/15, to address specifically this scoping question.
This PR seems premature.
I still don't love the reference to developer names at all (vs., say, only referring to keys). I don't think this is the right threat model. If I am a known 'good' user, and my account is compromised (which is ), then the verification of my account did not help identify this compromise. It might help in mitigation (e.g., looking for signed commits), but then again, the issue there is the use of my cryptographic identity, not my personal identity.
As @ghindman points out, if the scope of this WG is meant to only to deal with provenance, and integrity, then that might make sense. Currently, the dashboard project does seem to be the place we are heading to surface this information but not necessarily generate this information.
This seems much broader in scope than my understanding of the goals of this working group.
I would agree. Also agree that if the goal is in fact provenance, then we should consider how to engage with existing groups in NTIA, OWASP and MITRE around their SBOM efforts.
@@ -35,28 +37,23 @@ These problems need solutions! | |||
|
|||
<img align="right" src="./dog_meme.jpg"> | |||
|
|||
* Give open source maintainers a way to do work under their chosen name, representing their real employers in secure ways. | |||
* Give open source maintainers a way to do work under their chosen name, and to prevent others from impersonating them. | |||
* Give open source projects tools and infrastructure to verify the identities of their maintainers. | |||
* Give consumers of open source libraries more data for determining the risks of depending on said library. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overlaps with the Project Security Metrics project from the Identifying Security Threats WG.
* Respect the privacy of everyone involved. | ||
* Give OSS maintainers better ability to ensure that project governance policies (like independent signoff) are followed. | ||
* Give OSS consumers tools to detect surges in activity from unknown committers. | ||
* Give OSS consumers tools to detect changes in activity from unknown committers. | ||
* Allow consumers of open source to examine the full provenance of their open source supply-chains. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A lot of the 'provenance' discussion is also part of the dashboard - in that that information would need to be surfaced somewhere.
README.md
Outdated
@@ -1,10 +1,12 @@ | |||
# WG Developer Identity | |||
# WG Supply Chain Integrity (Formerly Developer Identity) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# WG Supply Chain Integrity (Formerly Developer Identity) | |
# WG Supply Chain Integrity |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was not a very long-lived name, not sure if it is necessary to refer to it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that we shouldn't reference the old name, and keep the focus on the current objectives
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is more than just a readme change, though, the current name is reflected in the name of this repo, the mailing list/groups/calendar, and the rest of the OpenSSF docs that talk about workstreams, etc.. I would not change it until the topic has been closed and all the other references can be touched in unison. Too much confusion about what is where already.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to @ghindman , I'm just trying to minimize confusion around this until everything lands.
I think we crossed in the interwebs. Makes sense, thanks. |
This is based on the discussions on scope in the previous two WG meetings and the scope document originally shared here: https://docs.google.com/document/d/1_9jZSQLzoeqD8cgYMiRWRSdI7O5P1wJwdRjlXBKErUU/edit#heading=h.23hd1ivmr3lp
Your would like it changed due to your concerns about cryptographic identity vs personal identity? (which I agree with)
Where was this meeting scheduled? I don't see it on the google calendar for the workgroup or in the Google discussion group. |
Sorry, copied it over there. That calendar should be "deprecated" and everything is on the OSSF-wide one here: https://calendar.google.com/calendar/r?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ |
Hrm, I still only see the regular WG meeting for tomorrow, nothing for today. |
That's correct, the regular WG meeting. Ah I see- it's 9/16 not 9/15. |
👍 |
README.md
Outdated
* Give open source maintainers a way to do work under their chosen name, representing their real employers in secure ways. | ||
* Give open source projects tools and infrastructure to verify the identities of their maintainers. | ||
* Give open source maintainers a way to do work under their chosen name, and to prevent others from impersonating them. | ||
* Give open source comunities the tools tools and infrastructure to verify the identities of their maintainers, based on whatever criteria they require. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fix typos and suggest slightly different phrasing:
"Provide open source communities with the tools and infrastructure to validate the integrity of their maintainers, based on their chosen criteria."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, I see where you're going but don't love this phrasing either. When you talk about the "integrity of maintainers" that starts to cross over into "personal integrity".
Maybe "verify properties of their maintainers" ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was thinking more along the lines of build integrity, but I see how this could be misinterpreted as well. How about just "verify maintainers"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"verify maintainers" and "verify properties of maintainers" are both clear, but have different meanings.
The "whatever" in the current phrasing, "verify the identities of their maintainers, based on whatever criteria they require" seems too open for me, as it could allow for someone to ask for private information.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm trending towards liking "privileged entities" when referring to a specific identity. The work of this group should apply to anything that can unilaterally do something that requires privilege. The context and the role of that something doesn't really matter. Could also be applied to bots or service accounts in a devops environment, for example. I think bounding this as specific individuals is the wrong path. My comment over in the threat doc characterized this as: "systems in place that provide evidence/trust that a privileged entity is who they say they are, and they are 'trustable'."
* Give consumers of open source libraries more data for determining the risks of depending on said library. | ||
* Give consumers and maintainers a public record of who implemented changes to an Open Source software project. | ||
* Give consumers and maintainers a trustworthy public record of who implemented changes to an Open Source software project. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a distinction that I brought up in the kernel topic last meeting that I think needs deeper discussion. In many open-source projects, the people who submit/merge the code to the tree are not the implementers of most of that code, which has been aggregated from a broader community through mailing-lists, etc..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1! I think the discrepancies in nomenclature (commiter, author, maintainer, etc.) are probably causing confusion here.
README.md
Outdated
* Enforce or mandate identity requirements for projects. | ||
We will simply make this service available and easy-to-use, leaving it up to projects and communities to adopt if they choose to do so. | ||
* Enforce or mandate identity policy and requirements for projects. | ||
We will simply make these services and tools available and easy-to-use, leaving it up to projects and communities to adopt if they choose to do so. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually I don't know that this line is required at all - this should be implicit in the Goals section.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, this might be a scoping question. We should do this, and I don't think it's covered anywhere else(?) in the WGs.
Co-authored-by: Gavin Hindman <gavin.hindman@intel.com>
This is based on the discussions on scope in the previous two WG meetings and the
scope document originally shared here: https://docs.google.com/document/d/1_9jZSQLzoeqD8cgYMiRWRSdI7O5P1wJwdRjlXBKErUU/edit#heading=h.23hd1ivmr3lp