ossf / wg-supply-chain-integrity

Our objective is to enable open source maintainers, contributors and end-users to understand and make decisions on the provenance of the code they maintain, produce and use.
https://openssf.org
Apache License 2.0

Idea: whitepaper on identity management in open source projects #18

Closed dlorenc closed 1 year ago

dlorenc commented 4 years ago

A few working groups in other foundations I've seen have published interesting white papers on topics they're interested in.

In tying with our approach of learning from the existing practices of large, existing projects, we could put our own together to cover these as case studies.

Would anyone be interested in working on/reviewing this?

I'm interested in covering the following topics, but open to more:

lukehinds commented 4 years ago

I can add some input about how we do this on the k8s psc, in fact it would be a useful process to go through when we think about projects and OWNERS and are they really who we think they are. I would like to share findings back with the PSC.

In fact it might be useful to do this with several large OSS projects, just to pitch some ideas: Kubernetes, Linux Kernel and perhaps a dist such as Arch / Debian / Fedora.

joshuagl commented 4 years ago

I like this idea and would be interested in working on/reviewing.

I agree it would be useful to do this with large OSS projects. k8s and the kernel are great examples, as are distros. The three distros mentioned have very different community styles and I think we'll see some interesting differences in their approaches (any areas of similarity will be interesting to learn about).

As a model for smaller projects it could be worth looking at some of the umbrella organisations which have less uniformity in their development and maintenance practices, but still share a common purpose and infrastructure. Projects which immediately come to mind for me are Freedesktop, Gnome and KDE.

@lukehinds I'm curious if the k8s psc is typical or atypical of processes for k8s projects? Are any findings brought back to the PSC likely to have an effect on the wider k8s organisation?

lukehinds commented 4 years ago

@joshuagl

I'm curious if the k8s psc is typical or atypical of processes for k8s projects? Are any findings brought back to the PSC likely to have an effect on the wider k8s organisation?

They can do. In respect of OWNERS contact files in the projects, when a vulnerability is found we (PSC) bring them into the embargoed process to look at authoring a fix. Most of the time we know these folks personally and they have company based email addresses, but I wonder if there could be possible risk in this process that might be improved.

dlorenc commented 4 years ago

Awesome! I'll get a skeleton doc setup and shared with everyone where we can start filling in ideas for projects and content for each one.

dlorenc commented 4 years ago

Skeleton started here: https://docs.google.com/document/d/1l9CsTzQoh9ATcyrWms62zr15_XkYeAGlq3i_bIHp2I0/edit?usp=sharing

Feel free to hop in!

melba-lopez commented 1 year ago

Don't believe this to be a part of our current vision/mission. Would like to close this stale card.

@hepwori @camaleon2016 please give me a thumbs up to confirm.

melba-lopez commented 1 year ago

Closing this issue. If necessary, will reopen in the future.