tacosframework/documentation
TACOS documentation

Some lightweight documentation to start with.

Definitions

  • Roles:
    • Attestor: An attestor is the holder of the source document and of the signature over that document.
  • Attestation
    • A TACOS attestation is the document container with metadata about the creation of the attestation and the statements about the upstream open source libraries in use by an application or organization. It is an assertion about the status of a set of secure software development practices at a point in time; it does not change as the upstream projects change.
  • Statements
    • A TACOS statement is scoped to a single upstream open source package and is the result of an assessment against a set of specific standards for secure software development.
  • NOASSERTION
    • TACOS uses the term NOASSERTION to indicate that the attestation preparer is not making any assertion regarding the value of this field. A consumer should treat it as unknown, neither as a pass nor as a fail.
  • Variable (income streams)
    • Variable income streams are verified community-backed income, including GitHub Sponsors, Patreon, and related models.
  • Foundation (income streams)
    • Foundation income streams are verified foundation-backed income, such as a project receiving recurring income from a sponsor such as NumFOCUS.
  • Corporate (income streams)
    • Corporate income streams are verified corporate backing that provides reliable income to a project, such as Red Hat-backed Hibernate.
  • Lifted
    • Lifted packages are packages whose maintainers have a business contract with, and receive recurring income from, Tidelift in exchange for attesting that they meet a set of secure development practices.
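The following is an added example, not code or a schema from the TACOS project: a minimal Python consumer for an attestation of the shape the definitions above describe. The JSON field names (attestor, created, statements, package, practices, two_factor_auth, income_streams) and the sample document are assumptions made for illustration, since the page defines the concepts but not a format. It shows the point a consumer most often gets wrong: NOASSERTION is neither a pass nor a fail and has to surface as unknown, and a statement must cover exactly one package.

```python
"""Consumer for a TACOS-style attestation document.

Added example: the documentation defines the concepts (attestor, attestation,
statement, NOASSERTION, income-stream kinds) but no schema, so every field
name below is an assumption made for illustration, not the TACOS format.
"""
import json
from dataclasses import dataclass

NOASSERTION = "NOASSERTION"

# The three income-stream kinds the documentation names.
INCOME_STREAM_KINDS = {"variable", "foundation", "corporate"}

# Constructed sample document (not a real attestation); field names assumed.
SAMPLE_ATTESTATION = json.dumps({
    "attestor": "example-attestor",
    "created": "2024-01-01T00:00:00Z",
    "statements": [
        {"package": "pkg:pypi/requests",
         "practices": {"two_factor_auth": True, "income_streams": ["corporate"]}},
        {"package": "pkg:npm/left-pad",
         "practices": {"two_factor_auth": NOASSERTION, "income_streams": NOASSERTION}},
        {"package": "pkg:cargo/abandoned",
         "practices": {"two_factor_auth": False, "income_streams": []}},
    ],
})


@dataclass
class Statement:
    package: str      # exactly one upstream package per statement
    practices: dict   # practice name -> assessed value, or NOASSERTION


@dataclass
class Attestation:
    attestor: str
    created: str
    statements: list


def parse_attestation(text):
    """Parse the JSON container and enforce one statement per package."""
    doc = json.loads(text)
    seen = set()
    statements = []
    for raw in doc["statements"]:
        pkg = raw["package"]
        if pkg in seen:
            # Two statements for one package would leave the consumer
            # guessing which assessment applies; reject the document.
            raise ValueError(f"duplicate statement for {pkg}")
        seen.add(pkg)
        statements.append(Statement(pkg, dict(raw["practices"])))
    return Attestation(doc["attestor"], doc["created"], statements)


def check_practice(name, value):
    """Three-valued result: 'pass', 'fail' or 'unknown'.

    NOASSERTION means the preparer said nothing about this field, so it is
    neither a pass nor a fail; collapsing it into either misreports the
    attestation.
    """
    if value == NOASSERTION:
        return "unknown"
    if name == "two_factor_auth":
        return "pass" if value is True else "fail"
    if name == "income_streams":
        unrecognised = set(value) - INCOME_STREAM_KINDS
        if unrecognised:
            raise ValueError(f"unrecognised income stream(s): {sorted(unrecognised)}")
        return "pass" if value else "fail"
    raise ValueError(f"unrecognised practice: {name}")


def assess(attestation):
    """Map each package to its per-practice results."""
    return {
        s.package: {name: check_practice(name, value) for name, value in s.practices.items()}
        for s in attestation.statements
    }


def needs_review(attestation):
    """Packages with any practice that is not a clear pass, NOASSERTION included."""
    results = assess(attestation)
    return sorted(pkg for pkg, r in results.items() if any(v != "pass" for v in r.values()))


if __name__ == "__main__":
    att = parse_attestation(SAMPLE_ATTESTATION)
    for pkg, result in assess(att).items():
        print(pkg, result)
    print("needs review:", needs_review(att))
```

Running it lists `pkg:npm/left-pad` alongside the package that actually failed: a package whose fields are all NOASSERTION carries no evidence either way, so a policy gate built on the attestation should route it to review rather than let it through.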
