OSV Schema TI Graduation Application#456
This adds a CONTRIBUTING.md and CODE_OF_CONDUCT.md to address deficiencies and assist with progressing the OSV Schema TI Graduation Application (ossf/tac#456). For want of something better, I used what is present at https://github.com/ossf/oss-vulnerability-guide
This adds a CONTRIBUTING.md and CODE_OF_CONDUCT.md to address deficiencies and assist with progressing the OSV Schema TI Graduation Application (ossf/tac#456). For want of something better, I used what is present at https://github.com/ossf/oss-vulnerability-guide

Signed-off-by: Andrew Pollock <andrew@pollock.id.au>
Signed-off-by: Andrew Pollock <andrewpollock@users.noreply.github.com>
andrewpollock left a comment:
I've suggested a few modifications based on conversations with related parties.
| * The project has a standing agenda item in the Vulnerability Disclosures Working Group meetings. [Meeting Notes](https://docs.google.com/document/d/1TdxiFofLOfpHUEQILlKq7qkjSsRXVab0uApSDJ8c5rI/edit?tab=t.0) |
| Implements, practices, and refines mature software development and release practices, such as adherence to semantic versioning, and having a declared policy for stable releases and backported fixes. |
| * "link to policy for (or describe here) software development and release practices" |
@oliverchang can you suggest an edit here to describe the release process of the schema?
Actually, it'd be better for that to be in something like a RELEASING.md in the osv-schema repo, I think.
I will take a look at making a RELEASING.md file; the current release process is pretty simple:
- Bump up the version (patch version bump for new ecosystems, minor version bump for non-breaking schema field changes)
- Add schema changes to the changelog
- Publish a GitHub release
- Update the GitHub Pages branch to the new release.
Signed-off-by: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com>
…e.md Co-authored-by: Andrew Pollock <andrewpollock@users.noreply.github.com> Signed-off-by: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com>
…e.md Co-authored-by: Andrew Pollock <andrewpollock@users.noreply.github.com> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
updating based on Oliver's feedback Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
marcelamelara left a comment:
It's really exciting to see OSV schema reach this stage! That said, I would like to see a clearer roadmap for a project at this maturity level, so I hope that we can start to clarify this as part of this process.
| * https://github.com/ossf/osv-schema/blob/main/CHARTER.md |
| Have a defined and documented roadmap and annual goals for the project |
| * https://github.com/ossf/osv-schema/projects?query=is%3Aopen |
The project board is currently empty. Do you have a sense for the open issues (or other tasks) you might prioritize next?
I don't seem to have the ability to add / link issues onto that project board, but here is the list of current priorities we are working on, ordered by current priority:
- Add a severity source field osv-schema#510 (adding a severity source field)
- Representing end-of-life (EOL) in OSV records osv-schema#519 (adding a way to represent (sub)ecosystem EOL)
- Tighten guidelines on acceptable IDs osv-schema#547 (tightening guidelines on acceptable ID characters)
- Suggestion: addition of a `symbols` field osv-schema#501 (some more unified forms of affected symbols)
In addition to these, we are continuously onboarding new ecosystems.
| * https://github.com/ossf/osv-schema/projects?query=is%3Aopen |
| Project has met at least 4 times over a period of at least 2 months since becoming incubating |
| * The project has a standing agenda item in the Vulnerability Disclosures Working Group meetings. [Meeting Notes](https://docs.google.com/document/d/1TdxiFofLOfpHUEQILlKq7qkjSsRXVab0uApSDJ8c5rI/edit?tab=t.0) |
Besides the requirements for graduation, there doesn't seem to be a lot of discussion about OSV in recent meetings. Per my comment about prioritization above, once this application is completed, do you have a sense for what's next?
Since this comment, there's been a decent amount of OSV discussion. The primary maintainers are located in Sydney, Australia, so they can't actually attend the US-focused meetings.
| Repo | https://github.com/ossf/osv-schema |
| Website | https://ossf.github.io/osv-schema/ |
| Contributing guide | |
Can you please add the link to the CONTRIBUTING.md file?
| ## Project graduation application |
| ### Project has met all Incubating requirements |
| * n/a |
Why is this said to be not applicable? It is not optional. A project doesn't have to go through every step of the lifecycle and may apply for a status at any level but it still needs to fulfill all the requirements for the previous ones.
This PR should also include the related necessary change to be made to the table in the README.md file.
| ### Security Baseline |
| The project meets all applicable Security Baseline requirements: |
It looks like there are some open issues with respect to meeting the security baseline: https://github.com/ossf/osv-schema/issues?q=state%3Aopen%20label%3A%22security%20baseline%22
| ### List of project maintainers |
| The project must have maintainers with a minimum of five different contributors from three different organizational affiliations. |
| * Oliver Chang, Google, @oliverchang |
Please replace Oliver Chang with Rex Pan (me), Google, @another-rex and Jess Lowe, Google, @jess-lowe.
This is an initial draft of the application with some of the basic information included. Submitting as a draft PR to allow for contributions from others collaborating on this app.