[EXTERNAL] Re: [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project

Ryan Haning (Microsoft)

We decided at the end of the last TAC meeting that I would create a doc detailing the current scope/work of the two working groups and make a recommendation based on their current charters. This document will serve as the virtual discussion and we will then hold a vote.


The document can be found here: https://drive.google.com/file/d/1p36s2eXk9j2hnVyHeAgkY680OdjpegHR/view?usp=sharing

Please review and provide comments by next Monday, November 2, 2020.



-Ryan Haning



From: openssf-tac@... <openssf-tac@...>
Date: Monday, October 26, 2020 at 3:16 PM
To: Luke Hinds <lhinds@...>
Cc: Kay Williams <kayw@...>, David A. Wheeler <dwheeler@...>, openssf-wg-best-practices@... <openssf-wg-best-practices@...>, openssf-tac@... <openssf-tac@...>, openssf-wg-security-threats@... <openssf-wg-security-threats@...>, Michael Dolan <mdolan@...>, Chris Aniszczyk <caniszczyk@...>, Lindsay Gendreau <lmays@...>, Todd Benzies <tbenzies@...>
Subject: [EXTERNAL] Re: [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project

I think I must have misunderstood; I thought we were waiting for a writeup of the WG scopes rather than of the three projects. I'd rather try to get this decision made than wait on a potentially longer-term reconciliation, especially with the Scorecards project. That one is brand new and I didn't intend for it to interfere with or delay any of the ongoing discussions.


The CII Best Practices project has been around for a long time and is fairly well understood by everyone at this point, thanks to David's patient presentations :). I don't think we're realistically going to learn any more about it. I'll suggest we move this to a vote either in the meeting next week, or via email if we decide to cancel. Does that make sense? If anything, I'd prefer we discuss changes to the scopes of the working groups rather than the projects.


My opinion is that the CII Best Practices Badge program aligns most closely with the Best Practices WG.


Dan Lorenc


On Mon, Oct 26, 2020 at 2:59 PM Luke Hinds <lhinds@...> wrote:



On Mon, Oct 26, 2020 at 7:46 PM Kay Williams via lists.openssf.org <kayw=microsoft.com@...> wrote:

Hi all,


My recommendation is to complete an analysis of the three related initiatives (Best Practices Badge, Security Metrics and Security Scorecards) before deciding on homes for any one of them.  This analysis includes understanding the goals, user scenarios, requirements, and technology roadmap across all three.  Once we have this understanding, we can then have a more reasoned discussion about what parts live in which working groups. 


Here is a link to the document where we are capturing this analysis.




Would it help to include members from the best practices group in these discussions to keep everyone on the same page?


Most certainly.





From: openssf-tac@... <openssf-tac@...> On Behalf Of Dan Lorenc via lists.openssf.org
Sent: Monday, October 26, 2020 12:02 PM
To: David A. Wheeler <dwheeler@...>
Cc: openssf-wg-best-practices@...; openssf-tac@...; openssf-wg-security-threats@...; Michael Dolan <mdolan@...>; Chris Aniszczyk <caniszczyk@...>; Lindsay Gendreau <lmays@...>; Todd Benzies <tbenzies@...>
Subject: Re: [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project


To circle back here again - in the TAC meeting last week I believe we discussed Kay writing up some of her thoughts on working group scopes before a vote.


Kay, will you be able to share that soon? I'm still concerned the TAC hasn't given these working groups a clear answer or set of next steps yet.


Dan Lorenc


On Mon, Oct 12, 2020 at 11:50 AM David A. Wheeler <dwheeler@...> wrote:

On Oct 12, 2020, at 10:57 AM, Dan Lorenc <dlorenc@...> wrote:
> I'm not sure we really reached a concrete plan here in the last TAC meeting. Does anyone have any feedback on my suggestions above? I want to make sure we unblock the decisions and give the WGs and the Badging program a clear path forward.

I was at the last TAC meeting. Here’s *my* understanding of the plan:
1. Each WG will propose its scope; the TAC will review/tweak and eventually approve them. I imagine that will be a key topic on Oct 20.
2. The TAC will revisit the CII Best Practices badge location in its Nov 3 meeting (it will revisit 2-4 weeks after the last one, but since WG scopes will happen first, I don’t expect it to come up until Nov 3):
 - The hope was that having approved WG scopes (for at least Best Practices and Security Threats/metrics WGs) would make it easier for the TAC to make its decision. The decision might even be obvious from the approved scopes.
 - If at least one of those two WGs' scopes hasn't been approved by then, I expect the TAC would delay until those two WG scopes are approved, & then revisit.

Of course, my understanding could be wrong.

--- David A. Wheeler