Hi folks,
I have been thinking about this and wondering how to find a positive way forward. This is an important decision. It is also one of our first opportunities as a community to work through a complex issue while flexing our muscle to work within and uphold our community values, including the following:
- Openness and Transparency: We commit to encouraging all interested stakeholders to participate in the foundation and its working groups. The foundation’s work will be made publicly available.
- Diversity, Inclusion, and Representation: We work to actively invite and include people from a range of backgrounds, locations, identities, and perspectives, and promote a culture of mutual respect and inclusiveness as a requirement for participation
- Empathy: We recognize and understand each other’s challenges, perspective and circumstances. We commit to a culture of listening and caring for multiple opinions.
See the FAQ on our website for the full list of values.
I wonder if we want to pause, take a step back, and lay the groundwork for this and future decisions.
This topic has been discussed several times in TAC sessions and on email threads without clear consensus. Let’s start by first reaching collective agreement on process?
- How will we make a decision in a way that encourages listening and caring for multiple opinions?
- What factors should be used in making a decision?
- What hard and soft requirements are there for timeframe?
- What are the stages of the decision process (draft, proposal, final) and who needs to be involved at each stage?
We might feel pressure to reach a decision soon and communicate at the Town Hall meeting. I would caution against this. We have other avenues for communication. Let’s focus instead on taking the time - in these early stages of our endeavor - to build a culture that reflects our values and will carry us forward as a community.
One thought I had for a next step is to ask the leads of the following WGs and projects to prepare a draft proposal (or multiple alternative proposals) for a process to make a decision.
- Best Practices WG (CRob, Xavier)
- Identifying Security Threats WG (Michael)
- CII Best Practices Badge (David)
- Security Scorecards (Dan)
Thoughts from others? Have folks seen examples from other communities where similar issues have been resolved in a manner that upholds cultural values? What models can we follow?
Thanks,
Kay
From: Christopher B Ferris <chrisfer@...>
Sent: Wednesday, November 4, 2020 5:20 AM
To: lhinds@...
Cc: caniszczyk@...; crrobins@...; dlorenc@...; dwheeler@...; Kay Williams <kayw@...>; lmays@...; mdolan@...; openssf-tac@...; openssf-wg-best-practices@...; openssf-wg-security-threats@...; Ryan Haning <ryhaning@...>; tbenzies@...
Subject: Re: [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
+2 Aside from the board meetings, and certain committees of the board, I see no reason why all meetings are not on the public calendar. It is fine to have individuals specifically invited, and it would also be fine to limit discussion (e.g. to TAC members) but transparency is going to be key to the success of this initiative.
Cheers,
Christopher Ferris
IBM Fellow, CTO Open Technology
email: chrisfer@...
twitter: @christo4ferris
----- Original message -----
From: "Luke A Hinds" <lhinds@...>
Sent by: openssf-tac@...
To: Dan Lorenc <dlorenc@...>
Cc: CRob Robinson <crrobins@...>, Ryan Haning <ryhaning@...>, "David A. Wheeler" <dwheeler@...>, Kay Williams <kayw@...>, "openssf-wg-best-practices@..." <openssf-wg-best-practices@...>, "openssf-tac@..." <openssf-tac@...>, "openssf-wg-security-threats@..." <openssf-wg-security-threats@...>, Michael Dolan <mdolan@...>, Chris Aniszczyk <caniszczyk@...>, Lindsay Gendreau <lmays@...>, Todd Benzies <tbenzies@...>
Subject: Re: [EXTERNAL] [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
Date: Wed, Nov 4, 2020 2:22 AM
On Wed, Nov 4, 2020 at 1:20 AM Dan Lorenc <dlorenc@...> wrote:
Actually the charter seems pretty clear here:
TAC, Working Group and Project meetings shall be open, public meetings. For special circumstances, the TAC may hold meetings limited to the TAC voting representatives, invited guests, and LF staff
We need to at least invite the TAC members to meetings like this, but I still see no reason why this can't just be a public meeting. I'm not trying to be difficult here, but it's critical we be transparent and open here as a group.
What's the reasoning for not being public, perhaps we can resolve those concerns instead?
The problem with setting a single meeting as closed, is that the precedence is then set for others to also do the same by referencing this meeting.
Is there any context on where this meeting came from? This issue was raised to the TAC so I'd expect that the TAC at least be kept up to date with the change in plans here.
I'd still prefer all meetings take place publicly here. This is an open foundation, and all working groups operate openly. What's the reason to keep it private?
On Tue, Nov 3, 2020, 6:37 PM Ryan Haning <ryhaning@...> wrote:
Hi Dan,
The leads of the Best Practices and the Identifying Security Threats working groups are meeting tomorrow to discuss this (CRob has the invite). As the leaders of those WGs, let’s allow them to have the discussion with David, and then they can present their (ideally) decision to the TAC or if they are unable to reach agreement on their own, they can present their cases to the TAC and the TAC may then vote on a decision.
I agree in keeping these conversations transparent, so we can ask that they record the meeting and publish it afterwards.
-Ryan
From: openssf-tac@... <openssf-tac@...>
Date: Tuesday, November 3, 2020 at 9:18 AM
To: David A. Wheeler <dwheeler@...>
Cc: Luke Hinds <lhinds@...>, Ryan Haning <ryhaning@...>, Kay Williams <kayw@...>, openssf-wg-best-practices@... <openssf-wg-best-practices@...>, openssf-tac@... <openssf-tac@...>, openssf-wg-security-threats@... <openssf-wg-security-threats@...>, Michael Dolan <mdolan@...>, Chris Aniszczyk <caniszczyk@...>, Lindsay Gendreau <lmays@...>, Todd Benzies <tbenzies@...>
Subject: Re: [EXTERNAL] [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
Could someone please update this thread with the current status of this discussion?
There are some comments in the TAC slack channel about an upcoming meeting between working group leads to discuss, but CRob and I haven't been able to track down the invitation.
Let's try to keep all conversations transparent and open.
On Fri, Oct 30, 2020, 11:50 AM David A. Wheeler <dwheeler@...> wrote:
On Oct 30, 2020, at 12:26 PM, Dan Lorenc <dlorenc@...> wrote:
We've officially cancelled next week's meeting, so I'll continue trying to push this forward via email.
It looks like we're up to 3 options now:
- Ryan's proposal
- Best Practices WG
- Identifying Threats WG
Should we move to a vote between these options? Something else? The WGs have been waiting on a decision here for over a month now, we owe them some kind of answer.
The TAC can choose to do whatever it wants to do!
I thought the WGs would first propose their charters to the TAC, the TAC would vote to approve (or not) each charter, and after the charters were approved *then* the TAC would vote on the location of the badge (see TAC 2020-10-20 meeting notes). But the TAC has every right to vote *now* if it chooses to.
Thanks Dan. Let’s take the time to discuss these to create shared understanding. I believe there will be some agreement, and also some concern.
As for a meeting today, I am unaware of the details. It may be best to cancel and wait for agreement to be reached on a path forward?
From: openssf-tac@... <openssf-tac@...> On Behalf Of Dan Lorenc via lists.openssf.org
Sent: Wednesday, November 4, 2020 10:00 AM
To: Kay Williams <kayw@...>
Cc: Christopher B Ferris <chrisfer@...>; Luke Hinds <lhinds@...>; caniszczyk@...; crrobins@...; dwheeler@...; lmays@...; mdolan@...; openssf-tac@...; openssf-wg-best-practices@...; openssf-wg-security-threats@...; Ryan Haning <ryhaning@...>; tbenzies@...
Subject: Re: [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
Here's my understanding of where we are:
- David (representing the Badge program) is really the final decider. He could just pick a working group and move the badge program there. Assuming that working group is happy to host the program, the TAC wouldn't need to get involved.
- David had interest from both working groups, so he chose to let the TAC make the final call.
- We agreed on a process to make this decision. Both working groups presented their rationales for hosting the program, and the TAC seemed ready to hold a vote.
I'm not sure why or how we ended up moving backwards. I still think the TAC members have everything we need to make a decision, if David still wants us to. If any TAC members feel differently we should discuss that. I've been trying to push this forward for several weeks now and so far no one on the TAC has raised any issues.
To be clear, I don't think we need to rush to a decision because of the town hall. I do think we should decide soon because this has been pending for close to two months and I can't see what more time or discussions will change.
I'm still concerned about the private meeting scheduled for today and would like to understand why it is private. Any discussions should happen on a public email list or in public meetings per our charter, and I haven't been able to find any of the discussions that led to this meeting.
On Wed, Nov 4, 2020, 11:23 AM Kay Williams <kayw@...> wrote:
Hi folks,
I have been thinking about this and wondering how to find a positive way forward. This is an important decision. It is also one of our first opportunities as a community to work through a complex issue while flexing our muscle to work within and uphold our community values, including the following:
- Openness and Transparency: We commit to encouraging all interested stakeholders to participate in the foundation and its working groups. The foundation’s work will be made publicly available.
- Diversity, Inclusion, and Representation: We work to actively invite and include people from a range of backgrounds, locations, identities, and perspectives, and promote a culture of mutual respect and inclusiveness as a requirement for participation
- Empathy: We recognize and understand each other’s challenges, perspective and circumstances. We commit to a culture of listening and caring for multiple opinions.
See the FAQ on our website for the full list of values.
I wonder if we want to pause, take a step back, and lay the groundwork for this and future decisions.
This topic has been discussed several times in TAC sessions and on email threads without clear consensus. Let’s start by first reaching collective agreement on process?
- How will we make a decision in a way that encourages listening and caring for multiple opinions?
- What factors should be used in making a decision?
- What hard and soft requirements are there for timeframe?
- What are the stages of the decision process (draft, proposal, final) and who needs to be involved at each stage?
We might feel pressure to reach a decision soon and communicate at the Town Hall meeting. I would caution against this. We have other avenues for communication. Let’s focus instead on taking the time - in these early stages of our endeavor - to build a culture that reflects our values and will carry us forward as a community.
One thought I had for a next step is to ask the leads of the following WGs and projects to prepare a draft proposal (or multiple alternative proposals) for a process to make a decision.
- Best Practices WG (CRob, Xavier)
- Identifying Security Threats WG (Michael)
- CII Best Practices Badge (David)
- Security Scorecards (Dan)
Thoughts from others? Have folks seen examples from other communities where similar issues have been resolved in a manner that upholds cultural values? What models can we follow?
Thanks,
Kay
Merging threads…
Luke, I understand the frustration. Dan Middleton, thanks for sharing your thoughts.
What do folks think of Dan Middleton’s suggestion (not ‘assigning’ projects to a specific working group)? I am familiar with other foundations that work this way. This would allow multiple working groups to be affiliated with a technical project (e.g. CII badge, Security Scorecards).
Kay
From: Luke Hinds <lhinds@...>
Sent: Wednesday, November 4, 2020 1:06 PM
To: Kay Williams <kayw@...>
Cc: dlorenc@...; Christopher B Ferris <chrisfer@...>; caniszczyk@...; crrobins@...; dwheeler@...; lmays@...; mdolan@...; openssf-tac@...; openssf-wg-best-practices@...; openssf-wg-security-threats@...; Ryan Haning <ryhaning@...>; tbenzies@...
Subject: Re: [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
Honestly folks, we are iterating over this far too much now and we can't keep continuing to create new docs / meetings hoping it brings more clarity.
Ryan, please add to the agenda a vote on the next TAC meeting for one of the following options:
- Best Practices WG
- Identifying Threats WG
We can then get on with being of service to the community and focusing less efforts on bureaucracy.
If TAC members feel strongly that we still need more time, and over half of the TAC replies stating so, then we can hold out for longer. If not, let's vote and move forward.
From: openssf-tac@... <openssf-tac@...> On Behalf Of Middleton, Dan via lists.openssf.org
Sent: Wednesday, November 4, 2020 12:56 PM
To: Kay Williams <kayw@...>; dlorenc@...
Cc: Christopher B Ferris <chrisfer@...>; Luke Hinds <lhinds@...>; caniszczyk@...; Robinson, CRob <crrobins@...>; dwheeler@...; lmays@...; mdolan@...; openssf-tac@...; openssf-wg-best-practices@...; openssf-wg-security-threats@...; Ryan Haning <ryhaning@...>; tbenzies@...
Subject: Re: [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
I don't think that the CII Badge Project should be a part of any working group.
In fact if you look at the Open SSF charter, there's not only no requirement for such structure but it seems like the opposite intention. Projects are their own things.
I can't personally think of an advantage to creating a reporting structure among projects to working groups. After all as a permissively licensed project everyone has equal access to consuming and contributing to the code. In fact, I think projects reporting to working groups may be detrimental. It seems to me to belie a misunderstanding that there's some way to direct an open source project other than with your own contributions.
As organizations like ours get started it's easy to get distanced from the do-acracy reality of open source. Maybe making rules and structures feels kind of like coding to us. :)
But really making commits (or other tangible work products) is the fundamental goal for our work. So if people are excited about the CII Badging project (and I think we should be), then consider putting that energy into commits to improve the project.
And if you are excited about your working group (and you should be) then consider approaching it from the perspective of what you will contribute rather than what you will lead.
Dan Middleton
Principal Engineer
Intel
On Wed, Nov 4, 2020 at 7:24 PM Kay Williams <kayw@...> wrote:
Thanks Dan. Let’s take the time to discuss these to create shared understanding. I believe there will be some agreement, and also some concern.
As for a meeting today, I am unaware of the details. It may be best to cancel and wait for agreement to be reached on a path forward?