Newsgroups: php.internals
Date: Thu, 27 Oct 2022 13:27:23 +0000
To: "internals@lists.php.net", Pedro Nacht
Thread-Topic: [PHP-DEV] Adding the OpenSSF Scorecards GitHub Action
Subject: Re: [PHP-DEV] Adding the OpenSSF Scorecards GitHub Action
From: tysonandre775@hotmail.com (tyson andre)

Hi Pedro Nacht,

> Hello, I'm working on behalf of Google and the Open Source Security Foundation to help essential open-source projects improve their supply-chain security.

Could you expand on that? It isn't obvious from your comment, and I'm curious about this initiative at Google.

1. How many hours a week do you spend working for Google/Alphabet, roughly? (e.g., averaged over the last month)
2. How many hours a week do you spend working for the Open Source Security Foundation, roughly? Is that work part of your job role at Google?
3. What is your job title, team, and department in those organizations?
4. What is the team size?

I also had a few other questions:

5. How many of the top N security-critical open-source projects does the OSSF plan to propose this badge to this year?
6. What studies have been published or are being conducted by Google/OSSF on the impact of the badge on open-source organizations (or being conducted externally, e.g., by universities) (e.g. comparing organizations where it is proposed to vs not proposed to)? If so, where can I find them?

   E.g., I saw https://news.ycombinator.com/item?id=33309969 recently and wanted to learn more about what is known about the impact on metrics of projects short-term and long-term. (e.g. on developers that strongly focus on scorecards, or perfectionists, or averaged)

   I'm interested in learning more about what is being done to ensure the overall security, stability, and ongoing improvements of open source software in general as an end user, contributor, maintainer, and user of the companies that use open source software.

   This would be useful to know when an organization considers adopting a badge or change to process.
7. Is creating PRs to add this badge part of your job role (if so, the job role of which organization)? Is this done in your free time?

   Sorry, it isn't clear - from https://opensource.google/documentation/reference/patching, I see that the use of @google.com emails is required for all open-source contributions, so I was initially confused.
8. Are there recent posts by Google clarifying their involvement in the Open Source Security Foundation (funding provided, team size, shared employees/contractors, etc.)?
   I wanted to know more.

   https://security.googleblog.com/2022/10/announcing-guac-great-pairing-with-slsa.html mentions that the foundation exists,
   but doesn't mention any details about how Google is involved in it.

   > An open source organization like the Open Source Security Foundation wants to identify critical libraries to maintain and secure....
9. What is the roadmap/timeline for this tool? https://github.com/ossf/scorecard/issues has a lot of open issues.
   E.g., avoiding false positives in some contexts seems to be a TODO,
   the preview is a one-line JSON dump (https://stedolan.github.io/jq/ is a fantastic tool), and there are a lot of open tickets for the website.

   What other practices are planned for inclusion in this badge?

Best regards,
Tyson