Newsgroups: php.internals
Subject: Re: [PHP-DEV] Adding the OpenSSF Scorecards GitHub Action
From: internals@lists.php.net ("Pedro Nacht via internals")
Reply-To: Pedro Nacht
To: tyson andre
Cc: "internals@lists.php.net"
Date: Thu, 27 Oct 2022 18:16:10 -0300

Tyson,

> Could you expand on that? It isn't obvious from your comment, and I'm
> curious about this initiative at Google.
>
> 1. How many hours a week do you spend working for Google/Alphabet,
> roughly? (e.g., averaged over the last month)
> 2. How many hours a week do you spend working for the Open Source Security
> Foundation, roughly? Is that work part of your job role at Google?
> 3. What is your job title, team, and department in those organizations?
> 4. What is the team size?

[...]

> 6. Is creating PRs to add this badge part of your job role (If so, the job
> role of which organization)? Is this done in your free time?
>
> Sorry, it isn't clear - From
> https://opensource.google/documentation/reference/patching, I see that
> the use of @google.com emails is required for all open-source
> contributions, so I was initially confused.

I'm a full-time, run-of-the-mill Software Engineer at Google. Specifically,
I'm a member of the Google Open Source Security Team (GOSST). We don't have
a public-facing website I can point you towards, but you can read this
interview with our tech-lead for some background:
https://reproducible-builds.org/news/2022/04/26/supporter-spotlight-google-open-source-security-team

GOSST and the Linux Foundation's Open Source Security Foundation (OpenSSF)
were both created in 2020 after the SolarWinds attack. GOSST is a part of
the commitment Google has made to improve the supply-chain security of the
open-source community
( https://www.cnbc.com/2021/08/25/google-microsoft-plan-to-spend-billions-on-cybersecurity-after-meeting-with-biden.html ).
While most GOSST teams work to develop OpenSSF tooling open-source projects
can adopt to improve their supply-chain security (i.e. Scorecards, AllStar,
SLSA), my team is focused on actually trying to improve the supply-chain
security of external projects (which includes suggesting the Action to
projects where we deem it relevant).

So yes, offering to help open-source projects improve their supply-chain
security is my full-time job. We've been referred to as the "Open Source
Maintenance Crew"
( https://therecord.media/google-open-source-security-team-openssf/ ) and
are currently a team of four (started just a few months ago, still ramping
up).

> I also had a few other questions:
>
> 5. How many of the top N security-critical open-source projects does the
> OSSF plan to propose this badge to this year?
> 6. What studies have been published or are being conducted by Google/OSSF
> on the impact of the badge on open-source organizations (or being conducted
> externally, e.g., by universities) (e.g. comparing organizations where it
> is proposed to vs not proposed to)? If so, where can I find them?
>
> E.g., I saw https://news.ycombinator.com/item?id=33309969 recently and
> wanted to learn more about what is known about the impact on metrics of
> projects short-term and long-term. (e.g. on developers that strongly focus
> on scorecards, or perfectionists, or averaged)
>
> I'm interested in learning more about what is being done to ensure the
> overall security, stability, and ongoing improvements of open source
> software in general as an end user, contributor, maintainer, and user of
> the companies that use open source software.
>
> This would be useful to know when an organization considers adopting a
> badge or change to process.

I'd first like to emphasize that this isn't about a badge, but including
the Scorecards workflow. A project may choose to include a badge in their
README so that consumers of the project can have a better understanding of
its security posture, but the badge is strictly optional. In fact, the PR I
submitted doesn't include the badge.

As for the impact of the Scorecards system, the timing is quite fortuitous:
Sonatype (also a member of the OpenSSF) released their 8th Annual State of
the Software Supply Chain Report a few days ago
( https://www.sonatype.com/state-of-the-software-supply-chain/introduction ).
According to their analysis in the "Project Quality Metrics" section, the
Scorecards system is the best single predictor of a project's supply-chain
security.

Now, to be clear, that analysis was regarding the Scorecards results, not
whether a project did or did not have the Action installed (the scores can
be calculated by anyone via a CLI tool). So not precisely what you asked,
but I hope this demonstrates the signals the workflow tries to collect are
significant. The report also analyses other tools such as Libraries.io's
SourceRank and a bunch of metrics (public and proprietary).

> 7. Are there recent posts by Google clarifying their involvement in the
> Open Source Security Foundation (funding provided, team size, shared
> employees/contractors, etc)?
> I wanted to know more.
>
> https://security.googleblog.com/2022/10/announcing-guac-great-pairing-with-slsa.html
> mentions that the foundation exists,
> but doesn't mention any details about how Google is involved in it.
>
> An open source organization like the Open Source Security Foundation
> wants to identify critical libraries to maintain and secure....

Google is a founding member of the OpenSSF. See here for the full list of
member organizations: https://openssf.org/about/members/, and here for the
founding press release:
https://openssf.org/press-release/2020/08/03/technology-and-enterprise-leaders-combine-efforts-to-improve-open-source-security/.
I honestly have no idea or information regarding funding. I honestly don't
know anything about the OpenSSF's team size or whether there are any shared
employees/contractors (I'm not one... just a Google employee doing work
that's aligned with OpenSSF objectives).

> 8. What is the roadmap/timeline for this tool?
> https://github.com/ossf/scorecard/issues has a lot of open issues.
> E.g., avoiding false positives in some contexts seems to be a TODO,
> the preview is a one-line JSON dump (https://stedolan.github.io/jq/ is
> a fantastic tool), and there are a lot of open tickets for the website.

The tool is indeed still in active development, but I'm not aware of a
specific roadmap. There are many open issues and there is certainly room
for improvement. The current state of the report is one we're keenly aware
of (I actually have to look through those on a daily basis, trust me!) and
has been raised in https://github.com/ossf/scorecard-webapp/issues/206.

> What other practices are planned for inclusion in this badge?

Do you mean what new checks will be included? Again, I'm not aware of a
specific roadmap, but there are plenty of ideas being discussed or actively
developed in their issues:
https://github.com/ossf/scorecard/issues?q=is%3Aopen+is%3Aissue+label%3Aenhancement

Thank you and let me know if you have any further questions,
Pedro