Apply to donate vuln-reach to the OpenSSF
We are applying to donate vuln-reach to the OpenSSF. We believe this meets the criteria for a sandbox submission. This project aims to commoditize determining whether or not a vulnerability is reachable in a given codebase.
Has the group been speaking with our Security Tooling WG, and that group endorses this motion? We'll want to see evidence of public meetings and minutes as the project would move over to the foundation.
Yes, we've been having discussions with the Security Tooling WG. This project was presented to the group on 2024-08-09 and is in the meeting notes under the bullet Phylum for static reachability project.
Craig is listed as a maintainer but according to GitHub he has never contributed to the project. Can you go into more detail what he's a maintainer of?
Beyond that I do think this project is good for openssf.
Thanks for making this pull request! In this pull request can you also add vuln-reach to the Projects table on https://github.com/ossf/tac/blob/main/README.md#projects?
Yes, of course.
Is development of this project primarily happening on https://github.com/phylum-dev/vuln-reach in the main branch, or elsewhere? There doesn't seem to be a lot of recent activity.
We began this work some time ago as part of our proprietary product. We got it to a steady state for JavaScript/TypeScript, before shifting our core product focus a bit. We recently decided to open source this.
I wasn't personally involved with the initial presentation to the WG, so I'm just going with what was passed along to me. As I understand it, Craig was interested in supporting the project. I will follow up with our team to get a better understanding on this specifically.
I think there are two things being conflated here. Let's break them up.
- @craigmcl volunteered to be the ST:WG sponsor. There were some further discussions that were supposed to take place between Craig and Aaron Bray, but I don't know if they took place. If Craig is unable to be that sponsor, I will go ahead and be the sponsor, so I don't think this is a hangup.
- I don't know that Craig has signed up to be a maintainer but invite him to clarify. I'm not sure it meets the spirit of the Sandbox Entry Requirements to list someone as a maintainer that has not made any contributions though I invite TAC comment.
Thanks Ryan. Re: #2 correct. We want to ensure that as projects develop and grow they have a thriving community around to support them (hence the desire to house them within a like-minded/focused working group). Having multiple maintainers is critical to the long-term viability of a project as it allows for things like code reviewing, dual-control, etc., and helps share the ongoing burden of maintenance and community engagement. We also prefer those maintainers to be from different organizations to help weather any challenges that could arise from organizational changes that impact the maintainer (that in fact is a requirement at higher levels within the TI lifecycle).
+1 To needing to address the diverse maintainership requirement.
@louislang Some ideas to potentially engage some more folks from the community: 1) put out a call for contributors in the OpenSSF Slack channels (#general,#wg-security-tooling and #wg-dei might be good options), 2) give an updated presentation at the ST:WG or other WGs for the added visibility.
@ware @louislang Is this application still in progress? If yes, it'd be great to get an update. Otherwise, I suggest we close this PR and revisit this when we're ready to reopen the application.
CC @ossf/tac
I was revisiting this application, and seeing that there hasn't been a lot of active development since late 2023 in the vuln-reach repo, I do worry that this project doesn't currently have the level of activity/interest needed for a sandbox project.
@GeauxJD any updates on this? If not, we can close this.
@marcelamelara, is there a process for closing donation requests such as this when they haven't been pursued to completion? It looks like we are rapidly coming to the point where this has been open for a year, and there have been many months without response from the project being donated.
is there a process for closing donation requests such as this when they haven't been pursued to completion?
In the past, I believe we've simply closed the issue/PR, but I don't think there's anything more formal beyond that.
@ossf/tac any thoughts?
I'd just close it; easy enough to re-open it if something changes.