Add the OpenSSF labs process
This PR introduces the process for creating and managing pre-sandbox projects under a future OpenSSF-managed GitHub organization (name TBD). Ideally, all docs and templates related to this process would eventually be moved to a dedicated repo in that same GH org to separate it from the main TAC repo.
Resolves #264.
My only worry is the debt in created and then archived or abandoned labs. We may consider a policy or procedure for how long we maintain an archived lab before it's deleted.
@camaleon2016 Is your concern more about whether we'll run out of space for new labs, or more about the optics of having a lot of archived labs?
I think more about optics and who will bear the responsibility of maintaining account and record of issued labs and their disposition.
Jay White (He/Him)
Security Principal Program Manager
Azure Office of the CTO
OSS Ecosystem
@camaleon2016 Gotcha. The current proposal has the TAC as the body responsible for reviewing new lab applications (much like we do with other TI lifecycle applications). Ideally, lab maintainers will either apply for sandbox status when they're ready, or submit an archival request to the TAC when deemed necessary. But the proposed process won't let labs go inactive for longer than 6 months, so the TAC would archive any repo that's been abandoned longer than that timeframe. Either way, the TAC would have the documentation for the approved and archived labs. Does this address your concerns?
@marcelamelara is there a reason this is still pending? I can't remember where this was left at.
There are still some outstanding TODOs, mostly around adding some additional onboarding guidance. But the main reason this is still open is that I just haven't been able to sit down and just finish it. I'll get it done by next TAC meeting because I definitely want to close this out soon. Thanks for the ping @lehors !