
[Technical Initiative Funding Request]: Technical Writer for Package Yanking Guidance #414

Open

steiza opened this issue Nov 25, 2024 · 11 comments

Labels: administration, For Review, gitvote, TI Funding Request (Quarterly TI requests for funding. Needs 5 approvals, 7d review.)

Comments

@steiza (Member)

steiza commented Nov 25, 2024

Technical Initiative

Securing Repositories Working Group

Lifecycle Phase

Graduated

Funding amount

$4000

Problem Statement

Software repositories are looking for guidance on when to allow a previously published package to be deleted. This is tricky, as a flexible policy makes it easy to recover from releases that are mistakenly published, whereas a restrictive policy prevents supply chain attacks.

Who does this affect?

People who operate software repositories (PyPI, RubyGems, Rust Crates, NuGet, etc)

Have there been previous attempts to resolve the problem?

Not to solve this specific problem (that I'm aware of) but other guidance our working group has published has been well received (like https://repos.openssf.org/trusted-publishers-for-all-package-repositories)

Why should it be tackled now and by this TI?

Because people are asking for it! https://openssf.slack.com/archives/C034CBLMQ9G/p1732095578884899 Even though our guidance might not be published in time for Rust Crates to make use of it, it will help other repositories who take on this problem in the future.

Give an idea of what is required to make the funding initiative happen

  1. We will contract a technical writer to research existing policies in this space (like https://docs.npmjs.com/policies/unpublish, https://pypi.org/help/#file-name-reuse, https://peps.python.org/pep-0541/, https://peps.python.org/pep-0592/, and others)
  2. Draft a pull request in https://github.com/ossf/wg-securing-software-repos
  3. Get community feedback from people who have written these policies in the past, and from people who would write a policy like this in the future
  4. Respond to the feedback and merge the PR

What is going to be needed to deliver this funding initiative?

A technical writer (see above)

Are there tools or tech that still need to be produced to facilitate the funding initiative?

No, we'll be writing guidance on policy and documentation that the software repositories would host on their website

Give a summary of the requirements that contextualize the costs of the funding initiative

This will give us 40 hours of a technical writer's time to research, draft, and respond to community feedback

Who is responsible for doing the work of this funding initiative?

I recommend contracting from Hayley Denbraver, who is doing the technical writing for the Sigstore docs improvement funding request.

Who is accountable for doing the work of this funding initiative?

Zach Steindler, co-chair of Securing Repos Working Group

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

Dustin Ingram, co-chair of Securing Repos Working Group

What license is this funding initiative being used under?

https://github.com/ossf/wg-securing-software-repos/blob/main/LICENSE

Code of Conduct

  • I agree to follow the OpenSSF's Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

Jan 2025 - draft pull request created
Feb 2025 - respond to community comments and land content

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

We'll need to work with OpenSSF staff to create a formal statement of work. Roughly:

@riaankleinhans (Contributor)

/cc @riaankleinhans

riaankleinhans added the "TI Funding Request" label Nov 25, 2024

@mlieberman85 (Contributor)

I approve (I don't know if we're still doing the github voting mechanism)

@riaankleinhans (Contributor)

Thank you for the reminder @mlieberman85

/vote

git-vote bot commented Dec 2, 2024

Vote created

@riaankleinhans has called for a vote on [Technical Initiative Funding Request]: Technical Writer for Package Yanking Guidance (#414).

The members of the following teams have binding votes:

Team
@ossf/tac

Non-binding votes are also appreciated as a sign of support!

How to vote

You can cast your vote by reacting to this comment. The following reactions are supported:

In favor: 👍, Against: 👎, Abstain: 👀

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 1month 11days 13h 26m 24s. It will pass if at least 70% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.

@camaleon2016 (Member)

Should the SOW accompany the funding request? How long should the work actually take? Can other work be leveraged? Is 4k too little or too much?

@steiza (Member, Author)

steiza commented Dec 3, 2024

Thanks for your questions @camaleon2016!

Should the SOW accompany the funding request?

I was wondering the same thing as I filled out this form. The template question is worded in a way that makes it seem like it should be, but in practice I think the SOW is co-developed with OpenSSF staff, if / when the request is approved.

See for example #339 (a previous funding request the TAC approved to engage a technical writer).

I wasn't able to find any previous funding request (approved or otherwise) that included a full statement of work.

How long should the work actually take?

In terms of billable hours, I believe it will take about 40 hours of a technical writer's time to research what's currently being done by package repositories, draft guidance and post a pull request, and then respond to community feedback on that pull request. This estimate is based on the work we did on https://repos.openssf.org/principles-for-package-repository-security, https://repos.openssf.org/trusted-publishers-for-all-package-repositories, and https://repos.openssf.org/build-provenance-for-all-package-registries.

In terms of calendar time, based on the contractor's availability, I believe we can have a draft ready by the end of January and a final version landed by end of February. Again, this estimate is based on the 3 docs linked above that the working group has previously published.

Can other work be leveraged?

In terms of if guidance like this has been published before, not that I'm aware of.

In terms of basing this work on what package repositories are doing today, yes, absolutely! That's why the project is budgeting in research time to get up to speed on what's currently being done (see the linked content from npm and PyPI on the proposal).

Is 4k too little or too much?

By our process docs, I think this is actually a question for the OpenSSF General Manager, not the TAC, who is supposed to be evaluating the proposals based on technical merit (see https://github.com/ossf/tac/blob/main/process/TI%20Funding%20Request%20Process.md?plain=1#L19-L21).

For what it's worth, I think the amount is reasonable. This proposal covers not just writing a draft but the research to support that content as well as edits based on community feedback, which we estimate to be 40 hours of work. 40 hours * $100 / hour (a fairly reasonable contracting rate) = $4000.

@riaankleinhans (Contributor)

@steiza once approved and a contractor is identified, I would help get the contract set up in the LF contract system to ensure the contractor can be paid.

@marcelamelara (Contributor)

@steiza To confirm, the timeframe for the initiative is roughly Jan-Feb 2025, and the 40 hours' time for the technical writer are expected to be spread across the 2 months? Or is the technical writer expected to be involved mostly at the beginning of the initiative, and the rest will be handled by the WG community?

@steiza (Member, Author)

steiza commented Dec 3, 2024

> the timeframe for the initiative is roughly Jan-Feb 2025, and the 40 hours' time for the technical writer are expected to be spread across the 2 months

That's correct - there will be 40 billable hours spread over the two months. I'm hopeful that will include a round of edits based on community feedback, but if not the Securing Repos WG will finish edits and land the doc.

git-vote bot commented Dec 9, 2024

Vote status

So far 75.00% of the users with binding vote are in favor and 0.00% are against (passing threshold: 70%).

Summary

In favor: 6, Against: 0, Abstain: 0, Not voted: 2

Binding votes (6)

User Vote Timestamp
bobcallaway In favor 2024-12-05 20:09:43.0 +00:00:00
torgo In favor 2024-12-09 12:24:22.0 +00:00:00
marcelamelara In favor 2024-12-03 20:22:05.0 +00:00:00
steiza In favor 2024-12-05 15:11:09.0 +00:00:00
mlieberman85 In favor 2024-12-02 19:42:45.0 +00:00:00
sevansdell In favor 2024-12-05 18:10:15.0 +00:00:00
@lehors Pending
@camaleon2016 Pending

git-vote bot commented Dec 10, 2024

Vote closed

The vote passed! 🎉

75.00% of the users with binding vote were in favor and 0.00% were against (passing threshold: 70%).

Summary

In favor: 6, Against: 0, Abstain: 0, Not voted: 2

Binding votes (6)

User Vote Timestamp
@steiza In favor 2024-12-05 15:11:09.0 +00:00:00
@torgo In favor 2024-12-09 12:24:22.0 +00:00:00
@sevansdell In favor 2024-12-05 18:10:15.0 +00:00:00
@bobcallaway In favor 2024-12-05 20:09:43.0 +00:00:00
@mlieberman85 In favor 2024-12-02 19:42:45.0 +00:00:00
@marcelamelara In favor 2024-12-03 20:22:05.0 +00:00:00

Project status: Budget Approved