Advice Needed - Staff-Produced Architecture Document Review Process #361

Closed
Danajoyluck opened this issue Jul 19, 2024 · 5 comments
Labels
OpsModel question Further information is requested

Comments

@Danajoyluck
Contributor

Danajoyluck commented Jul 19, 2024

Right now it's difficult for people interested in participating with OpenSSF to determine how to participate or what to use.

I'm working on a consumption architecture for the technologies we produce at the OpenSSF and the foundational OSS technologies that OpenSSF uses. The goal of this artifact would be to provide an easy model for our end user organizations large and small to have a framework / reference architecture to help them think about adopting OpenSSF technical projects and guidance. Another goal is to make it easier for people to contribute to our technologies.

The draft is here: https://github.com/Danajoyluck/openssf-tac/blob/main/consumption-architecture-dependency-management.md

I will need advice from TAC:

  1. Does TAC need to review and approve the document?
  2. Is TAC repo the home for this document?
  3. OR is the new Security Baseline SIG the proper repo for the architecture documents? The SIG was newly created in the BEST Working Group and @SecurityCRob is the sponsor. See BEST WG issue for details.
@Danajoyluck Danajoyluck added question Further information is requested OpsModel labels Jul 19, 2024
@Danajoyluck Danajoyluck changed the title Clarification Needed - Staff-Produced Architecture Document Review Process Advice Needed - Staff-Produced Architecture Document Review Process Jul 22, 2024
@sevansdell
Contributor

sevansdell commented Jul 22, 2024

At first glance, this "feels" like an extension of the https://github.com/ossf/Diagrammers-Society and then the CICD extension of the security toolbelt? Since both of those projects have been archived due to lack of engagement, I'm glad to see the OSSF architect continuing on this good work.

There are three other places thinking about how to help people understand what OSSF offers: https://github.com/ossf/DevRel-community/issues, #169 and #330

Classically, we have two types of stakeholders:
- Maintainers of OSS projects (producers)
- Enterprises using OSS projects (consumers)

When I looked at the linked Word document, it wasn't clear to me if it applied to our producer or consumer stakeholders or both. I recommend identifying who this document will serve (producers, consumers or both).

That helps with the other follow up questions:

  1. I believe you need to find a Technical Initiative/MAC/DevRel/staff initiative where this work can live. The TAC will get informed about your work with the community in TAC updates from whichever working group you partner with (in the past, both the Diagrammer's Society and Security Toolbelt lived in the BEST WG), or from interlocks during the "Staff updates" section of the call, when the MAC/website marketing staff member, the DevRel community engagement manager, or you in your role bringing all these threads together with OSSF can give informational updates/awareness to TAC.
  2. I believe the Technical Initiative with which you work with other community members should house documents you create in partnership with them in their repo/process. Something that gives business continuity for your role as architect. Where do other staff members host and store these types of documents? e.g. I know that Dr. Martin had a ppt that each OSSF member could see that shared how to get started, which leveraged the Diagrammers Society CICD view. Is that the staff Google Drive, and is it turned into educational materials through the website, etc.? I also believe there is an effort to update the website navigation to communicate to producers and consumers better?
  3. The security baseline SIG (my understanding) was how producers could apply a security baseline to their project (starting with OSSF projects first, but then going on to other LF OSS projects). Are you wanting to increase the Security Baseline SIG scope to incorporate how End Users (consumers) can interact with OSSF? Perhaps that might be a good conversation for the End Users WG?

There was also some great work in the governance committee last year to create a GB policies and procedures document, and leverage the governance committee as a way to keep that documentation evergreen. It spearheaded the MVS, and several communications workflows between GB/TAC/community.

I think your documentation does need a home, and your efforts to coordinate should pay off with continued coordinating with staff/other TIs/MAC/DevRel community/website update content owners/governance committee MVS and GB Policies and Procedures. To date, the TAC repo is for TI technical oversight in partnership with TIs. We don't put all the material we collaborate on in the TAC repo. As an example, we work with MAC committee to review some blogs, but that is a process through Slack, and then the content lives on the OSSF website in a blog page. I want to support you to get your content somewhere where everyone can keep it fresh with you, and avoid duplication of overlapping activities.

Thanks again for your leadership as OSSF continues to mature and navigate operationally. I believe there is "green space" opportunity for you to lead/document ongoing interlocks between all the areas within OSSF.

@Danajoyluck
Contributor Author

Danajoyluck commented Jul 23, 2024

Thanks a lot @sevansdell for the detailed response... very helpful information. Thank you for sharing the other efforts.

I mistakenly attached the wrong link to the draft document. I have corrected it. The draft is mainly diagrams and I'm filling in the contents.

The intended audience is OSS producers and consumers. The architecture aims to help OSS producers produce more secure code, and consumers consume more secure OSS. This architecture complements the security baseline. They complement each other to increase the adoption of OpenSSF technologies, and contributions to these emerging technologies. I'm hoping this document provides maintainers and consumers an easier way to discover technologies in OpenSSF and other foundations.

@sevansdell
Contributor

Dana - Did a quick scan of the diagrams. At first glance, they look outstanding!

If you put this documentation in the security baselines SIG repo, be sure the scope of the SIG includes both producers and consumers, and that it will include broad diagrams for both personas. Right now, I believe the security baseline SIG seems geared towards producers vs consumers, but as long as you keep the scope updated in the SIG repo home page, and keep the BEST WG lead updated, that could be its home for now.

During the next weeks and months, I recommend keeping in touch with the BEST WG and End Users WG, announcing the status of the diagrams in your TAC staff update section, and communicating with the MAC and DevRel communities. I believe over time, you will find all of these teams will participate in various ways.

Thanks for your leadership.

@Danajoyluck
Contributor Author

@sevansdell thank you Sarah for the advice! Glad you appreciate the diagrams. Very helpful. I will sync up with CRob and Jacques.

@Danajoyluck
Contributor Author

Closing the issue; will check the document into the Security Baseline SIG repo. Many thanks to @sevansdell for your prompt support!
