
[IP policy and license review] Vuln-Reach Sandbox Project Entry #387

Open
louislang opened this issue Sep 25, 2024 · 7 comments
Assignees
Labels
Next Meeting TI Lifecycle Issue/PR related to TIs' lifecycle status. Needs 5 approvals, 10d review.

Comments

@louislang

Vuln-Reach is seeking Sandbox Project Entry into the OpenSSF under the Security Tools WG.

The Vuln-Reach maintainers are requesting the "one-time IP policy and license review with The Linux Foundation" as part of our sandbox application.

VulnReach Links

@SecurityCRob
Contributor

We will discuss this at the 1October TAC call at 11am ET. Please have representatives from the project and the Working Group in attendance.

Please review https://github.com/ossf/tac/blob/main/process/project-lifecycle.md#submission-process

@SecurityCRob SecurityCRob added Next Meeting TI Lifecycle Issue/PR related to TIs' lifecycle status. Needs 5 approvals, 10d review. labels Sep 25, 2024
@ware
Contributor

ware commented Oct 1, 2024

Vuln-Reach is seeking Sandbox Project Entry into the OpenSSF under the Security Tools WG.

The Vuln-Reach maintainers are requesting the "one-time IP policy and license review with The Linux Foundation" as part of our sandbox application.

VulnReach Links

@louislang, please make sure to take a close look at the Project Lifecycle document to make sure we get all of the right information into the Sandbox application. Specifically, we need to make sure the application covers these aspects:

Sandbox Entry Requirements and Considerations

  • Projects must have a minimum of three maintainers with a minimum of two different organization affiliations.
  • Projects must be aligned with the OpenSSF mission and either be a novel approach for existing areas or address an unfulfilled need. It is expected that the initial code or specification developed by an OpenSSF WG be kept within their repository and will not function as a Project in its own right. Should the initial WG code or specification grow and mature that it warrants its own Project status, then it is subject to Sandbox entry requirements. It is preferred that extensions of an existing OpenSSF project collaborate with the existing project rather than seek a new project.
  • Projects must seek one TAC sponsor or one WG sponsor (if reporting to a WG)
    • TAC or WG sponsor agrees to attend Project meetings regularly
    • TAC or WG sponsor does not need to have a formal role in Project, e.g., maintainer
    • TAC or WG sponsor requests TAC approval
  • If contributing an existing project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF).

Additionally, we need to make sure we reach the security baseline for a sandbox project.

@sevansdell
Contributor

Are we doing the legal review in parallel, or waiting for the PR to be approved then doing the legal review?

@lehors
Contributor

lehors commented Oct 16, 2024

Are we doing the legal review in parallel, or waiting for the PR to be approved then doing the legal review?

Historically we've done this in parallel.

@sevansdell
Contributor

This legal review is tied to the PR for the sandbox application: #388. Has the legal review been initiated? How is it progressing? @afmarcum

@afmarcum
Contributor

@riaankleinhans can you verify this is with LF Legal and whether there is any update?

@riaankleinhans
Contributor

@louislang I have created a project in LFX for review by the LF Project formation team.
One of the blocking points I foresee for project adoption is the requirement for the GitHub repo to live in a neutral GitHub org. You can look at other projects' approach to that here: https://github.com/ossf/tac?tab=readme-ov-file#projects
The project could use https://github.com/ossf/vuln-reach or https://github.com/vuln-reach/vuln-reach or something similar.
Another request that would be shared with the formation documents would be to make "thelinuxfoundation" an owner of the GitHub org.
I will keep you updated as I get feedback from the formation team.
