OpenSSF Working Group on Securing Software Repositories
This working group is for and focuses on the maintainers of software repositories, software registries, and tools which rely on them, at various levels including system, language, plugin, extensions and container systems. It provides a forum to share experiences and to discuss shared problems, risks and threats.
- Enable faster cross-pollination of existing ideas across ecosystems (including technical measures, infrastructure approaches, and policies)
- Act as a clearinghouse for new ideas that could benefit multiple ecosystems
- Enable maintainers to better align and coordinate policies and changes between different ecosystems
- Identify & escalate needs for infrastructure and assistance for shared tooling and/or services (to be filled by supportive or sponsoring organizations (such as the OpenSSF))
- Develop methods for sharing data related to software repositories, software registries, and tools which rely on them
- Delegate solving particular problems and goals to subgroups or other workgroups as appropriate
The working group may create:
- Normative, non-binding recommendations on common schemas
- Descriptive documentation of experiences and best practices
- The working group is not a governing body and does not create binding obligations on members
- The working group does not dictate technologies, tools or solutions, though members are free to recommend them to one another
- Survey of OSS software repositories
- TBD
We use the securing-software-repos-wg GitHub team.
The CHARTER.md outlines the scope and governance of our group activities.
This group is chaired by Dustin Ingram.
- Meeting Minutes
- Mailing list. Manage your subscriptions to Open SSF mailing lists.
- OpenSSF Slack instance in the
#wg_securing_software_reposchannel (see here for an invite)
Zoom every other Wednesday, alternating between EMEA (13:00 UTC) and APAC-friendly times (22:00 UTC).
The meeting invite is available on the public OSSF calendar.
Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.
Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.
In accordance with the OpenSSF Charter (PDF), work produced by this group is licensed as follows:
- Software source code: Apache License, Version 2.0, available at https://www.apache.org/licenses/LICENSE-2.0;
- Data: Any of the Community Data License Agreements, available at https://www.cdla.io;
- Specifications: Community Specification License, Version 1.0, available at https://github.com/CommunitySpecification/1.0;
- All other Documentation: Creative Commons Attribution 4.0 International License, available at https://creativecommons.org/licenses/by/4.0/