-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Technical Initiative Funding Request]: Funding for Contractors To Work On Security Tools #311
Comments
I'm supportive of this idea generally, and I love the milestones, but I'm not sure I understand the sequencing and what is being asked for today. @ware are you requesting funding for a contractor to run the WG survey in Q2? Or are we saying that once we have the results of that survey we'll be making more concrete funding requests? Or maybe there's a third option, where we're requesting funds for the whole project in advance, to shape the survey and scope the projects we consider for Q3? Again, I think this is promising, but I could use help in clarifying the request. Thanks! |
Excellent question! To be clear, the contractor will be to do coding after we do the WG survey. The survey is to identify areas where OpenSSF WGs need help getting coding done. I think the survey itself can be done by me and others in the ST WG. When the survey is complete, we would work collaboratively with TAC to determine what the right priority is. I envision this more as a pilot on how we can get code written for critical needs across OpenSSF. In conversations with various folks in OpenSSF, I regularly hear that we create lots of documentation but don't have the right people to write code. I'd like to make sure OpenSSF has a place to go to address those needs in a prioritized manner. Does that answer your question @steiza? |
I think this would be useful especially in cases where among the contributors/volunteers on the projects aren't experts in a particular thing. For example having someone who is an expert in databases to help with optimizing queries when the engineers on the project aren't experts. We also probably want to be sensitive here as there's a lot of projects with devs working on it already that could use help and there's various projects that have no engineers that could use help and I want us to be careful not view the latter case as the obvious one that is in need of help. We don't want to end up in a situation where member companies view the OpenSSF as a way to subsidize work potentially on projects they want to productize. |
I recommend after the survey, when you have a list of TIs that could benefit from code support, to put in a time boxed request for support and what they'd do. We should do an ask of members to participate, and barring anyone stepping forward, could fund timeboxed work with a future TI proposal review with the specifics: its a need, no members have responded, here's what they'd do for x amount of time. And then take those on a case by case basis. |
@ware we're doing some issue housekeeping - can we close this issue out? My understanding is that you're going to conduct a survey and come back with a more detailed request for funding - is that the case? |
That wasn't the intent. I was going to do the survey if there was going to be funding. I'm happy to go work with all of the WGs & SIGs to determine their needs and work with all key stakeholders to prioritize what gets worked on, but that's a lot of prospective work to do if I have no idea there's going to be funding. If there's going to be funding, happy to do all that work. |
I don't see a specific dollar request in this. I see "2-3 contractors", but no projected cost. It is hard to approve funding without specific figures. @ware |
@ware What I am hearing from Budget and Finance committee - we have funds to distribute to TIs for one time activities, not those that will become an annual or long term expense. I believe work you do to survey and come back with TI requests will be well received....OpenSSF wants to support TIs with one time funding this year! Your surveys could help accelerate this. |
Thank you @SecurityCRob & @sevansdell both for your thoughts. I think there is a good way to address your thoughts and some others that I've seen: Let's make this a 1-time pilot to prove the concept, and if it's successful, we look for other avenues of funding that are cyclical. As such, I would like to amend this TIFR for us to hire one developer (contractor) for 1 quarter. I think experienced developers are about $50k/quarter so that is the specific ask. I can survey the various WGs and SIGs over the next 6 weeks and then we can work on hiring an appropriate contractor for the work we all agree upon. Thoughts? |
Perfect, tyvm. The TAC will discuss this in our next call (11June) |
I will be out the June 11 and am trying to proactive. I support this TI funding request with your additions @ware. |
I want to respond to a suggestion that was brought up. It was suggested that I pick a project for this that has already been brought to my attention. I feel this runs directly counter to concerns that were brought up by others implying that we don't want to show any type of favoritism. We need to ensure that if we are going to do this pilot, that we fairly evaluate the needs of all TIs and not just ones that have been brought to my personal attention. Without doing that, this feels much less open and community focused. Maybe we turn this around and have TI's come make requests of the ST WG? |
I support this funding request. In the future, I think we want funding requests to have the specific work already defined (see for example #339). But I don't think our existing process made that clear. Since the TAC meeting I've learned that after the TAC reviews the technical merits of the request it goes on to the budget committee to figure out a way forward. That sounds fine to me! |
@ware I can certainly appreciate the intent to have a fair and balanced approach on how to choose which particular development to support but I'm concerned that doing an organization-wide survey will take a lot of time during which nothing will be done. Having the TIs come and make requests would probably be better but I don't understand why they can't just come to the TAC to make those requests then. As I mentioned on the TAC call, this is essentially adding another layer of process which I don't think we need. |
I agree with the objective, but I would prefer to see this application come from a specific TI instead of us hunting one down. I think @ware 's suggestion of doing some legwork to identify a pilot project that has the need within our TIs would help us prove out the need and see a measured result from a more specific focus. Alternatively, we can reach out to the software projects within the foundation to highlight this as an option for them to see if anyone takes up the effort. |
In a way, @ware came to ask the TAC if we'd support that kind of request because, understandably, he didn't want to do all the legwork of figuring what tool to develop and put together a more detailed request without knowing whether this was time well spent. |
@lehors & @SecurityCRob, I really appreciate the thoughts and feedback. I'll try and figure out some time to do some more investigation. |
Chiming in since we're getting close to the decision deadline. I generally support this request, but I would prefer to see a more concrete SoW and involved TIs before fully agreeing to fund the contractors. So I vote to defer this request. |
/vote |
Vote created@riaankleinhans has called for a vote on The members of the following teams have binding votes:
Non-binding votes are also appreciated as a sign of support! How to voteYou can cast your vote by reacting to
Please note that voting for multiple options is not allowed and those votes won't be counted. The vote will be open for |
Gitvote was added as a tool to test for stream lining the TI Funding process. Community members can show their support by also voting, however only the "TAC" GH Group's votes will count. The current passing threshold is 70% and the committee is the TAG GH group. All these parameters can by fine tuned or changed here |
@ware Do we have an update on whether a TI has been identified for this funding request since our last review in Q2? |
Vote statusSo far Summary
Binding votes (0)
|
@marcelamelara, with my job change, while I think this is interesting, I do not have the time to drive this particular request. I'm closing this request. If someone else wants to pick this up to drive, that would be great, but my bandwidth is oversubscribed. |
Vote statusSo far Summary
Binding votes (0)
|
/cancel-vote |
Vote cancelled@lehors has cancelled the vote in progress in this issue. |
Problem Statement
OpenSSF has lots of ideas and volunteers, but not enough people creating software reflecting those ideas. We need to be able to higher contractors to work on these tools.
Who does this affect?
The majority of the WGs
Have there been previous attempts to resolve the problem?
Other than a call for volunteers, I do not believe so.
Why should it be tackled now and by this TI?
Many of the groups have tools they would like to see or need help developing the tools they currently have
Give an idea of what is required to make the funding initiative happen
This question is pretty open ended so I'm unsure of everything that is being asked of it. That said, many people look at the Security Tooling WG as a place where security tools can be created. Yes, that is being done in relation to some of the SBOM tooling, but there are other tools that need to be developed and then maintained. To make this really valuable, the ST:WG needs to work with all of the other WGs, do a survey with them on the tooling efforts that they need, and then hire 2-3 contractors to help those WGs build out those tools.
What is going to be needed to deliver this funding initiative?
A completed survey with other WGs to determine their needs.
Are there tools or tech that still need to be produced to facilitate the funding initiative?
There are no tools or tech that would be needed by this funding initiative. However, this funding initiative could be used to help other WGs with their tools or tech needs.
Give a summary of the requirements that contextualize the costs of the funding initiative
This summery of the need here is for there to be funding in place to hire 2-3 contractors working full time to help create new OpenSSF tools and where possible contribute to existing tools that need help.
Who is responsible for doing the work of this funding initiative?
Ryan Ware
Who is accountable for doing the work of this funding initiative?
Ryan Ware
If the responsible or accountable parties are no longer available, what is the backup contact or plan?
Arun Gupta
Which technical initiative will this funding initiative be associated with, and will it report to which WG or project?
This would be a part of the Security Tooling WG
What license is this funding initiative being used under?
Variable
Code of Conduct
List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.
If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.
There would undoubtedly be a contract with contracting agencies that would need to be put in place. The SoW would depend upon the projects being tackled.
The text was updated successfully, but these errors were encountered: