
[Technical Initiative Funding Request]: Funding for Contractors To Work On Security Tools #311

Closed
1 task done
ware opened this issue Apr 10, 2024 · 27 comments
Labels
administration For Review gitvote TI Funding Request Quarterly TI requests for funding. Needs 5 approvals, 7d review.

Comments

@ware
Contributor

ware commented Apr 10, 2024

Problem Statement

OpenSSF has lots of ideas and volunteers, but not enough people creating software reflecting those ideas. We need to be able to hire contractors to work on these tools.

Who does this affect?

The majority of the WGs

Have there been previous attempts to resolve the problem?

Other than a call for volunteers, I do not believe so.

Why should it be tackled now and by this TI?

Many of the groups have tools they would like to see or need help developing the tools they currently have

Give an idea of what is required to make the funding initiative happen

This question is pretty open ended so I'm unsure of everything that is being asked of it. That said, many people look at the Security Tooling WG as a place where security tools can be created. Yes, that is being done in relation to some of the SBOM tooling, but there are other tools that need to be developed and then maintained. To make this really valuable, the ST:WG needs to work with all of the other WGs, do a survey with them on the tooling efforts that they need, and then hire 2-3 contractors to help those WGs build out those tools.

What is going to be needed to deliver this funding initiative?

A completed survey with other WGs to determine their needs.

Are there tools or tech that still need to be produced to facilitate the funding initiative?

There are no tools or tech that would be needed by this funding initiative. However, this funding initiative could be used to help other WGs with their tools or tech needs.

Give a summary of the requirements that contextualize the costs of the funding initiative

This summary of the need here is for there to be funding in place to hire 2-3 contractors working full time to help create new OpenSSF tools and, where possible, contribute to existing tools that need help.

Who is responsible for doing the work of this funding initiative?

Ryan Ware

Who is accountable for doing the work of this funding initiative?

Ryan Ware

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

Arun Gupta

Which technical initiative will this funding initiative be associated with, and will it report to which WG or project?

This would be a part of the Security Tooling WG

What license is this funding initiative being used under?

Variable

Code of Conduct

  • I agree to follow the OpenSSF's Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

  • End of Q2 do survey of all WGs to determine their security tooling needs
  • End of July, have a priority list of projects
  • End of Q3, have 2-3 contractors hired to work on the projects with appropriate skill matching

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

There would undoubtedly be a contract with contracting agencies that would need to be put in place. The SoW would depend upon the projects being tackled.

@ware ware added administration For Review TI Funding Request Quarterly TI requests for funding. Needs 5 approvals, 7d review. labels Apr 10, 2024
@steiza
Member

steiza commented Apr 30, 2024

I'm supportive of this idea generally, and I love the milestones, but I'm not sure I understand the sequencing and what is being asked for today.

@ware are you requesting funding for a contractor to run the WG survey in Q2? Or are we saying that once we have the results of that survey we'll be making more concrete funding requests? Or maybe there's a third option, where we're requesting funds for the whole project in advance, to shape the survey and scope the projects we consider for Q3?

Again, I think this is promising, but I could use help in clarifying the request. Thanks!

@ware
Contributor Author

ware commented Apr 30, 2024

Excellent question! To be clear, the contractor will be to do coding after we do the WG survey. The survey is to identify areas where OpenSSF WGs need help getting coding done. I think the survey itself can be done by me and others in the ST WG. When the survey is complete, we would work collaboratively with TAC to determine what the right priority is.

I envision this more as a pilot on how we can get code written for critical needs across OpenSSF. In conversations with various folks in OpenSSF, I regularly hear that we create lots of documentation but don't have the right people to write code. I'd like to make sure OpenSSF has a place to go to address those needs in a prioritized manner.

Does that answer your question @steiza?

@mlieberman85
Contributor

I think this would be useful especially in cases where among the contributors/volunteers on the projects aren't experts in a particular thing. For example having someone who is an expert in databases to help with optimizing queries when the engineers on the project aren't experts.

We also probably want to be sensitive here, as there are a lot of projects with devs already working on them that could use help, and there are various projects that have no engineers that could use help, and I want us to be careful not to view the latter case as the obvious one that is in need of help. We don't want to end up in a situation where member companies view the OpenSSF as a way to subsidize work on projects they potentially want to productize.

@sevansdell
Contributor

I recommend that after the survey, when you have a list of TIs that could benefit from code support, you put in a time-boxed request for support and what they'd do. We should do an ask of members to participate, and barring anyone stepping forward, could fund time-boxed work with a future TI proposal review with the specifics: it's a need, no members have responded, here's what they'd do for x amount of time. And then take those on a case-by-case basis.

@steiza
Member

steiza commented May 28, 2024

@ware we're doing some issue housekeeping - can we close this issue out? My understanding is that you're going to conduct a survey and come back with a more detailed request for funding - is that the case?

@ware
Contributor Author

ware commented Jun 3, 2024

> @ware we're doing some issue housekeeping - can we close this issue out? My understanding is that you're going to conduct a survey and come back with a more detailed request for funding - is that the case?

That wasn't the intent. I was going to do the survey if there was going to be funding. I'm happy to go work with all of the WGs & SIGs to determine their needs and work with all key stakeholders to prioritize what gets worked on, but that's a lot of prospective work to do if I have no idea there's going to be funding. If there's going to be funding, happy to do all that work.

@SecurityCRob
Contributor

I don't see a specific dollar request in this. I see "2-3 contractors", but no projected cost. It is hard to approve funding without specific figures. @ware

@sevansdell
Contributor

> @ware we're doing some issue housekeeping - can we close this issue out? My understanding is that you're going to conduct a survey and come back with a more detailed request for funding - is that the case?
>
> That wasn't the intent. I was going to do the survey if there was going to be funding. I'm happy to go work with all of the WGs & SIGs to determine their needs and work with all key stakeholders to prioritize what gets worked on, but that's a lot of prospective work to do if I have no idea there's going to be funding. If there's going to be funding, happy to do all that work.

@ware What I am hearing from the Budget and Finance committee: we have funds to distribute to TIs for one-time activities, not those that will become an annual or long-term expense. I believe the work you do to survey and come back with TI requests will be well received. OpenSSF wants to support TIs with one-time funding this year! Your surveys could help accelerate this.

@ware
Contributor Author

ware commented Jun 7, 2024

Thank you @SecurityCRob & @sevansdell both for your thoughts. I think there is a good way to address your thoughts and some others that I've seen: Let's make this a 1-time pilot to prove the concept, and if it's successful, we look for other avenues of funding that are cyclical.

As such, I would like to amend this TIFR for us to hire one developer (contractor) for 1 quarter. I think experienced developers are about $50k/quarter, so that is the specific ask.

I can survey the various WGs and SIGs over the next 6 weeks and then we can work on hiring an appropriate contractor for the work we all agree upon.

Thoughts?

@SecurityCRob
Contributor

Perfect, tyvm. The TAC will discuss this in our next call (11 June).

@sevansdell
Contributor

I will be out on June 11 and am trying to be proactive. I support this TI funding request with your additions @ware.

@ware
Contributor Author

ware commented Jun 11, 2024

I want to respond to a suggestion that was brought up. It was suggested that I pick a project for this that has already been brought to my attention. I feel this runs directly counter to concerns that were brought up by others implying that we don't want to show any type of favoritism. We need to ensure that if we are going to do this pilot, we fairly evaluate the needs of all TIs and not just ones that have been brought to my personal attention. Without doing that, this feels much less open and community focused. Maybe we turn this around and have TIs come make requests of the ST WG?

@marcelamelara marcelamelara moved this from Submitted to Under TAC review in OpenSSF TI Funding Project Board Jun 11, 2024
@steiza
Member

steiza commented Jun 13, 2024

I support this funding request.

In the future, I think we want funding requests to have the specific work already defined (see for example #339). But I don't think our existing process made that clear. Since the TAC meeting I've learned that after the TAC reviews the technical merits of the request it goes on to the budget committee to figure out a way forward. That sounds fine to me!

@lehors
Contributor

lehors commented Jun 13, 2024

@ware I can certainly appreciate the intent to have a fair and balanced approach on how to choose which particular development to support, but I'm concerned that doing an organization-wide survey will take a lot of time during which nothing will be done. Having the TIs come and make requests would probably be better, but I don't understand why they can't just come to the TAC to make those requests then. As I mentioned on the TAC call, this is essentially adding another layer of process which I don't think we need.

@SecurityCRob
Contributor

I agree with the objective, but I would prefer to see this application come from a specific TI instead of us hunting one down. I think @ware's suggestion of doing some legwork to identify a pilot project that has the need within our TIs would help us prove out the need and see a measured result from a more specific focus. Alternatively, we can reach out to the software projects within the foundation to highlight this as an option for them and see if anyone takes up the effort.

@lehors
Contributor

lehors commented Jun 13, 2024

In a way, @ware came to ask the TAC if we'd support that kind of request because, understandably, he didn't want to do all the legwork of figuring out what tool to develop and put together a more detailed request without knowing whether this was time well spent.
I think the answer to that question is clearly yes. But it's too vague for us to be able to fully commit. So, I hope this is enough reassurance for @ware to further investigate and put together a concrete proposal we can then review and approve.

@ware
Contributor Author

ware commented Jun 13, 2024

@lehors & @SecurityCRob, I really appreciate the thoughts and feedback. I'll try and figure out some time to do some more investigation.

@KennyPaul KennyPaul moved this from Under TAC review to Needs improvement in OpenSSF TI Funding Project Board Jun 14, 2024
@marcelamelara
Contributor

Chiming in since we're getting close to the decision deadline. I generally support this request, but I would prefer to see a more concrete SoW and involved TIs before fully agreeing to fund the contractors. So I vote to defer this request.

@riaankleinhans
Contributor

/vote


git-vote bot commented Sep 23, 2024

Vote created

@riaankleinhans has called for a vote on [Technical Initiative Funding Request]: Funding for Contractors To Work On Security Tools (#311).

The members of the following teams have binding votes:

Team: @ossf/tac

Non-binding votes are also appreciated as a sign of support!

How to vote

You can cast your vote by reacting to this comment. The following reactions are supported:

  • In favor: 👍
  • Against: 👎
  • Abstain: 👀

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 1 month 11 days 13h 26m 24s. It will pass if at least 70% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.

@riaankleinhans
Contributor

Gitvote was added as a tool to test for streamlining the TI Funding process.
The members of the GH group "TAC" can vote by reacting with a +1, -1 or eye on the Gitvote block in this issue.
Until the TAC is satisfied with the process, the GitVote outcome would not be binding.

Community members can show their support by also voting; however, only the "TAC" GH Group's votes will count.

The current passing threshold is 70% and the committee is the TAC GH group.
The vote stays open for 6 weeks and an announcement is sent on the GH/TAC/Discussion.

All these parameters can be fine tuned or changed here.
Please reach out if you have any questions.

@marcelamelara
Contributor

@ware Do we have an update on whether a TI has been identified for this funding request since our last review in Q2?


git-vote bot commented Sep 30, 2024

Vote status

So far 0.00% of the users with binding vote are in favor (passing threshold: 70%).

Summary

In favor: 0 · Against: 0 · Abstain: 0 · Not voted: 9

Binding votes (0)

  • @steiza: Pending
  • @torgo: Pending
  • @mlieberman85: Pending
  • @bobcallaway: Pending
  • @lehors: Pending
  • @SecurityCRob: Pending
  • @marcelamelara: Pending
  • @camaleon2016: Pending
  • @sevansdell: Pending

@ware
Contributor Author

ware commented Oct 1, 2024

> @ware Do we have an update on whether a TI has been identified for this funding request since our last review in Q2?

@marcelamelara, with my job change, while I think this is interesting, I do not have the time to drive this particular request. I'm closing this request. If someone else wants to pick this up to drive, that would be great, but my bandwidth is oversubscribed.

@ware ware closed this as completed Oct 1, 2024

git-vote bot commented Oct 7, 2024

Vote status

So far 0.00% of the users with binding vote are in favor (passing threshold: 70%).

Summary

In favor: 0 · Against: 0 · Abstain: 0 · Not voted: 9

Binding votes (0)

  • @steiza: Pending
  • @torgo: Pending
  • @mlieberman85: Pending
  • @bobcallaway: Pending
  • @lehors: Pending
  • @SecurityCRob: Pending
  • @marcelamelara: Pending
  • @camaleon2016: Pending
  • @sevansdell: Pending

@lehors
Contributor

lehors commented Oct 7, 2024

/cancel-vote


git-vote bot commented Oct 7, 2024

Vote cancelled

@lehors has cancelled the vote in progress in this issue.

@git-vote git-vote bot removed the vote open label Oct 7, 2024