[Technical Initiative Funding Request]: Technical Writer for Package Yanking Guidance #414
Comments
/cc @riaankleinhans
I approve (I don't know if we're still doing the github voting mechanism)
Thank you for the reminder @mlieberman85 /vote
Vote created
@riaankleinhans has called for a vote on
The members of the following teams have binding votes:
Non-binding votes are also appreciated as a sign of support!
How to vote
You can cast your vote by reacting to
Please note that voting for multiple options is not allowed and those votes won't be counted. The vote will be open for
Should the SOW accompany the funding request? How long should the work actually take? Can other work be leveraged? Is 4k too little or too much?
Thanks for your questions @camaleon2016!
I was wondering the same thing as I filled out this form. The template question is worded in a way that makes it seem like it should be, but in practice I think the SOW is co-developed with OpenSSF staff, if / when the request is approved. See for example #339 (a previous funding request the TAC approved to engage a technical writer). I wasn't able to find any previous funding request (approved or otherwise) that included a full statement of work.
In terms of billable hours, I believe it will take about 40 hours of a technical writer's time to research what's currently being done by package repositories, draft guidance and post a pull request, and then respond to community feedback on that pull request. This estimate is based on the work we did on https://repos.openssf.org/principles-for-package-repository-security, https://repos.openssf.org/trusted-publishers-for-all-package-repositories, and https://repos.openssf.org/build-provenance-for-all-package-registries. In terms of calendar time, based on the contractor's availability, I believe we can have a draft ready by the end of January and a final version landed by end of February. Again, this estimate is based on the 3 docs linked above that the working group has previously published.
In terms of if guidance like this has been published before, not that I'm aware of. In terms of basing this work on what package repositories are doing today, yes, absolutely! That's why the project is budgeting in research time to get up to speed on what's currently being done (see the linked content from npm and PyPI on the proposal).
By our process docs, I think this is actually a question for the OpenSSF General Manager, not the TAC, who is supposed to be evaluating the proposals based on technical merit (see https://github.com/ossf/tac/blob/main/process/TI%20Funding%20Request%20Process.md?plain=1#L19-L21). For what it's worth, I think the amount is reasonable. This proposal covers not just writing a draft but the research to support that content as well as edits based on community feedback, which we estimate to be 40 hours of work. 40 hours * $100 / hour (a fairly reasonable contracting rate) = $4000.
@steiza once approved and a contractor is identified, I would help get the contract set up in the LF contract system to ensure the contractor can be paid.
@steiza To confirm, the timeframe for the initiative is roughly Jan-Feb 2025, and the 40 hours of the technical writer's time are expected to be spread across the 2 months? Or is the technical writer expected to be involved mostly at the beginning of the initiative, and the rest will be handled by the WG community?
That's correct - there will be 40 billable hours spread over the two months. I'm hopeful that will include a round of edits based on community feedback, but if not the Securing Repos WG will finish edits and land the doc. |
Vote closed
The vote passed! 🎉
Summary
Binding votes (6)
Technical Initiative
Securing Repositories Working Group
Lifecycle Phase
Graduated
Funding amount
$4000
Problem Statement
Software repositories are looking for guidance on when to allow a previously published package to be deleted. This is tricky, as a flexible policy makes it easy to recover from releases that are mistakenly published, whereas a restrictive policy prevents supply chain attacks.
Who does this affect?
People who operate software repositories (PyPI, RubyGems, Rust Crates, NuGet, etc.)
Have there been previous attempts to resolve the problem?
Not to solve this specific problem (that I'm aware of), but other guidance our working group has published has been well received (like https://repos.openssf.org/trusted-publishers-for-all-package-repositories).
Why should it be tackled now and by this TI?
Because people are asking for it! See https://openssf.slack.com/archives/C034CBLMQ9G/p1732095578884899. Even though our guidance might not be published in time for Rust Crates to make use of it, it will help other repositories who take on this problem in the future.
Give an idea of what is required to make the funding initiative happen
What is going to be needed to deliver this funding initiative?
A technical writer (see above)
Are there tools or tech that still need to be produced to facilitate the funding initiative?
No, we'll be writing guidance on policy and documentation that the software repositories would host on their website.
Give a summary of the requirements that contextualize the costs of the funding initiative
This will give us 40 hours of a technical writer's time to research, draft, and respond to community feedback.
Who is responsible for doing the work of this funding initiative?
I recommend contracting with Hayley Denbraver, who is doing the technical writing for the Sigstore docs improvement funding request.
Who is accountable for doing the work of this funding initiative?
Zach Steindler, co-chair of Securing Repos Working Group
If the responsible or accountable parties are no longer available, what is the backup contact or plan?
Dustin Ingram, co-chair of Securing Repos Working Group
What license is this funding initiative being used under?
https://github.com/ossf/wg-securing-software-repos/blob/main/LICENSE
Code of Conduct
List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.
Jan 2025 - draft pull request created
Feb 2025 - respond to community comments and land content
If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.
We'll need to work with OpenSSF staff to create a formal statement of work. Roughly: