Hi Pedro Nacht,

> Hello, I'm working on behalf of Google and the Open Source Security
> Foundation to help essential open-source projects improve their supply-chain
> security.

Could you expand on that? It isn't obvious from your comment, and I'm curious about this initiative at Google.

1. How many hours a week do you spend working for Google/Alphabet, roughly? (e.g., averaged over the last month)

2. How many hours a week do you spend working for the Open Source Security Foundation, roughly? Is that work part of your job role at Google?

3. What is your job title, team, and department in those organizations?

4. What is the team size?

I also had a few other questions:

5. How many of the top N security-critical open-source projects does the OSSF plan to propose this badge to this year?

6. What studies have been published or are being conducted by Google/OSSF on the impact of the badge on open-source organizations (or being conducted externally, e.g., by universities) (e.g., comparing organizations where it is proposed to vs. not proposed to)? If so, where can I find them?

   E.g., I saw https://news.ycombinator.com/item?id=33309969 recently and wanted to learn more about what is known about the impact on metrics of projects short-term and long-term (e.g., on developers that strongly focus on scorecards, or perfectionists, or averaged).

   I'm interested in learning more about what is being done to ensure the overall security, stability, and ongoing improvements of open source software in general as an end user, contributor, maintainer, and user of the companies that use open source software. This would be useful to know when an organization considers adopting a badge or change to process.

7. Is creating PRs to add this badge part of your job role (if so, the job role of which organization)? Is this done in your free time? Sorry, it isn't clear. From https://opensource.google/documentation/reference/patching, I see that the use of @google.com emails is required for all open-source contributions, so I was initially confused.

8. Are there recent posts by Google clarifying their involvement in the Open Source Security Foundation (funding provided, team size, shared employees/contractors, etc.)? I wanted to know more. https://security.googleblog.com/2022/10/announcing-guac-great-pairing-with-slsa.html mentions that the foundation exists, but doesn't mention any details about how Google is involved in it.

   > An open source organization like the Open Source Security Foundation wants to identify critical libraries to maintain and secure....

9. What is the roadmap/timeline for this tool? https://github.com/ossf/scorecard/issues has a lot of open issues. E.g., avoiding false positives in some contexts seems to be a TODO, the preview is a one-line JSON dump (https://stedolan.github.io/jq/ is a fantastic tool), and there are a lot of open tickets for the website. What other practices are planned for inclusion in this badge?

Best regards,
Tyson

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php