From 73944cfeb3a899ec1b437a03551beade6e0d9b2c Mon Sep 17 00:00:00 2001 From: Michael Scovetta Date: Fri, 21 Jun 2024 17:31:46 -0400 Subject: [PATCH 1/6] Add Alpha-Omega Q2 update Signed-off-by: Michael Scovetta --- TI-reports/2024/2024-Q2-Alpha-Omega.md | 39 ++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 TI-reports/2024/2024-Q2-Alpha-Omega.md diff --git a/TI-reports/2024/2024-Q2-Alpha-Omega.md b/TI-reports/2024/2024-Q2-Alpha-Omega.md new file mode 100644 index 00000000..d6250549 --- /dev/null +++ b/TI-reports/2024/2024-Q2-Alpha-Omega.md @@ -0,0 +1,39 @@ +# 2024 Q2 Alpha-Omega +## Overview + + +Alpha-Omega continues on our mission, to sustainably + +We provide [monthly public reports](https://alpha-omega.dev/resources/reports), including to TAC and the OpenSSF Governing Board: + * May 2024 + * March/April 2024 + * February 2024 + +_Required: Sum up the status, health of your TI, and the community in a few sentences. Consider this the TL;DR for the rest of the report. How is your community doing health-wise (e.g., is the number of active contributors increasing or decreasing) ? What are the latest news? + + +## Activity #1 + +_Required: Replace the section title with the actual name (e.g., "Memory Safety SIG") and fill out each subsection. Repeat this section and subsections as necesssary for other activities. + + +### Purpose + +### Current Status +We're active, healthy, + +### Up Next + +Some key: +* Our next monthly report is due out around July 5th. +* Our next roundtable (for grant recipients and selected guests) will be held on July 25th. +* Our next public meeting will be held on August 7th. +* We'll have a roundtable at Open Source Summit EU in September and are planning to attend the LF Member Summit. + +### Questions/Issues for the TAC +No, but if TAC has any + +## Additional Information + +_Optional: Please provide any additional information that you feel would be useful for TAC to be aware._ + 
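Review bot: the new file lands with unfinished sentences and the template's instruction text still in it. In the Overview hunk, "Alpha-Omega continues on our mission, to sustainably" stops mid-sentence; under Current Status, "We're active, healthy," does the same; and the TAC section reads "No, but if TAC has any" with no continuation. The "_Required: ..." and "_Optional: ..." template lines, the "## Activity #1" placeholder heading and the "necesssary" typo in the template text are also committed as-is. The three monthly reports (May, March/April, February 2024) are listed without links even though the sentence introducing them points at alpha-omega.dev/resources/reports. Finish the sentences, drop the template lines and link each report before this is merged; later patches in the series do most of this, so squashing would leave a cleaner history.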
From bc8c9f485bf06c155eac40cb039a7cbf08360235 Mon Sep 17 00:00:00 2001 From: Michael Scovetta Date: Fri, 21 Jun 2024 19:10:51 -0400 Subject: [PATCH 2/6] Update 2024-Q2-Alpha-Omega.md Signed-off-by: Michael Scovetta --- TI-reports/2024/2024-Q2-Alpha-Omega.md | 29 ++++++++++++++++++-------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/TI-reports/2024/2024-Q2-Alpha-Omega.md b/TI-reports/2024/2024-Q2-Alpha-Omega.md index d6250549..4afad6a5 100644 --- a/TI-reports/2024/2024-Q2-Alpha-Omega.md +++ b/TI-reports/2024/2024-Q2-Alpha-Omega.md 
@@ -1,18 +1,20 @@ # 2024 Q2 Alpha-Omega + ## Overview -Alpha-Omega continues on our mission, to sustainably +The Alpha-Omega Directed Fund continues our mission, to catalyze sustainable security improvements to the world's most critical open source projects and ecosystems. We do this by applying funding and influence in four key areas: -We provide [monthly public reports](https://alpha-omega.dev/resources/reports), including to TAC and the OpenSSF Governing Board: - * May 2024 - * March/April 2024 - * February 2024 +* Staffing dedicated security roles within critical ecosystems/foundations +* Funding work to improve security for artifact repositories / package registries +* Funding security audits and remediation, often as a precusor to additional work +* Experimentation -_Required: Sum up the status, health of your TI, and the community in a few sentences. Consider this the TL;DR for the rest of the report. How is your community doing health-wise (e.g., is the number of active contributors increasing or decreasing) ? What are the latest news? +Our team consists of Michael Scovetta (Microsoft), Henri Yandell (Amazon Web Services), Bob Callaway (Google), supported by Michael Winser (contractor) and Michelle Martineau and Tracy Li from the Linux Foundation. We've received $5M in funding so far in 2024 and are actively meeting with new potential engagement partners. -## Activity #1 +## Objectives & Key Results + _Required: Replace the section title with the actual name (e.g., "Memory Safety SIG") and fill out each subsection. Repeat this section and subsections as necesssary for other activities. 
@@ -31,9 +33,18 @@ Some key: * We'll have a roundtable at Open Source Summit EU in September and are planning to attend the LF Member Summit. ### Questions/Issues for the TAC -No, but if TAC has any + +No, but as always, we're eager for substantive discussion with TAC and others ## Additional Information -_Optional: Please provide any additional information that you feel would be useful for TAC to be aware._ + +We provide [monthly public reports](https://alpha-omega.dev/resources/reports), including to TAC and the OpenSSF Governing Board: + * [May 2024](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/06/May-Monthly-2024-Report.pdf) + * [March/April 2024](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/05/AO-March-April-Monthly-2024-Report.pdf) + * [February 2024](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/03/AO-February-Monthly-2024-Report.pdf) + * [January 2024](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/02/AO-January-Monthly-2024-Report.pdf) + * [2023 Annual Report](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/02/Alpha-Omega-Annual-Report-2023.pdf) + +You can always reach us at [#alpha_omega](https://openssf.slack.com/archives/C02LUUWQZNK) or by e-mail directly. From 6b92fcfc1df18d987ec7bb9eb0542628d59c1e18 Mon Sep 17 00:00:00 2001 From: Michael Scovetta Date: Fri, 21 Jun 2024 19:22:20 -0400 Subject: [PATCH 3/6] Update 2024-Q2-Alpha-Omega.md Signed-off-by: Michael Scovetta --- TI-reports/2024/2024-Q2-Alpha-Omega.md | 40 ++++++++++++++++++++------ 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/TI-reports/2024/2024-Q2-Alpha-Omega.md b/TI-reports/2024/2024-Q2-Alpha-Omega.md index 4afad6a5..e1067959 100644 --- a/TI-reports/2024/2024-Q2-Alpha-Omega.md +++ b/TI-reports/2024/2024-Q2-Alpha-Omega.md 
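Review bot: in the `@@ -1,18 +1,20 @@` hunk, "often as a precusor to additional work" should read "precursor", and the "_Required: Replace the section title ..." template line is kept under the new "## Objectives & Key Results" heading even though it no longer describes that section; remove it here rather than leaving it for a follow-up. In the `@@ -31,9 +33,18 @@` hunk, the new line "No, but as always, we're eager for substantive discussion with TAC and others" is missing its terminal period, and the report links are added as one-space-indented " * [May 2024](...)" bullets while the Overview above uses unindented "* " bullets; pick one list style for the file.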
@@ -2,7 +2,6 @@ ## Overview - The Alpha-Omega Directed Fund continues our mission, to catalyze sustainable security improvements to the world's most critical open source projects and ecosystems. We do this by applying funding and influence in four key areas: * Staffing dedicated security roles within critical ecosystems/foundations 
@@ -10,23 +9,45 @@ The Alpha-Omega Directed Fund continues our mission, to catalyze sustainable sec * Funding security audits and remediation, often as a precusor to additional work * Experimentation -Our team consists of Michael Scovetta (Microsoft), Henri Yandell (Amazon Web Services), Bob Callaway (Google), supported by Michael Winser (contractor) and Michelle Martineau and Tracy Li from the Linux Foundation. We've received $5M in funding so far in 2024 and are actively meeting with new potential engagement partners. - +### Recent Updates -## Objectives & Key Results +* OpenSSL 3.1 security audit completed. +* Homebrew +## Objectives & Key Results -_Required: Replace the section title with the actual name (e.g., "Memory Safety SIG") and fill out each subsection. Repeat this section and subsections as necesssary for other activities. - +|Key Result|Status| +|-|-| +|**O1: Catalyze trustworthy and secure software, runtimes, and infrastructure for all the major open source ecosystems through staffing**|| +|KR 1.1: Fund security improvements and initiatives for at least ten critical open source organizations by the end of 2024. 
|On target| +|KR 1.2: For each engagement, confirm progress toward improved security outcomes, evidenced through initial and/or follow-on assessments, monthly reporting, and periodic check-ins.|On target| +|KR 1.3: Drive the organizations we work with to obtain security funding from at least one organization other than Alpha-Omega, targeting 33% by the end of 2024.|On target| +|KR 1.4: Organize quarterly roundtables for at least 5 major ecosystems to share information, build connections, and collaborate, resulting in at least one new project or joint publication started in 2024.|On target| +|**O2: The top 10,000 open source projects are free of critical security vulnerabilities**|| +|KR 2.1: Drive adoption of key security processes, including static analysis, credential scanning, the use of private vulnerability disclosures, structured metadata (Security Insights) and the use of multi-factor authentication by maintainers of 500 critical projects from the top 10,000 by the end of 2024.|Planning| +|KR 2.2: Independently scan, triage, and notify maintainers when critical vulnerabilities are found in 2,000 projects, chosen from the top 10,000 by the end of June 2024, with emphasis on clearing a "section of the beach" by focusing on the top PyPI packages.|On target| +|KR 2.3: Publish in a machine readable format the attestations for all packages from 2.2 that returned no vulnerabilities and those that found vulnerabilities which were subsequently fixed and verified.|On target| +|**O3: Enhance Alpha-Omega's effectiveness in driving security improvements through deliberate innovation and experimentation**|| +|KR 3.1: By the end of 2024, run three experiments to explore new strategies for reducing security risk within the open source ecosystems, share the results/learnings, using them to refine our overall strategy and objectives for 2025.|Not started| +|**O4: Run an operationally efficient and effective program**|| +|KR 4.1: Allocate at least 85% of our yearly spend to 
activities directly in support of our mission.|On Target| +|KR 4.2: Receive at least $5 million in renewed funding in 2024.|Completed| +|KR 4.3: For each partner engagement, at least 70% of the objectives defined within the respective agreement are met within the defined time period.|On target| ### Purpose +To catalyze sustainable security improvements to the world's most critical open source projects and ecosystems. + ### Current Status -We're active, healthy, + +We're active and healthy. Our team consists of Michael Scovetta (Microsoft), Henri Yandell (Amazon Web Services), Bob Callaway (Google), supported by Michael Winser (contractor) and Michelle Martineau and Tracy Li from the Linux Foundation. We've received $5M in funding so far in 2024 and are actively meeting with new potential engagement partners. We meet at least weekly as a team and most weeks, meet with at least a few partners (actual or potential). ### Up Next -Some key: +We're finalizing details on a few new engagements - details will be shared with TAC privately through the private TAC mailing list. + +Some key opportunities to engage: + * Our next monthly report is due out around July 5th. * Our next roundtable (for grant recipients and selected guests) will be held on July 25th. * Our next public meeting will be held on August 7th. @@ -34,7 +55,7 @@ Some key: ### Questions/Issues for the TAC -No, but as always, we're eager for substantive discussion with TAC and others +No, but as always, we're eager for substantive discussion with TAC and others. ## Additional Information 
@@ -46,5 +67,6 @@ We provide [monthly public reports](https://alpha-omega.dev/resources/reports), * [January 2024](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/02/AO-January-Monthly-2024-Report.pdf) * [2023 Annual Report](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/02/Alpha-Omega-Annual-Report-2023.pdf) +Each engagement partners provides monthly updates to us on our [GitHub repository](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024). You can always reach us at [#alpha_omega](https://openssf.slack.com/archives/C02LUUWQZNK) or by e-mail directly. From 2b3d47796ce26195ae7c890eb47501cf813087a2 Mon Sep 17 00:00:00 2001 From: Michael Scovetta Date: Fri, 21 Jun 2024 19:38:48 -0400 Subject: [PATCH 4/6] Update 2024-Q2-Alpha-Omega.md Signed-off-by: Michael Scovetta --- TI-reports/2024/2024-Q2-Alpha-Omega.md | 28 ++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/TI-reports/2024/2024-Q2-Alpha-Omega.md b/TI-reports/2024/2024-Q2-Alpha-Omega.md index e1067959..bf15c4e8 100644 --- a/TI-reports/2024/2024-Q2-Alpha-Omega.md +++ b/TI-reports/2024/2024-Q2-Alpha-Omega.md 
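Review bot: in the `@@ -10,23 +9,45 @@` hunk, "* Homebrew" under Recent Updates is a bare bullet with no content, and the context line still carries "precusor". The status column mixes "On target" with "On Target" (KR 4.1); normalize the capitalization so the table can be filtered consistently. KR 2.2 has a deadline of "the end of June 2024" and is marked "On target" in a report dated June 21; for a KR nine days from its deadline it would help the TAC to state whether the 2,000-project scan is expected to complete or to slip. "### Purpose" now repeats the mission sentence from the Overview verbatim; either drop the duplicate or say something the Overview does not. In the `@@ -46,5 +67,6 @@` hunk, "Each engagement partners provides monthly updates" should read "Each engagement partner provides".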
@@ -10,9 +10,28 @@ The Alpha-Omega Directed Fund continues our mission, to catalyze sustainable sec * Experimentation ### Recent Updates - -* OpenSSL 3.1 security audit completed. -* Homebrew +We receive monthly updates from each of our engagements - we urge TAC to read through some of the recent updates in [our repository](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024) to learn more about the depth and breadth of the work that's going on: + +* [Eclipse Foundation](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/Eclipse%20Foundation) +* [FreeBSD](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/FreeBSD) +* [Homebrew](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/Homebrew) +* [jQuery](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/jQuery) +* [Node.js](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/NodeJS) +* [OpenRefactory](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/OpenRefactory) +* [OpenSSL](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/OpenSSL) +* [Prossimo](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/Prossimo) +* [Python Software Foundation](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/Python%20Software%20Foundation) +* [Ruby Central](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/RubyCentral) +* [Rust Foundation](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/Rust%20Foundation) + +Below is a very small sampling of recent updates. + +* **Homebrew**: Homebrew now supports build provenance for practically all bottles and opt-in client-side validation. Read more on the [Trail of Bits blog](https://blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/). 
+* **Eclipse Kuksa**: This project provides shared building blocks for Software Defined Vehicles, and the audit covered the data broker and the Python client, conducted by + Quarkslab and managed by the Open Source Technology Improvement Fund. There were two high severity findings and about a dozen lower severity findings, all + addressed in the latest version. [Download the full report](https://ostif.org/wp-content/uploads/2024/05/Kuksaaudit1.2.pdf). +* **OpenSSL**: This security audit focused on the libcrypto component of OpenSSL 3.1, and was conducted by Trail of Bits and managed by the Open Source Technology + Improvement Fund. There were four medium and six low severity findings. [Download the full report](https://github.com/trailofbits/publications/blob/master/reviews/2023-09-openssl-securityreview.pdf). ## Objectives & Key Results @@ -59,7 +78,6 @@ No, but as always, we're eager for substantive discussion with TAC and others. ## Additional Information - We provide [monthly public reports](https://alpha-omega.dev/resources/reports), including to TAC and the OpenSSF Governing Board: * [May 2024](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/06/May-Monthly-2024-Report.pdf) * [March/April 2024](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/05/AO-March-April-Monthly-2024-Report.pdf) @@ -67,6 +85,4 @@ We provide [monthly public reports](https://alpha-omega.dev/resources/reports), * [January 2024](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/02/AO-January-Monthly-2024-Report.pdf) * [2023 Annual Report](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/02/Alpha-Omega-Annual-Report-2023.pdf) -Each engagement partners provides monthly updates to us on our [GitHub repository](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024). You can always reach us at [#alpha_omega](https://openssf.slack.com/archives/C02LUUWQZNK) or by e-mail directly. - From f905f6a871b93d8ae25405ad31dbeafe35b014b6 Mon Sep 17 00:00:00 2001 
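Review bot: in the `@@ -10,9 +10,28 @@` hunk, the Eclipse Kuksa and OpenSSL bullets are hard-wrapped with a single leading space on the continuation lines ("  Quarkslab and managed by ..."); most renderers treat that as part of the list item, but every other bullet in the file is a single line, so keep these on one line each to match. The OpenSSL bullet links a report whose file name carries "2023-09-openssl-securityreview.pdf" while the bullet it replaces said "OpenSSL 3.1 security audit completed"; adding when the audit was performed versus when the report was published would avoid a reader assuming the audit is from this quarter. The removal of "Each engagement partners provides monthly updates ..." in the `@@ -67,6 +85,4 @@` hunk is consistent with the sentence being moved into Recent Updates in this same patch; no issue there.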
From: Michael Scovetta Date: Fri, 21 Jun 2024 19:48:04 -0400 Subject: [PATCH 5/6] Add scovetta to spelling list. Signed-off-by: Michael Scovetta --- .github/actions/spelling/allow.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt index 403d62fa..e349c3b8 100644 --- a/.github/actions/spelling/allow.txt +++ b/.github/actions/spelling/allow.txt @@ -58,3 +58,4 @@ Jautau jaywhite checkboxes rstuf +scovetta From e6449d6d03b622cea9c8fcebc072997e93c84e30 Mon Sep 17 00:00:00 2001 From: Michael Scovetta Date: Tue, 9 Jul 2024 10:06:39 -0400 Subject: [PATCH 6/6] Add latest updates. Signed-off-by: Michael Scovetta --- TI-reports/2024/2024-Q2-Alpha-Omega.md | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/TI-reports/2024/2024-Q2-Alpha-Omega.md b/TI-reports/2024/2024-Q2-Alpha-Omega.md index bf15c4e8..205adbdc 100644 --- a/TI-reports/2024/2024-Q2-Alpha-Omega.md +++ b/TI-reports/2024/2024-Q2-Alpha-Omega.md 
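Review bot: no issue with appending "scovetta" to `.github/actions/spelling/allow.txt`; the neighbouring entries "Jautau", "jaywhite", "checkboxes", "rstuf" are not alphabetized, so appending at the end is consistent. The report added in this series also introduces names such as Kuksa, Quarkslab, Prossimo and OpenRefactory; whether those already pass the spelling action is not visible here, so confirm the action is green on the full report file rather than only on the author's surname.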
@@ -10,7 +10,20 @@ The Alpha-Omega Directed Fund continues our mission, to catalyze sustainable sec * Experimentation ### Recent Updates -We receive monthly updates from each of our engagements - we urge TAC to read through some of the recent updates in [our repository](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024) to learn more about the depth and breadth of the work that's going on: + +We published our June 2024 report at . + +A few new/renewed engagments: + +* **AI Library Reviews**: We've agreed to fund security audits for the top 100 open source AI libraries, the first set of 25 via the Open Source Technology Improvement Fund (OSTIF). Open source AI libraries are of particular interest due to their inherent nature and the speed at which the space is moving. OSTIF will be conducting these reviews through the end of 2024 after which we'll take what we learn and apply it to the next set of open source AI libraries. + +* **OpenRefactory**: We've renewed our engagement with OpenRefactory to continue scanning important open source projects for serious security vulnerabilities, including full transitive dependency scans of Apache Airflow, Kubernetes, and Jenkins, as well as an initial scan of the top 300 Rust crates. + +* **Apache Airflow**: We've agreed to fund work in 2024 on a security audit of Apache Airflow and a "light" audit it's entire (700+) dependencies. We expect to learn a lot for this experience and will use it to inform our strategy moving forward. + +* **Rust for Linux**: We've agreed to renew funding (through Prossimo / ISRG) to support advancing Rust in the Linux Kernel. 
+ +In addition, we receive monthly inbound updates from each of our engagements - we urge TAC to read through some of the recent updates in [our repository](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024) to learn more about the depth and breadth of the work that's going on: * [Eclipse Foundation](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/Eclipse%20Foundation) * [FreeBSD](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/FreeBSD) @@ -24,7 +37,7 @@ We receive monthly updates from each of our engagements - we urge TAC to read th * [Ruby Central](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/RubyCentral) * [Rust Foundation](https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/Rust%20Foundation) -Below is a very small sampling of recent updates. +Below is a very small sampling of recent updates from our existing engagements: * **Homebrew**: Homebrew now supports build provenance for practically all bottles and opt-in client-side validation. Read more on the [Trail of Bits blog](https://blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/). * **Eclipse Kuksa**: This project provides shared building blocks for Software Defined Vehicles, and the audit covered the data broker and the Python client, conducted by 
@@ -59,12 +72,10 @@ To catalyze sustainable security improvements to the world's most critical open ### Current Status -We're active and healthy. Our team consists of Michael Scovetta (Microsoft), Henri Yandell (Amazon Web Services), Bob Callaway (Google), supported by Michael Winser (contractor) and Michelle Martineau and Tracy Li from the Linux Foundation. We've received $5M in funding so far in 2024 and are actively meeting with new potential engagement partners. We meet at least weekly as a team and most weeks, meet with at least a few partners (actual or potential). +We're active and healthy. Our team consists of Michael Scovetta (Microsoft), Henri Yandell (Amazon Web Services), Bob Callaway (Google), supported by Michael Winser (contractor) and Michelle Martineau and Tracy Li from the Linux Foundation. We've received $5M in funding so far in 2024 and are actively meeting with new potential engagement partners. We've spent $4M so far in 2024 and plan to spend more. We meet at least weekly as a team and most weeks, meet with our partners (existing and potential) regularly. ### Up Next -We're finalizing details on a few new engagements - details will be shared with TAC privately through the private TAC mailing list. - Some key opportunities to engage: * Our next monthly report is due out around July 5th. 
@@ -79,6 +90,7 @@ No, but as always, we're eager for substantive discussion with TAC and others. ## Additional Information We provide [monthly public reports](https://alpha-omega.dev/resources/reports), including to TAC and the OpenSSF Governing Board: + * [June 2024](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/07/June-Monthly-2024-Report.pdf) * [May 2024](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/06/May-Monthly-2024-Report.pdf) * [March/April 2024](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/05/AO-March-April-Monthly-2024-Report.pdf) * [February 2024](https://alpha-omega.dev/wp-content/uploads/sites/22/2024/03/AO-February-Monthly-2024-Report.pdf)
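Review bot: in the `@@ -10,7 +10,20 @@` hunk, "We published our June 2024 report at ." has no URL after "at"; the same report is linked in the `@@ -79,6 +90,7 @@` hunk of this patch, so either reuse that link here or drop the sentence. Also in that hunk: "A few new/renewed engagments" should read "engagements"; "a \"light\" audit it's entire (700+) dependencies" should read "a \"light\" audit of its entire (700+) dependencies"; and "We expect to learn a lot for this experience" should read "from this experience". In the `@@ -59,12 +72,10 @@` hunk, the Up Next list still says "Our next monthly report is due out around July 5th", but this commit is dated July 9 and adds the June 2024 report link, so that bullet is stale; update it to the next report or remove it. The rewritten Current Status line "most weeks, meet with our partners (existing and potential) regularly" says "most weeks" and "regularly" for the same thing; one of them is enough.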