From 4ecd2a2c7dbe22c591bd99fab6da0e00d46afd99 Mon Sep 17 00:00:00 2001 From: Marcela Melara Date: Mon, 18 Mar 2024 08:42:25 -0700 Subject: [PATCH] Update incubating TI Gives+Gets to match lifecycle/templates Signed-off-by: Marcela Melara --- process/TI-Gives+Gets.md | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/process/TI-Gives+Gets.md b/process/TI-Gives+Gets.md index cf06d709..8f1907cf 100644 --- a/process/TI-Gives+Gets.md +++ b/process/TI-Gives+Gets.md 
@@ -15,7 +15,7 @@ Also note that benefits may actually vary based on resources and funds availabil * TI must be aligned with the OpenSSF mission and either be a novel approach for existing areas or address an unfulfilled need. It is expected that the initial code needed for an OpenSSF WG to work be kept within their repository and will not function as a project in its own right. Should initial WG code grow and mature that it warrants its own Project status, then it is subject to Sandbox entry requirements. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project. * TI must maintain a diversified contributor base (i.e. not a single-vendor project). TI must have a minimum of two maintainers with different organization affiliations. * WG must find a TAC sponsor that can help guide the WG through its sandbox stage. - * Project and or SIG must find an aligned WG to host the TI or must have a TAC sponsor that can help guide the TI through the sandbox stage. + * Project and SIG must find an aligned WG to host the TI or must have a TAC sponsor that can help guide the TI through the sandbox stage. * TI agrees to follow the [Secure Software Development Guiding Principles](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/SecureSoftwareGuidingPrinciples.md) and the [Open Source Consumption Manifesto](https://github.com/ossf/wg-endusers/tree/main/MANIFESTO). * If contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). * Provides quarterly updates to the TAC on technical vision and progress on vision. 
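Review bot: the replacement line in this hunk, "Project and SIG must find an aligned WG to host the TI or must have a TAC sponsor", reads as a single requirement that applies to Projects and SIGs jointly, but the surrounding bullets (the WG bullet directly above it) state requirements per TI type, and a Project and a SIG are different things that each need a host WG or a TAC sponsor on their own. The original "Project and or SIG" was clumsy, but dropping "or" changes the sense rather than fixing it. Suggest "Project or SIG must find an aligned WG to host the TI, or must have a TAC sponsor that can help guide the TI through the sandbox stage." so the bullet clearly applies to either kind of TI; the same "Project and SIG" phrasing appears in the Incubating hunk and should be made consistent with whatever is chosen here.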
@@ -37,16 +37,19 @@ Also note that benefits may actually vary based on resources and funds availabil ### Gives/Requirements - All requirements of Sandbox must be fulfilled. PR filed to promote group to Incubating stage. - * Group has met no less than 5 times within the last calendar quarter - * Maintains a diversified contributor base (i.e. not a single-vendor project) with an active flow of contributions. Projects must have a minimum of three maintainers with a minimum of two different organization affiliations, and document the current list of maintainers. - * Projects must have defined a contributor guide, which makes it clear how and when contributors should be given increasing responsibilities towards maintainership of the project. (Example guides: Sigstore, AllStar) - * Projects should be able to show adoption by multiple parties and adoption's value to the open source community and/or end users (may include adoption of beta/early versions) with the intent to showcase wide adoption by the project's consumers. +All requirements of Sandbox must be fulfilled. PR filed to promote TI to Incubating stage. * TI must have documented, initial group governance. - * Maintains a point of contact for vulnerability reports in the security.md - * Implements, practices, and refines mature software development and release practices such as following a version schema. - * TI follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria, secret scanning, and code scanning. - * TIs that include code use Scorecards + * WG and Project has met no less than 5 times within the last calendar quarter + * Maintains a diversified contributor base (i.e. not a single-vendor project) with an active flow of contributions, and documents the current list of maintainers: + * WG must have a minimum of five participants with a minimum of three different organization affiliations. 
+ * Project and SIG must have a minimum of three contributors with a minimum of two different organization affiliations. + * Project must have defined a contributor guide, which makes it clear how and when contributors should be given increasing responsibilities towards maintainership of the project. (Example guides: Sigstore, AllStar) + * Project should be able to show adoption by multiple parties and adoption's value to the open source community and/or end users (may include adoption of beta/early versions) with the intent to showcase wide adoption by the project's consumers. + * TI that develops code: + * Implements, practices, and refines mature software development and release practices such as following a version schema. + * Follows security best practices (as recommended by the OpenSSF and others), including passing the OpenSSF Best Practices criteria, secret scanning, and code scanning. + * Maintains a point of contact for vulnerability reports in the security.md. + * Must use Scorecards. * Begins to establish the appropriate governance that enables its sustainment for potential graduation. ### Gets/Benefits
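Review bot: the new sub-bullet "Project and SIG must have a minimum of three contributors with a minimum of two different organization affiliations" lowers the bar relative to the text it replaces ("minimum of three maintainers") and is now weaker than the Sandbox requirement in the previous hunk, which already demands "a minimum of two maintainers with different organization affiliations"; a contributor count does not demonstrate the diversified maintainer base the parent bullet asks for, and the parent bullet still says "documents the current list of maintainers". Suggest keeping "maintainers" here, or stating both a maintainer and a contributor threshold explicitly if that is the intent. Two smaller points in the same hunk: "WG and Project has met no less than 5 times" needs "have" and, like the hunk above, should say "WG or Project" (or list the TI types it applies to; note that SIG is named in the contributor bullets but not in the meeting-cadence bullet, which looks unintentional), and "Must use Scorecards." is the only sub-bullet under "TI that develops code:" written in modal form, so "Uses Scorecards." would match "Implements", "Follows" and "Maintains".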