Agenda

  1. Finalize agenda
  2. Presentation: Dana Wang from OpenSSF
  3. New business
  4. Misc
    • Workgroups
    • OS summit conference
    • Blogs
    • Vice-chair election
    • Action Items

Announcements

None

Presentation

Dana Wang from OpenSSF

  • OS security matters
    • dependency management
    • Software supply chain threats
    • Various recent headlines on OSS security vulnerabilities
  • OpenSSF is second try at LF security
  • Mission: Make OSS more secure
  • Values and strategies
    1. Education and training
    2. Facilitate collaboration
    3. Sustainable tech innovation
    4. Advocacy and policy
    5. Community engagement
  • Operations
    • Structure
    • Working groups
    • Tech initiatives
  • Scorecard: github.com/ossf/scorecard
    • Analysis at the project level, not the code level
    • Metadata
    • API based
    • Looks at various items
      • Workflows
      • Vulnerabilities
      • Binary artifacts
      • Code reviews
      • Dependency update tools
      • Maintained
      • Signed releases
      • Token permissions
      • Pinned dependencies
      • Fuzzing
      • Packaging
      • SAST
      • Security policy
      • CI tests
      • CII best practices
      • Contributors
      • Licenses
      • Branch protection
      • SBOM probe (will be adding)
      • Expand SBOM probe to CBOM
  • How to customize / modify
  • GSA is currently working on the below SBOM efforts
    • Develop three user guides
    • Validate SBOM workflow (ITC Lab Project)
    • Incorporate contract language into our Multiple Award Schedule Contracts
  • GUAC project
  • Protobom - ingest SBOM data and write protobom
  • MVSP – minimum viable secure product
  • Take a risk-based approach, minimal, practical
  • Establishing a process for projects to meet the Security Baseline
  • All OpenSSF projects following the Security Baseline
    • tooling limited
    • Scorecard to use
  • Various events coming up, podcast (what is SOSS?)

Decision

Add here

Discussion

  1. New business
    • ARM / GitHub funding
      • $5K / month
      • Ry has it on the board
      • Circle CI free plan (need to move out)
  2. Misc
    • TSC update
      • ML-KEM
      • Nigel elected TSC chair
    • Workgroups update
      • Lifecycle doc review: https://docs.google.com/document/d/1NV-0vNgXWdc81oqT0jv0C-9Funb8dySS06u90ghF-X4/edit?usp=sharing
        • Please read
        • What do you think?
    • Conferences
    • Vice-chair election
      • Deadline to submit

Action items

## Done (from previous minutes)

  • Create GH issue for content reviewers [Naomi]

## Old

  • Docs / Education / Website — look at PQ Code package as example [Nigel]
  • Lifecycle document review [All]
  • Summary for security workgroup [Nigel]
  • SBOM / CBOM interest query [Nigel]

## New

  • Lifecycle document completion [Hart]

Recordings

Upcoming TAC meetings

Please check the calendar

Attended by

TAC members

Norman, Sam, Sophie, and Brian attended

  • Norman Ashley, Cisco
  • Michael (Max)imilien, IBM
  • Yarkin Doroz, NVIDIA
  • Sophie Schmieg, Google
  • Brian Jarvis, Amazon Web Services Inc.
  • Thomas Bailleux, SandboxAQ

Additional attendees

  • Ry Jones (LF)
  • Hart Montgomery (LF)
  • Naomi Washington (LF)
  • Dana Wang (LF)
  • Alex Bozarth (IBM)
  • Nigel Jones (IBM)
  • Bryan Uhri ()
  • Jason XXX (GSA)
  • Jim Miller (Trails of Bits)
  • JP Lomas (QRL Foundation)