Adopt the Alpha-Omega 10k critical OSS Projects list under this WG #66

Open
JLLeitschuh opened this issue Mar 10, 2023 · 5 comments

@JLLeitschuh

The @ossf/alpha-omega team has collected a list of the top 10k OSS projects which we are using as a target for security scanning, vulnerability reporting, and, in the future, as a list of projects that any automated bulk PR generation campaign is required to report vulnerabilities privately to.

We'd like to propose that this list be owned by this WG, both to avoid confusion between your lists and the one @ossf/alpha-omega uses, and because it seems like the right fit.

https://docs.google.com/spreadsheets/d/1fgj0DOoNC-HpHhokN75AfXk9m02mZDpFt1jpkacohus/edit#gid=0

@bureado

bureado commented Mar 11, 2023

Very interesting! Just to state the obvious, the list has a mix of critical and popular repos. And, while a much more minor consideration, there are also duplicates, e.g., Homebrew's two virtualenv packages are likely the same as PyPI's virtualenv package, which is likely the same as GitHub's virtualenv repo. Stating this so that it's a bit more clear whether the definitions here or in a-o are changing as a result of this (doesn't look like this is what you're proposing, just making it more clear).

@scovetta

Yep, the purpose of this was to get something that's "correct" to a first approximation. Since 10,000 is a Big Number, we can easily add/remove over time with a relatively low barrier to entry. When we find dupes, we can just remove one of them, and if we want to add others, we can just do it.

Basically, this should be a "living" list that changes over time and without a lot of process. At least, that's how I've been thinking about it.

@nathan-menhorn

@JLLeitschuh What's the best way to request a project get added to the list? I would suggest adding https://github.com/DMTF/libspdm if possible, as the SPDM standard and this lib are widely used across the data center industry. Thanks.

@scovetta

Thanks @nathan-menhorn! While I'm in favor of very low barriers to entry for this list, libspdm has an ominous statement in their README that suggests that folks shouldn't actually be using it in production:

This package is only the sample code to show the concept of SPDM and should not be considered fit for production.

But to the larger point -- if you or anyone else has a project that you think should be added, it should be very easy to get it added. IMHO.

@david-a-wheeler
Contributor

@scovetta - can we please have a short "key" for the spreadsheet entries? E.g., when it says "criticality_score", what does that mean? I presume that means "it's the top X project as measured by the OpenSSF Criticality Score as of DATE".
