
[Technical Initiative Funding Request]: Funding for Contractors To Work On Security Tools #311

Open
1 task done
ware opened this issue Apr 10, 2024 · 12 comments

Comments

@ware

ware commented Apr 10, 2024

Problem Statement

OpenSSF has lots of ideas and volunteers, but not enough people creating software reflecting those ideas. We need to be able to hire contractors to work on these tools.

Who does this affect?

The majority of the WGs

Have there been previous attempts to resolve the problem?

Other than a call for volunteers, I do not believe so.

Why should it be tackled now and by this TI?

Many of the groups have tools they would like to see or need help developing the tools they currently have

Give an idea of what is required to make the funding initiative happen

This question is pretty open ended so I'm unsure of everything that is being asked of it. That said, many people look at the Security Tooling WG as a place where security tools can be created. Yes, that is being done in relation to some of the SBOM tooling, but there are other tools that need to be developed and then maintained. To make this really valuable, the ST:WG needs to work with all of the other WGs, do a survey with them on the tooling efforts that they need, and then hire 2-3 contractors to help those WGs build out those tools.

What is going to be needed to deliver this funding initiative?

A completed survey with other WGs to determine their needs.

Are there tools or tech that still need to be produced to facilitate the funding initiative?

There are no tools or tech that would be needed by this funding initiative. However, this funding initiative could be used to help other WGs with their tools or tech needs.

Give a summary of the requirements that contextualize the costs of the funding initiative

The summary of the need here is for there to be funding in place to hire 2-3 contractors working full time to help create new OpenSSF tools and, where possible, contribute to existing tools that need help.

Who is responsible for doing the work of this funding initiative?

Ryan Ware

Who is accountable for doing the work of this funding initiative?

Ryan Ware

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

Arun Gupta

Which technical initiative will this funding initiative be associated with, and will it report to which WG or project?

This would be a part of the Security Tooling WG

What license is this funding initiative being used under?

Variable

Code of Conduct

  • I agree to follow the OpenSSF's Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

  • End of Q2 do survey of all WGs to determine their security tooling needs
  • End of July, have a priority list of projects
  • End of Q3, have 2-3 contractors hired to work on the projects with appropriate skill matching

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

There would undoubtedly be a contract with contracting agencies that would need to be put in place. The SoW would depend upon the projects being tackled.

@steiza
Member

steiza commented Apr 30, 2024

I'm supportive of this idea generally, and I love the milestones, but I'm not sure I understand the sequencing and what is being asked for today.

@ware are you requesting funding for a contractor to run the WG survey in Q2? Or are we saying that once we have the results of that survey we'll be making more concrete funding requests? Or maybe there's a third option, where we're requesting funds for the whole project in advance, to shape the survey and scope the projects we consider for Q3?

Again, I think this is promising, but I could use help in clarifying the request. Thanks!

@ware
Author

ware commented Apr 30, 2024

Excellent question! To be clear, the contractor will be to do coding after we do the WG survey. The survey is to identify areas where OpenSSF WGs need help getting coding done. I think the survey itself can be done by me and others in the ST WG. When the survey is complete, we would work collaboratively with TAC to determine what the right priority is.

I envision this more as a pilot on how we can get code written for critical needs across OpenSSF. In conversations with various folks in OpenSSF, I regularly hear that we create lots of documentation but don't have the right people to write code. I'd like to make sure OpenSSF has a place to go to address those needs in a prioritized manner.

Does that answer your question @steiza?

@mlieberman85
Contributor

I think this would be useful, especially in cases where the contributors/volunteers on the projects aren't experts in a particular thing. For example, having someone who is an expert in databases to help with optimizing queries when the engineers on the project aren't experts.

We also probably want to be sensitive here, as there are a lot of projects with devs already working on them that could use help, and there are various projects that have no engineers that could use help, and I want us to be careful not to view the latter case as the obvious one that is in need of help. We don't want to end up in a situation where member companies view the OpenSSF as a way to subsidize work, potentially on projects they want to productize.

@sevansdell
Contributor

I recommend, after the survey, when you have a list of TIs that could benefit from code support, putting in a time-boxed request for support and what they'd do. We should do an ask of members to participate, and barring anyone stepping forward, could fund time-boxed work with a future TI proposal review with the specifics: it's a need, no members have responded, here's what they'd do for x amount of time. And then take those on a case-by-case basis.

@steiza
Member

steiza commented May 28, 2024

@ware we're doing some issue housekeeping - can we close this issue out? My understanding is that you're going to conduct a survey and come back with a more detailed request for funding - is that the case?

@ware
Author

ware commented Jun 3, 2024

> @ware we're doing some issue housekeeping - can we close this issue out? My understanding is that you're going to conduct a survey and come back with a more detailed request for funding - is that the case?

That wasn't the intent. I was going to do the survey if there was going to be funding. I'm happy to go work with all of the WGs & SIGs to determine their needs and work with all key stakeholders to prioritize what gets worked on, but that's a lot of prospective work to do if I have no idea there's going to be funding. If there's going to be funding, happy to do all that work.

@SecurityCRob
Contributor

I don't see a specific dollar request in this. I see "2-3 contractors", but no projected cost. It is hard to approve funding without specific figures. @ware

@sevansdell
Contributor

> > @ware we're doing some issue housekeeping - can we close this issue out? My understanding is that you're going to conduct a survey and come back with a more detailed request for funding - is that the case?
>
> That wasn't the intent. I was going to do the survey if there was going to be funding. I'm happy to go work with all of the WGs & SIGs to determine their needs and work with all key stakeholders to prioritize what gets worked on, but that's a lot of prospective work to do if I have no idea there's going to be funding. If there's going to be funding, happy to do all that work.

@ware What I am hearing from Budget and Finance committee - we have funds to distribute to TIs for one time activities, not those that will become an annual or long term expense. I believe work you do to survey and come back with TI requests will be well received....OpenSSF wants to support TIs with one time funding this year! Your surveys could help accelerate this.

@ware
Author

ware commented Jun 7, 2024

Thank you @SecurityCRob & @sevansdell both for your thoughts. I think there is a good way to address your thoughts and some others that I've seen: Let's make this a 1-time pilot to prove the concept, and if it's successful, we look for other avenues of funding that are cyclical.

As such, I would like to amend this TIFR for us to hire one developer (contractor) for 1 quarter. I think experienced developers are about $50k/quarter so that is the specific ask.

I can survey the various WGs and SIGs over the next 6 weeks and then we can work on hiring an appropriate contractor for the work we all agree upon.

Thoughts?

@SecurityCRob
Contributor

Perfect, tyvm. The TAC will discuss this in our next call (11 June).

@sevansdell
Contributor

I will be out on June 11 and am trying to be proactive. I support this TI funding request with your additions @ware.

@ware
Author

ware commented Jun 11, 2024

I want to respond to a suggestion that was brought up. It was suggested that I pick a project for this that has already been brought to my attention. I feel this runs directly counter to concerns that were brought up by others implying that we don't want to show any type of favoritism. We need to ensure that if we are going to do this pilot, we fairly evaluate the needs of all TIs and not just the ones that have been brought to my personal attention. Without doing that, this feels much less open and community focused. Maybe we turn this around and have TIs come make requests of the ST WG?

Projects
Status: Under TAC review