[Technical Initiative Funding Request]: RSTUF Cloud/k8s deployment costs for tests, demo and validations #315
Comments
|
I am in favor of this proposal, but be aware that at least for this year there's no interest to run public services so can you also include information on who would have access both from and Admin perspective and who the intended users on those tests might be? |
|
@mlieberman85, RSTUF maintainers are the users. The intended users are the RSTUF Maintainers, who will run different tests, such as updating the version to verify the consistency of the TUF metadata and releases and running processes such as key rotation, key revocation, etc. |
|
Thanks, that clarifies! |
|
I am also in favor of this proposal! There are some promising early results on using RSTUF to secure RubyGems and Warehouse (Python) package indexes. |
|
I do support this. Current RSTUF infra is really useful for adopters (like RubyGems.org). I'm happy to help as well if needed. |
|
We discussed this on the TAC call, but it's a good idea to document here as well. Note that this is not a request to fund a long-running service (like the Sigstore Public Good Instance). Rather, this is to fund the RSTUF development instance, while the codebase is developed. The RSTUF instances that will run after development is complete will be the operational responsibility of the package managers (like RubyGems or Warehouse), not the OpenSSF. |
|
In support. |
|
SGTM |
|
I do not see a specific amount being requested nor a time-boundary for the duration of the funding. I see "The entire cost here is to deploy one or two Kubernetes clusters for RSTUF.", but nothing defining what the actual request is. |
Good call. Is there an estimate, or a cap "up to" desired? |
|
Hi @SecurityCRob and @sevansdell. |
|
Perfect, tyvm. The TAC will discuss this in our next call (11June) |
|
I am supportive. I will miss the June 11 TAC meeting and am trying to be proactive. :) |
Problem Statement
RSTUF deployment on Cloud/K8s for demos and tests
Who does this affect?
Financial expense of RSTUF author/maintainer
Have there been previous attempts to resolve the problem?
No
Why should it be tackled now and by this TI?
RSTUF is part of the OpenSSF sandbox
Give an idea of what is required to make the funding initiative happen
Currently, RSTUF Author/Maintainer Kairo de Araujo (@kairoaraujo) spends over 1000€ a year supporting a live deployment of RSTUF that servers for tests, demos, and verification of no breaking release updates.
The deployment now lives in https://api.rstuf.kairo.dev
Kairo de Araujo is looking for funding to support it and move to https://rstuf.org (domain also maintained by @kairoaraujo)
What is going to be needed to deliver this funding initiative?
An account or credits to use deploy the RSTUF in a cloud service on Kubernetes
Are there tools or tech that still need to be produced to facilitate the funding initiative?
No
Give a summary of the requirements that contextualize the costs of the funding initiative
The entire cost here is to deploy one or two Kubernetes clusters for RSTUF.
Who is responsible for doing the work of this funding initiative?
Kairo de Araujo (@kairoaraujo)
Who is accountable for doing the work of this funding initiative?
Kairo de Araujo (@kairoaraujo)
If the responsible or accountable parties are no longer available, what is the backup contact or plan?
Martin Vrachev (@MVrachev)
Which technical initiative will this funding initiative be associated with, and will it report to which WG or project?
Securing Software Repositories WG
What license is this funding initiative being used under?
MIT
Code of Conduct
List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.
Kairo hopes to have this approved and deploy the cluster as soon as possible, as he pays the costs monthly.
If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.
N/A
The text was updated successfully, but these errors were encountered: