Skip to content

Latest commit

 

History

History
107 lines (54 loc) · 11.4 KB

CHARTER.md

File metadata and controls

107 lines (54 loc) · 11.4 KB
Raw

Technical Charter for Open Source Security Foundation

[Securing Critical Projects - Working Group]

In Review August 18th, 2022

This Technical Charter sets forth the responsibilities and procedures for technical contribution to, and oversight of, the Securing Critical Projects WG open source community, which has been established as a Working Group (the "Technical Initiative") under the Open Source Security Foundation (the “OpenSSF”). All contributors (including committers, maintainers, and other technical positions) and other participants in the Technical Initiative (collectively, “Collaborators”) must comply with the terms of this Technical Charter and the OpenSSF Charter.

1. Mission and Scope of the Technical Initiative

  • a. The mission of the Technical Initiative is to identify critical open source software (OSS) projects and secure those projects. This space allows members to collaborate together on these goals.

  • b. The scope of the Technical Initiative includes collaborative development under the Technical Initiative License (as defined herein) supporting the mission, including organizing collaboration activities, defining best practices, documentation, testing, integration, and the creation of other artifacts that support the mission.

  • c. Membership. The Technical Initiative generally will involve Collaborators and Contributors. The TSC may adopt or modify additional roles so long as the roles are documented in the Technical Initiative’s repository. Unless otherwise documented:

    • i. Contributors include anyone in the technical community that contributes effort, ideas, code, documentation, or other artifacts to the Technical Initiative;

    • ii. Collaborators are Contributors who have earned the ability to modify ("commit") text, source code, documentation or other artifacts in the Technical Initiative’s repository or direct the agenda or working activities of the Technical Initiative; and

    • iii. A Contributor may become a Collaborator by a majority approval of the existing Collaborators. A Collaborator may be removed by a majority approval of the other existing Collaborators.

    • iv. Maintainers are the initial Collaborators defined at the creation of the Technical Initiative. The Maintainers will determine the process for selecting future Maintainers. A Maintainer may be removed by two-thirds approval of the other existing Maintainers, or a majority of the other existing Collaborators.

  • d. Participation in the Technical Initiative through becoming a Contributor, Collaborator, or Maintainer is open to anyone, whether a OpenSSF member or not, so long as they abide by the terms of this Technical Charter.

2. Technical Steering Committee

  • a. The Technical Steering Committee (the "TSC") will be responsible for all oversight of the Technical Initiative.

  • b. The TSC voting members are initially the Technical Initiative’s Maintainers. The Maintainers will be documented in the Technical Initiative repository. The TSC is responsible for determining the future process for defining voting members of the TSC, and any such alternative approach will also be documented appropriately. Any meetings of the Technical Steering Committee are intended to be open to the public, and can be conducted electronically, via teleconference, or in person. While all meetings are intended to be open to the public, the TSC reserves the right to make a given meeting closed to handle sensitive issues that arise.

  • c. The TSC may create, change, modify, or remove roles or their definitions, so long as the definitions of roles for the Technical Initiative are publicly available and following a two week public comment period to solicit community feedback in the Technical Initiative repository.

  • d. The TSC may elect a TSC Chair, who will preside over meetings of the TSC and will serve until their resignation or replacement by the TSC.

  • e. Responsibilities: The TSC will be responsible for all aspects of oversight relating to the Technical Initiative, which may include:

    • i. coordinating the direction of the Technical Initiative;

    • ii. approving, organizing or removing activities and projects;

    • iii. establish community norms, workflows, processes, release requirements, and templates for the operation of the Technical Initiative;

    • iv. establish a fundraising model, and approve or modify a Technical Initiative budget, subject to OpenSSF Governing Board approval;

    • v. appointing representatives to work with other open source or open standards communities;

    • vi. approving and implementing policies and processes for contributing (to be published in the Technical Initiative repository) and coordinating with the Linux Foundation to resolve matters or concerns that may arise as set forth in Section 6 of this Technical Charter;

    • vii. facilitating discussions, seeking consensus, and where necessary, voting on technical matters relating to the Technical Initiative; and

    • viii. coordinating any communications regarding the Technical Initiative.

3. TSC Voting

  • a. While the Technical Initiative aims to operate as a consensus-based community, if any TSC decision requires a vote to move the Technical Initiative forward, the voting members of the TSC will vote on a one vote per voting member basis.

  • b. Quorum for TSC meetings requires at least fifty percent of all voting members of the TSC to be present. The TSC may continue to meet if quorum is not met but will be prevented from making any decisions at the meeting.

  • c. Except as provided in Section 7.c. and 8.a, decisions by vote at a meeting require a majority vote of those in attendance, provided quorum is met. Decisions made by electronic vote without a meeting require a majority vote of all voting members of the TSC.

  • d. In the event a vote cannot be resolved by the TSC, any voting member of the TSC may refer the matter to the TAC for assistance in reaching a resolution.

4. Compliance with Policies

  • a. This Technical Charter is subject to the OpenSSF Charter and any rules or policies established for all Technical Initiatives.

  • b. The Technical Initiative participants must conduct their business in a professional manner, subject to the Contributor Covenant Code of Conduct 2.0, available at https://www.contributor-covenant.org/version/2/0/code_of_conduct. The TSC may adopt a different code of conduct ("CoC") for the Technical Initiative, subject to approval by the TAC.

  • c. All Collaborators must allow open participation from any individual or organization meeting the requirements for contributing under this Technical Charter and any policies adopted for all Collaborators by the TSC, regardless of competitive interests. Put another way, the Technical Initiative community must not seek to exclude any participant based on any criteria, requirement, or reason other than those that are reasonable and applied on a non-discriminatory basis to all Collaborators in the Technical Initiative community. All activities conducted in the Technical Initiative are subject to the Linux Foundation’s Antitrust Policy, available at https://www.linuxfoundation.org/antitrust-policy.

  • d. The Technical Initiative will operate in a transparent, open, collaborative, and ethical manner at all times. The output of all Technical Initiative discussions, proposals, timelines, decisions, and status should be made open and easily visible to all. Any potential violations of this requirement should be reported immediately to the TAC.

5. Community Assets

  • a. The Linux Foundation will hold title to all trade or service marks used by the Technical Initiative ("Technical Initiative Trademarks"), whether based on common law or registered rights. Technical Initiative Trademarks may be transferred and assigned to LF Technical Initiatives to hold on behalf of the Technical Initiative. Any use of any Technical Initiative Trademarks by Collaborators in the Technical Initiative will be in accordance with the trademark usage policy of the Linux Foundation, available at https://www.linuxfoundation.org/trademark-usage, and inure to the benefit of the Linux Foundation.

  • b. The Linux Foundation or Technical Initiative must own or control the repositories, social media accounts, and domain name registrations created for use by the Technical Initiative community.

  • c. Under no circumstances will the Linux Foundation be expected or required to undertake any action on behalf of the Technical Initiative that is inconsistent with the policies or tax-exempt status or purpose, as applicable, of the Linux Foundation.

6. Intellectual Property Policy

  • a. Collaborators acknowledge that the copyright in all new contributions will be retained by the copyright holder as independent works of authorship and that no contributor or copyright holder will be required to assign copyrights to the Technical Initiative.

  • b. Except as described in Section 6.c., all contributions to the Technical Initiative are subject to the following:

    • i. All new inbound code contributions to the Technical Initiative must be made using the Apache License, Version 2.0, available at https://www.apache.org/licenses/LICENSE-2.0 (the "Technical Initiative License").

    • ii. All new inbound code contributions must also be accompanied by a Developer Certificate of Origin (http://developercertificate.org) sign-off in the source code system that is submitted through a TSC-approved contribution process which will bind the authorized contributor and, if not self-employed, their employer to the applicable license;

    • iii. All outbound code will be made available under the Technical Initiative License.

    • iv. Documentation will be received and made available by the Technical Initiative under the Creative Commons Attribution 4.0 International License, available at http://creativecommons.org/licenses/by/4.0/.

    • v. To the extent a contribution includes or consists of data, any rights in such data shall be made available under the CDLA-Permissive 1.0 License.

    • vi. The Technical Initiative may seek to integrate and contribute back to other open source projects ("Upstream Projects"). In such cases, the Technical Initiative will conform to all license requirements of the Upstream Projects, including dependencies, leveraged by the Technical Initiative. Upstream Project code contributions not stored within the Technical Initiative’s main code repository will comply with the contribution process and license terms for the applicable Upstream Project.

  • c. The TSC may approve the use of an alternative license or licenses for inbound or outbound contributions on an exception basis. To request an exception, please describe the contribution, the alternative open source license(s), and the justification for using an alternative open source license for the Technical Initiative. License exceptions must be approved by a two-thirds vote of the entire Governing Board.

  • d. Contributed files should contain license information, such as SPDX short form identifiers, indicating the open source license or licenses pertaining to the file.

7. Amendments

  • a. This charter may be amended by a two-thirds vote of the entire TSC and is subject to approval by the TAC.