Description
(I recently attended Open Source Summit in Vancouver, and this issue is based on a convo with Anne Bertucio from Google, who directed me to post an issue here. Apologies in advance if there is a better place / better way to go about sharing this feedback!)
Context: I'm a long-time core maintainer and general cat herder of the Drupal open source project, a member of their security team, and a general security enthusiast since the alt.2600 days. I sort of accidentally learned about OpenSSF's existence last year (and also accidentally learned we are deemed a "critical project"), and since then have spent a few weekends digging around the website and reading a whole bunch. I've attended a couple of town halls, and attended the morning of OpenSSF Day a couple of weeks back. I would rate my knowledge about open source maintainership 9/10, my OpenSSF knowledge maybe 3/10.
So with that in mind, gulp, here goes. :)
Problem Statement
Right now, OpenSSF's activities are presented in a way that is congruent with other Linux Foundation projects: there's a strong focus on the how the OpenSSF is structured, how the governance works, how it is run day to day, what are the recent achievements, and so on. All of that makes total sense, through the lens of being a member-driven Linux Foundation project, and wanting to demonstrate your value to prospective members.
However, by and large, open source maintainers:
- Have very little time for "extracurricular activities" beyond their maintainer responsibilities, since they are often balancing these with a job and a family
- Therefore, tend to "silo" into their own projects, their own community, and their own problems, by necessity
- Therefore, be broadly unaware of OpenSSF's existence — if they go to events, and have $1000 to spend on a ticket, they will tend to attend something like DrupalCon, not something like Open Source Summit
- Once learning of OpenSSF's existence, they will have very little time to dig through information (including terms/acronyms they may not already be familiar with, such as "SBOMs") to answer the question "What are the problems you solve for my project and how do I partner with you?"
- When they attempt to answer this question based on the available information, they'll see a lot of evidence of how OpenSSF helps enterprises, governments, etc. and their customers, but not a lot of information of how it helps them as an everyday maintainer. (They may in fact leave with the opposite impression, that the OpenSSF exists to make their job harder, in order to please enterprises / customers :\ — see the blow-up when YubiKeys were distributed to maintainers of all the top Python projects, for example.)
Objectives
Taken together, it seems like in order for OpenSSF to broadly win the "hearts and minds" of maintainers, there needs to be focus on (at least) the following things:
- We need to meet maintainers where they are in order to raise awareness of OpenSSF.
- We need to ensure they achieve this understanding in as little time as possible.
- We need to present the activities of OpenSSF in a pain point/solution-focused way, to help make our benefits tangible and demonstrate empathy with their needs.
- We need to ensure there's proactive, ongoing engagement with maintainers and their projects; "once and done" is too easy to get buried under the day to day demands.
(This effort could dovetail nicely with the work going on in #165)
Proposed Solutions
There are many ways to go about this, and I'm sure you would know better than me what makes sense :), but here are some initial thoughts:
"Maintainer Experience" Working Group
Create an OpenSSF Working Group specifically around maintainers and their needs (similar to the End Users group, but for the producers of open source).
This could also manifest as something similar to the TAC but a committee made up of maintainer representatives. (Just watch the time commitment.)
Dedicated "Landing Page" Specifically Aimed At Maintainers
For example, some sort of "call to action" on the OpenSSF website "Maintainer? Click here!" and/or maybe repurpose https://github.com/openssf (which currently appears empty) for this purpose?
The contents of this page would be geared toward maintainers and their pain points, rather than oriented around how OpenSSF thinks of them. (I can assure you that maintainers don't care whether something is a working group or a project ;)).
For example:
- Want to learn best practices in secure coding? Take our free training.
- Interested your project being automatically scanned for vulnerabilities? Learn more about Alpha-Omega
- Want to ensure your end users are getting the software distributed to them that they're counting on? Check out Sigstore.
- ... (etc.) ...
- Want to talk to us to find out more? Join a dedicated Slack channel
Oh, speaking of which...
Dedicated Slack Channel (+Mailing List?) Aimed At Maintainer Relations
Upon joining OpenSSF Slack I was blown away by the calibre of people there. :O However, if I was entering that space as a maintainer, I would quickly reach the conclusion that this is not a space for me, because the vast majority of conversation in there is about promotion/enablement of OpenSSF itself, the Working Groups' day to day toils, etc.
So some sort of dedicated channel(s) where maintainers can come in, introduce themselves, ask questions related to OpenSSF's activities, get answers from someone, meet and network with other security-conscious open source maintainers. Maybe also a corresponding "Maintainer Office Hours" meeting folks could join, and periodic "What is openSSF for maintainers" onboarding sessions (could re-use these at events).
Forge Partnerships With Open Source Security Teams
Open source security projects' teams are overwhelmed and exhausted. Having partnership from an organization like OpenSSF would be a huge shot in the arm, and an excellent, pragmatic way to demonstrate OpenSSF's value in a way maintainers can fully understand.
What could this look like? Maybe a set of "tiger teams" grouped by programming language who prioritize projects with massive ecosystems, helping them to implement things like sigstore, teach best practices like CVEs, etc.
Go Where Maintainers Are
In each of the critical projects (once again, probably starting within those with massive ecosystems, such as Python), figure out where those maintainers congregate in "real life" (PyCon), and go there. Even better: co-present with the security maintainers from the previous step; now you have automatic credibility within that community, and a reason for people to show up to your talk.
Assume Zero Knowledge In Community Events
In Town Halls, OpenSSF Day, etc. always assume someone in the audience is hearing about OpenSSF for the first time (if you're doing lots of outreach, they probably are!). The first time you use terms like "SBOM" define for people what that is (and/or have a handy glossary page that's distributed ahead of time). When someone gives a status update on Sigstore, give 30 seconds of context as to what that is and why it's important.
Without this, the risk once again is giving off the strong vibe that OpenSSF is for "insiders" and not for maintainers themselves.
Thoughts?
Haha, sorry for the novel, apparently there was a lot to say. ;) Does the problem statement ring true to you? Is there already an initiative underway in OpenSSF that maintainers interested in smoothing these sorts of partnerships could join and participate in? Is this far out of what OpenSSF sees as their mission and better for some other group to tackle?
Very curious of your thoughts!