
OpenSSF: Open Source Security Foundation
https://github.com/ossf
======
hansjorg
Maybe this should link to [https://openssf.org](https://openssf.org) or the
press release ([https://openssf.org/press-release/2020/08/03/technology-and-enterprise-leaders-combine-efforts-to-improve-open-source-security/](https://openssf.org/press-release/2020/08/03/technology-and-enterprise-leaders-combine-efforts-to-improve-open-source-security/))
rather than to the GitHub project?

Highlights from the FAQ:

> OpenSSF is focused on improving the security of open source software (OSS)
> by building a broader community with targeted initiatives and best
> practices. It will start with a focus on metrics, tooling, best practices,
> developer identity validation and vulnerability disclosures best practices.

> OpenSSF will be supported by Linux Foundation membership dues with targeted
> organization contributions to support initiatives

> The founding members are GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC
> Group, OWASP Foundation and Red Hat, among others.

~~~
dependenttypes
I was interested in it but when I saw the corporations supporting it I ended
up with a sour taste in my mouth. Reading the rest of the comments, it seems
more like an organization with the intention to support their own interests
rather than to support the interests of the community.

~~~
cutemonster
Can't their interests be aligned with the oss developers?

Google has Project Zero and the Safe Browsing API, which do helpful things for me,
GitHub auto-scans dependencies, and OWASP guidelines are helpful, I think.

------
TACIXAT
It is really interesting that major open source initiatives are now being run
by corporations. I feel this will be open source in the sense that it is being
developed in the open, but not in the sense that they will foster an
environment of community contribution.

For example, the working group for vulnerability disclosure includes a lot of
corporate players, and from what I can tell, not a single security researcher.
Only one side of the disclosure process is represented in that working group.

Realizing how allergic major companies are to GPL code really creates some
skepticism when they speak about embracing open source.

~~~
bruce511
> Realizing how allergic major companies are to GPL code really creates some
> skepticism when they speak about embracing open source.

While orthogonal to your main point, this sentence conflates Free Software
(GPL) with Open Source. It should be emphasised that the GPL is NOT open
source, and that Open Source is not Free Software.

[https://www.gnu.org/philosophy/open-source-misses-the-point.en.html](https://www.gnu.org/philosophy/open-source-misses-the-point.en.html)

~~~
DoctorNick
...GPL is an Open Source license as defined by the OSI. Free Software and Open
Source Software have overlapping (but not 1:1) definitions.

~~~
MaxBarraclough
This is correct. Here's the OSI's list of approved licences:
[https://opensource.org/licenses/alphabetical](https://opensource.org/licenses/alphabetical)

------
mintyc
Such a shame these initiatives don't build on existing standards working
groups but go away and reinvent a wheel instead.

Take a look for instance at ETSI TC Cyber, or ETSI NFV Sec.

Even more are available in specific domains, such as intelligent transport systems
(ISG WG5).

Let's have one more standard promoting another agenda and set of priorities.

Open standards should also promote consolidated standards.

~~~
LockAndLol
What gave you the impression that they are reinventing the wheel?

~~~
kerkeslager
Did you take a look at the ETSI organizations mentioned in the comment you are
responding to?

> Take a look for instance at ETSI TC Cyber, or ETSI NFV Sec.

