From 33d1156015af318d3d70697635f49c11d1f19e20 Mon Sep 17 00:00:00 2001 From: Ben Cotton Date: Wed, 18 Dec 2024 14:08:52 -0500 Subject: [PATCH 1/3] Add a maintenance process Signed-off-by: Ben Cotton --- .github/workflows/test-build.yml | 2 +- .github/workflows/web-publish.yml | 2 +- .gitignore | 1 + docs/index.md | 17 +++++++++++++++++ docs/maintenance.md | 22 ++++++++++++++++++++++ 5 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 .gitignore create mode 100644 docs/index.md create mode 100644 docs/maintenance.md diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml index 421080a..862e28b 100644 --- a/.github/workflows/test-build.yml +++ b/.github/workflows/test-build.yml @@ -17,7 +17,7 @@ jobs: with: persist-credentials: false - name: Build content from yaml - run: cd cmd && go run . compile --output ../docs/index.md + run: cd cmd && go run . compile --output ../docs/versions/devel.md - name: Build with Jekyll uses: actions/jekyll-build-pages@44a6e6beabd48582f863aeeb6cb2151cc1716697 # v1.0.13 with: diff --git a/.github/workflows/web-publish.yml b/.github/workflows/web-publish.yml index 4bb3bea..acff25c 100644 --- a/.github/workflows/web-publish.yml +++ b/.github/workflows/web-publish.yml @@ -31,7 +31,7 @@ jobs: - name: Setup Pages uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0 - name: Build content from yaml - run: cd cmd && go run . compile --output ../docs/index.md + run: cd cmd && go run . compile --output ../docs/versions/devel.md - name: Build with Jekyll uses: actions/jekyll-build-pages@44a6e6beabd48582f863aeeb6cb2151cc1716697 # v1.0.13 with: diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..17986e1 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +docs/versions/devel.md diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 0000000..2129ca4 --- /dev/null +++ b/docs/index.md 
@@ -0,0 +1,17 @@ +# Open Source Security Baseline + +The Open Source Project Security Baseline (OSPS Baseline) is designed to act as a minimum definition of requirements for a project relative to it's maturity level. +It is maintained by the [OpenSSF Security Baseline SIG](https://github.com/ossf/security-baseline/blob/main/governance/MAINTAINERS.md) according to the [project governance documentation](https://github.com/ossf/security-baseline/blob/main/governance/GOVERNANCE.md). + +## Versions + +Previous versions are presented for historical reference. +Downstream consumers of the OSPS Baseline should specify their compliance against a specific version. +Only the version labeled as "current" should be used for new compliance efforts. + +* [In-development version](docs/development) +* Current version: [v1.0]() released YYYY-MM-DD +* Previous versions: + * [v0.1] released YYYY-MM-DD + +Versions are managed according to the [Baseline maintenance process](maintenance). \ No newline at end of file diff --git a/docs/maintenance.md b/docs/maintenance.md new file mode 100644 index 0000000..756a754 --- /dev/null +++ b/docs/maintenance.md 
@@ -0,0 +1,22 @@ +# OSPS Baseline Maintenance Process + +* Normal text fixes to the criteria will be accepted via pull request and reviewed by the baseline project maintainers. +Allowed changes are corrections to spelling/typos, grammar corrections, or enhancements to the supplementary text supporting the criteria, including: Objective, Implementation, Control Mappings, and Scorecard/Insights values. +At least two project maintainers must review and approve these changes. +* Substantive changes to Criteria, including changes to text that alters the originally stated meaning, new Criteria proposals, or removal of Criteria will be documented in GitHub PR(s) and reviewed regularly by the Baseline project maintainers for inclusion in the next release. +These changes may reflect changes to global cybersecurity regulations and frameworks or changes in norms around application/project security practices. +Any such substantive changes must be approved by a majority of the project's maintainers. +* As appropriate, but at least annually, the Baseline project maintainers will evaluate the set of criteria and, if necessary, publish a new version of the Baseline. +Previous versions of the Baseline will remain available, but are stable and not subject to change, except for minor changes to fix technical or typographic errors. +* Any changes to the Baseline will be reflected within the Compliance Matrix, with new requirements flagged where the Baseline Criteria are appropriate. +* Versions will follow a calendar-based identification system, using the `YYYY-MM-DD` format. +* Downstream stakeholders will be notified via the project's mailing list on the changes and updates. + +## Identifiers + +* Identifiers for retired criteria MUST NOT be reused. +Retired identifiers will remain in the source yaml files, clearly marked. +* Substantial changes to the meaning of a criterion will be treated as a new criterion, resulting in a new identifier. 
+Minor changes, including a change in level, between Baseline versions will not result in a new identifier. +* The numeric portion of identifiers are assigned sequentially per category. +They do not carry additional meaning. \ No newline at end of file From 6ce2294fe2ee73b9d9da6dea81237530e554c62d Mon Sep 17 00:00:00 2001 From: Ben Cotton Date: Thu, 23 Jan 2025 08:43:33 -0500 Subject: [PATCH 2/3] Remove "Scorecard/Insights values" from allowed changes Co-authored-by: Eddie Knight Signed-off-by: Ben Cotton --- docs/maintenance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/maintenance.md b/docs/maintenance.md index 756a754..ee67cf0 100644 --- a/docs/maintenance.md +++ b/docs/maintenance.md @@ -1,7 +1,7 @@ # OSPS Baseline Maintenance Process * Normal text fixes to the criteria will be accepted via pull request and reviewed by the baseline project maintainers. -Allowed changes are corrections to spelling/typos, grammar corrections, or enhancements to the supplementary text supporting the criteria, including: Objective, Implementation, Control Mappings, and Scorecard/Insights values. +Allowed changes are corrections to spelling/typos, grammar corrections, or enhancements to the supplementary text supporting the criteria, including: Objective, Implementation, and Control Mappings. At least two project maintainers must review and approve these changes. * Substantive changes to Criteria, including changes to text that alters the originally stated meaning, new Criteria proposals, or removal of Criteria will be documented in GitHub PR(s) and reviewed regularly by the Baseline project maintainers for inclusion in the next release. These changes may reflect changes to global cybersecurity regulations and frameworks or changes in norms around application/project security practices. From c4da5dc969fdddd594bb487da1c8629bbf0d2e3f Mon Sep 17 00:00:00 2001 
From: Ben Cotton Date: Thu, 23 Jan 2025 08:47:11 -0500 Subject: [PATCH 3/3] Update the examples to use our CalVer scheme And also comment them out so that they aren't rendered until there are actual things to put there. Signed-off-by: Ben Cotton --- docs/index.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/index.md b/docs/index.md index 2129ca4..d4f578c 100644 --- a/docs/index.md +++ b/docs/index.md @@ -10,8 +10,10 @@ Downstream consumers of the OSPS Baseline should specify their compliance agains Only the version labeled as "current" should be used for new compliance efforts. * [In-development version](docs/development) -* Current version: [v1.0]() released YYYY-MM-DD + -Versions are managed according to the [Baseline maintenance process](maintenance). \ No newline at end of file +Versions are managed according to the [Baseline maintenance process](maintenance).
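Review bot: in the `test-build.yml` hunk the compile step now writes to `../docs/versions/devel.md`, but nothing in this series creates the `docs/versions/` directory (the only path under it, `devel.md`, is added to `.gitignore` rather than committed), so on a fresh checkout the step will fail unless `go run . compile` creates parent directories itself. Either add `mkdir -p ../docs/versions` before the compile step or state in the PR that the tool creates the directory.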
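Review bot: the `web-publish.yml` hunk has the same missing-directory problem as `test-build.yml`: `--output ../docs/versions/devel.md` assumes `docs/versions/` exists. Because this is the publishing workflow, a failure here blocks every site deploy, so whichever fix is chosen (a `mkdir -p` step or confirming the tool creates the directory) should be applied to both workflows in this PR.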
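Review bot: in the `docs/index.md` hunk the in-development link points at `docs/development`, which matches neither the path the workflows now generate (`docs/versions/devel.md`) nor the page's own location under `docs/`, so the rendered link will resolve to `docs/docs/development` and be broken. Change it to the path that is actually built (for example `versions/devel`). Two smaller points in the same hunk: "relative to it's maturity level" should be "its", and the version examples use `v1.0` / `v0.1` while the maintenance page added in this same patch says versions use a `YYYY-MM-DD` identifier; the examples should follow the scheme the process defines.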
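Review bot: in the `docs/maintenance.md` hunk the statement "Minor changes, including a change in level, between Baseline versions will not result in a new identifier" deserves a qualifier: a level change alters which projects must satisfy a criterion, so downstream consumers tracking compliance by identifier will silently gain or lose an obligation. Since the same hunk says changes are reflected in the Compliance Matrix, consider stating that level changes are always flagged there (or in the release notes) even though the identifier is stable. Two related wording points: the earlier bullet says previous versions may still receive fixes for "technical or typographic errors", but with `YYYY-MM-DD` identifiers it is not said how such a post-release fix is identified, and "Identifiers for retired criteria MUST NOT be reused" is the only RFC 2119 keyword in a document that otherwise uses "will"; either adopt the keywords throughout or use "will not" here. Finally, "The numeric portion of identifiers are assigned" should read "is assigned".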
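Review bot: the PATCH 3/3 hunk does not match its own stat line: the header reports 5 insertions and 3 deletions, but only two `-` lines and two `+` lines are visible, and the sole new content line is an empty `+ `. The commit message says the version examples were commented out, which suggests the HTML comment lines are missing from the hunk as shown; please confirm the committed `docs/index.md` actually contains the commented-out examples and the CalVer-style dates the message describes. The `[In-development version](docs/development)` line is left untouched by this patch and remains a live link, so the path problem noted for the first patch still applies after this one.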