Close out adjustments to OpenSSF Best Practices badge in lifecycle stage requirements. #502

Closed
2 tasks done
jmertic opened this issue Sep 27, 2023 · 8 comments
Labels
3-tac-meeting-long Longer agenda item for the TAC meeting ( 30 minutes )

Comments


jmertic commented Sep 27, 2023

Please share any additional details on this topic

As proposed by Jonathan Stone on the #tac channel in the ASWF Slack.... ( https://academysoftwarefdn.slack.com/archives/CKB8RR3FT/p1695761680176419 )

Hello all!
John Mertic and I have been discussing the pros and cons of requiring Silver and Gold OpenSSF badges for ASWF project graduation, and this seems like a topic that is interesting enough to open up for broader discussion.
Based on our conversation so far, here are some of the reasons that we might consider changing our lifecycle rules, maintaining Silver and Gold badges as aspirational goals for all ASWF projects, but not using them as blockers for project graduation:
  • No ASWF project has ever achieved either a Silver or Gold badge, including the foundational computer graphics projects that launched with the ASWF itself.
  • Our most recent graduating projects were approved unanimously without achieving either a Silver or Gold badge.
  • Outside of the ASWF, none of the foundational OSS projects in computer graphics (e.g. PBRT, Mitsuba, Embree, OpenUSD, Filament) has ever achieved either a Silver or Gold badge, and there's no evidence that they're currently pursuing them. One potential reason for this is the disconnect between the focus of the Silver and Gold badges (security guarantees, statement and branch coverage), and the emphasis of computer graphics projects on visual parity and visual regression testing.
We'd be very interested in additional thoughts from this group, and this could be a good discussion topic for a future TAC meeting.

Detail what actions or feedback you would like from the TAC

Discussion on how to proceed

How much time do you need for this topic?

At least 30 minutes

Tasks

  1. 4-tac-meeting-short
@jmertic jmertic added 3-tac-meeting-long Longer agenda item for the TAC meeting ( 30 minutes ) and removed meeting-agenda labels Oct 2, 2023
@jmertic jmertic moved this from Upcoming Meeting Agenda Items to Next Meeting Agenda Items in Academy Software Foundation TAC Meeting Agenda Oct 4, 2023
@jmertic jmertic moved this from Next Meeting Agenda Items to Upcoming Meeting Agenda Items in Academy Software Foundation TAC Meeting Agenda Oct 4, 2023

jmertic commented Oct 5, 2023

Analysis of OpenEXR and OSL where they haven't completed requirements.

https://docs.google.com/spreadsheets/d/1bEacUNFizeT8QtfsvqiRNNgvty8_tweHjassHko6OhQ/edit?usp=sharing

@jmertic jmertic moved this from Upcoming Meeting Agenda Items to Next Meeting Agenda Items in Academy Software Foundation TAC Meeting Agenda Oct 23, 2023
@jmertic jmertic moved this from Next Meeting Agenda Items to Future Meeting Agenda Items in Academy Software Foundation TAC Meeting Agenda Nov 6, 2023
@jmertic jmertic moved this from Future Meeting Agenda Items to Next Meeting Agenda Items in Academy Software Foundation TAC Meeting Agenda Nov 9, 2023
@jmertic jmertic moved this from Next Meeting Agenda Items to Upcoming Meeting Agenda Items in Academy Software Foundation TAC Meeting Agenda Nov 27, 2023

jmertic commented Nov 30, 2023

Two takeaways from the TAC Meeting:

  1. Adjust the requirements to reflect progress towards badges, and then put in the following annual review that they should be completed. See proposal in Adjust requirements for the OpenSSF Badge at the Adopted Stage #556.
  2. More tactical guidance on how to complete the requirements. Started work in Update the Best Practices Page with spots for detailed instructions on how to fulfill each requirement #557.

Thank you all for the great discussion!


jmertic commented Dec 5, 2023


jmertic commented Dec 15, 2023

Discussion from 12/13 TAC Meeting:

  • Plan is to determine which Silver/Gold requirements are unclear or problematic, and remove them from the TAC requirements for the Adopted Stage until the requirement is made clear and the concerns addressed.
  • For the 1/10 TAC Meeting, we will review those identified to be potentially problematic for the TAC to consider and approve.
  • After that, work in the CI WG to determine the specific concerns with the problematic requirements, and then work to (a) get clarity and upstream that into the Best Practices Badge project and/or (b) provide ASWF-specific guidance to complete.


jmertic commented Jan 5, 2024

Hi everyone!

Follow up as a prep for Wednesday's meeting:

  1. I've analyzed the badge completion per project, using scoring to determine the most problematic requirements. See this at https://docs.google.com/spreadsheets/d/1bEacUNFizeT8QtfsvqiRNNgvty8_tweHjassHko6OhQ/edit#gid=67150143. Note this data is pulled via the REST API of the BadgeApp, so projects, if you want to update your badges, those changes should reflect in semi-realtime.
  2. I've dumped the complete badge requirements for all levels with details in a doc at https://docs.google.com/document/d/1IgE_Jaeb0Yar_Dc_iCw5FUo_AFJZiIVdDBTxhY-9Vvs/edit?usp=sharing. Please review and add comments on sections that are unclear or problematic.

Thank you all, and I look forward to discussing this more on Wednesday!

@jmertic jmertic added 4-tac-meeting-short Short agenda item for the TAC meeting ( 5 minutes or less ) and removed 3-tac-meeting-long Longer agenda item for the TAC meeting ( 30 minutes ) labels Jan 10, 2024
@jmertic jmertic moved this from Upcoming Meeting Agenda Items to Next Meeting Agenda Items in Academy Software Foundation TAC Meeting Agenda Jan 11, 2024
@jmertic jmertic moved this from Next Meeting Agenda Items to Upcoming Meeting Agenda Items in Academy Software Foundation TAC Meeting Agenda Jan 11, 2024

jmertic commented Jan 11, 2024

Ask for @bcipriano, @carolalynn22, @kmuseth, @reinecke, @fpsunflower, and @jstone-lucasfilm - please review the Silver and Gold badge requirements for your projects. I've added direct links to the badgeapp for each of your projects in the headers for the Google Sheet.

@jmertic jmertic added 3-tac-meeting-long Longer agenda item for the TAC meeting ( 30 minutes ) 4-tac-meeting-short Short agenda item for the TAC meeting ( 5 minutes or less ) and removed 4-tac-meeting-short Short agenda item for the TAC meeting ( 5 minutes or less ) 3-tac-meeting-long Longer agenda item for the TAC meeting ( 30 minutes ) labels Jan 12, 2024

jmertic commented Jan 31, 2024

Somewhat related, but there is work to bring the badge management more into project workflows and not entirely within a disconnected app.

coreinfrastructure/best-practices-badge#2094

@jmertic jmertic added 3-tac-meeting-long Longer agenda item for the TAC meeting ( 30 minutes ) and removed 4-tac-meeting-short Short agenda item for the TAC meeting ( 5 minutes or less ) labels Mar 5, 2024
@jmertic jmertic changed the title Discuss use of OpenSSF Best Practices badge in lifecycle stage requirements. Close out adjustments to OpenSSF Best Practices badge in lifecycle stage requirements. Mar 5, 2024

jmertic commented Mar 16, 2024

Closing this as we will align on closing out with the language in #556

@jmertic jmertic closed this as completed Mar 16, 2024

3 participants