[Technical Initiative Funding Request]: UI/UX support for attestations on software repos #424
Comments
To state the obvious, this is the largest funding request we've ever had at the OpenSSF. However, it does deliver a lot: improved UI/UX to PyPI and RubyGems, as well as guidance for other package repositories. We've seen how useful these attestations are in responding to supply chain attacks like the attack on the Ultralytics package on PyPI in December 2024. The Securing Repositories Working Group has a proven track record of package repositories adopting guidance we've published on repos.openssf.org, and this funding proposal will help us expand that guidance with content that PyPI and RubyGems are currently asking us for. Since this request was published, Maven Central also announced they will verify and store attestations, although Central does not currently display this information in its UI, and it's possible they could also benefit from this work. Not only are these attestations a great security capability that the OpenSSF is driving delivery of to the world, they also bring together several OpenSSF TIs: the Securing Repos WG of course, but also the Sigstore project and SLSA build provenance.
I think this is a worthwhile proposal but feel like it should be divided into several chunks. Start with the first 10 weeks to do the research and development of the style guide. Then do one implementation at a time. This would make the size of the funding requests much smaller and give us the opportunity to have a natural monitoring cadence as new requests come in.
I support this request and see a lot of value - primarily for package repos and open source developers of course, but also for downstream users, i.e., enterprises who provide dashboards etc. to present project meta-data to internal developers. A good style guide benefits such internal tooling and the developers using it, too.
I'm supportive of this request given that it directly delivers against one of the top-level points in our technical vision
/vote
Vote created. @riaankleinhans has called for a vote on
The members of the following teams have binding votes:
Non-binding votes are also appreciated as a sign of support!
How to vote: You can cast your vote by reacting to
Please note that voting for multiple options is not allowed and those votes won't be counted. The vote will be open for
+1 The ask is rather large, but I definitely see the need for making this investment in the package repos we work with.
Vote status (so far): Binding votes (4)
Vote status (so far): Binding votes (6)
/check-vote
Vote status (so far): Binding votes (6)
/check-vote
Vote status (so far): Binding votes (7)
Based on vote threshold change PR #455 this vote passed with 66%
@afmarcum can you please review for final approval
Yes, that would be helpful!
Vote status (so far): Binding votes (7)
/cancel-vote
Vote cancelled. @riaankleinhans has cancelled the vote in progress in this issue.
@afmarcum Is it possible to get the mentioned TPM support? What are next steps here?
@kborchers please work with Dustin and Zach if you were not able to attend today's WG meeting to discuss kicking off this effort.
@afmarcum Thanks. At what point does this move from "Budget Approved" to "Funding Approved"?
Hi hi, As both an employee of Superbloom and as a core maintainer over at https://github.com/opensourcedesign I'd love to help inform how this develops. If there's any info that I can provide to help please lemme know
Technical Initiative
Securing Repositories Working Group
Lifecycle Phase
Graduated
Funding amount
$144,000
Problem Statement
Software repositories like npmjs.org, pypi.org and rubygems.org have begun supporting the publishing of attestations (SLSA build provenance and/or publish attestations) on the repositories themselves.
Attestation documents are served via an API to make them easily machine-readable, but for human consumers, attestations and their corresponding signing certificates contain a lot of information that the average user is unfamiliar with and that varies in usefulness.
As a result, displaying attestations to a user via a web interface is challenging: it’s necessary to ensure that the important information within the attestation (such as the upstream source repository and the build infrastructure) is surfaced to the user in a way that is both meaningful and clearly trustworthy. Additionally, this new UI/UX must be added to the existing interface that software repos already have.
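To make the problem statement concrete, here is an added Python example (written for this page, not code from the request, PyPI, RubyGems or any other repository) that reduces a SLSA v1 build provenance statement to the handful of fields a repository UI would surface. The statement below is constructed: its field layout follows the public in-toto Statement and SLSA provenance schemas, but every concrete value (package name, builder id, URIs, digests) is made up, and the contents of `externalParameters` differ from builder to builder. The example assumes the surrounding Sigstore bundle's signature and certificate have already been verified; what it adds is the check a UI needs before rendering anything, namely that the attestation's subject digest actually covers the file being shown.

```python
import hashlib

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample artifact and a constructed SLSA v1 provenance statement for it.
SAMPLE_ARTIFACT = b"constructed sdist bytes for example_pkg 1.0.0"

SAMPLE_STATEMENT = {
    "_type": IN_TOTO_STATEMENT_V1,
    "subject": [
        {
            "name": "example_pkg-1.0.0.tar.gz",
            "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()},
        }
    ],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/buildtypes/ci/v1",  # constructed
            "externalParameters": {  # shape is builder-specific; constructed here
                "workflow": {
                    "repository": "https://github.com/example-org/example-pkg",
                    "ref": "refs/tags/v1.0.0",
                    "path": ".github/workflows/release.yml",
                }
            },
            "resolvedDependencies": [
                {
                    "uri": "git+https://github.com/example-org/example-pkg@refs/tags/v1.0.0",
                    "digest": {"gitCommit": "a" * 40},  # constructed placeholder commit
                }
            ],
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builders/ci/v1"}},
    },
}


def find_subject(statement, artifact_bytes):
    """Return the subject entry whose SHA-256 matches the artifact, or None.

    A statement whose subject does not cover this exact file says nothing about it,
    however valid its signature, so the UI must not render it next to the file."""
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    for subject in statement.get("subject", []):
        if subject.get("digest", {}).get("sha256", "").lower() == actual:
            return subject
    return None


def summarize_provenance(statement, artifact_bytes):
    """Reduce a SLSA v1 provenance statement to the fields a repository UI should show.

    Returns None, never a partial summary, when the statement is not in-toto v1,
    is not SLSA v1 provenance, or does not cover the given artifact."""
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        return None
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        return None
    subject = find_subject(statement, artifact_bytes)
    if subject is None:
        return None

    predicate = statement.get("predicate", {})
    build_def = predicate.get("buildDefinition", {})
    # Take the source repository from what the builder actually resolved, rather than
    # from externalParameters, which record inputs supplied by whoever ran the build.
    source = next(
        (dep["uri"] for dep in build_def.get("resolvedDependencies", [])
         if dep.get("uri", "").startswith("git+")),
        None,
    )
    return {
        "artifact": subject["name"],
        "sha256": subject["digest"]["sha256"],
        "source_repository": source,
        "builder_id": predicate.get("runDetails", {}).get("builder", {}).get("id"),
        "build_type": build_def.get("buildType"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_provenance(SAMPLE_STATEMENT, SAMPLE_ARTIFACT), indent=2))
    print(summarize_provenance(SAMPLE_STATEMENT, b"some other file"))  # None
```

The summary deliberately keeps only four facts (artifact, source repository, builder, build type) plus the digest that ties them to the file; everything else in the statement and its certificate is the "lot of information" the problem statement describes, and a style guide would decide where, if anywhere, to expose it.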
Who does this affect?
Users who consume attestations from software repositories that support them.
Have there been previous attempts to resolve the problem?
Currently, repositories that support attestations have added UI/UX around attestations with minimal (if any) guidance from UI/UX staff. These interfaces are a minimal best effort and are less than ideal user experiences, partly due to the lack of UI/UX support, and partly because attestations are a nascent feature with little prior art on how they should be displayed to an end user.
Additionally, the UI/UX is not consistent across repositories, which may cause user confusion when moving from one ecosystem to another.
Examples:
Why should it be tackled now and by this TI?
We’re at a point where more repositories are interested in adding support for attestations. If we can pre-empt this work by providing a style guide and aligning existing implementations, we will likely have a better outcome in the way that users perceive and consume attestations.
If we don’t do this work now, we run the risk of each implementation having a sub-par UI/UX, which may impact user perception and overall adoption of attestations.
Additionally, by providing a style guide, we make it easier for repositories that do not yet support attestations to do the work to support them and provide a consistent UI.
Give an idea of what is required to make the funding initiative happen
We propose that the OpenSSF fund UI/UX work to:
We propose contracting a UI/UX designer to:
What is going to be needed to deliver this funding initiative?
A UI/UX engineer.
Are there tools or tech that still need to be produced to facilitate the funding initiative?
No.
Give a summary of the requirements that contextualize the costs of the funding initiative
The costs are estimated at a $150 hourly rate for a UI/UX designer to perform the following tasks:
Who is responsible for doing the work of this funding initiative?
We recommend Ian Taylor, [email protected] (RubyGems designer) and/or https://kabucreative.com/ (previous PyPI UI/UX contractor) depending on availability and rates.
The PSF has previously used Simply Secure (now branded SuperBloom) for a pip UX study: https://simplysecure.org / https://superbloom.design
Who is accountable for doing the work of this funding initiative?
Dustin Ingram, co-chair of Securing Repos Working Group
If the responsible or accountable parties are no longer available, what is the backup contact or plan?
Zach Steindler, co-chair of Securing Repos Working Group
What license is this funding initiative being used under?
Code of Conduct
List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.
If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.
TBD by the selected contractor.
Edit: formatting