ForgeFlux
/
oss-virtual-incubator
mirror of https://github.com/forgeflux-org/oss-virtual-incubator
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

init commit

This commit is contained in:
Ashwin Ramaswami 2021-12-11 20:41:45 -05:00
commit 05251ee5dd
4 changed files with 256 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
LICENSE Normal file
View File

@ -0,0 +1,121 @@
Creative Commons Legal Code
CC0 1.0 Universal
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.
For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:
i. the right to reproduce, adapt, distribute, perform, display,
communicate, and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
likeness depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data
in a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation
thereof, including any amended or successor version of such
directive); and
vii. other similar, equivalent or corresponding rights throughout the
world based on applicable law or treaty, and any national
implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or
warranties of any kind concerning the Work, express, implied,
statutory or otherwise, including without limitation warranties of
title, merchantability, fitness for a particular purpose, non
infringement, or the absence of latent or other defects, accuracy, or
the present or absence of errors, whether or not discoverable, all to
the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without
limitation any person's Copyright and Related Rights in the Work.
Further, Affirmer disclaims responsibility for obtaining any necessary
consents, permissions or other rights required for any use of the
Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to
this CC0 or use of the Work.

32
PROPOSAL-TEMPLATE.md Normal file
View File

@ -0,0 +1,32 @@
### Title
<!-- A short, pithy title for the proposal. -->
### Short description
<!-- A short, one-sentence description of the proposal. -->
### Author
<!-- Put your GitHub username(s) here. The proposal author will "own" the proposal and will be able to accept future changes to it. -->
### Proposal body
<!-- Explain your proposal. Add as much as you want, within reason! -->
### Due diligence
<!-- Please answer the following due diligence questions; it's okay to answer "N/A" if you don't know yet. -->
1. **What related work has already been done in this area?** <!-- Insert answer here -->
2. **How is this proposal innovative -- what distinguishes it from other related work?** <!-- -->
3. **Who is your doer -- who will execute the proposed work?** <!-- Insert answer here -->
4. **How might this work be sustained long-term after an initial seed grant?** <!-- Insert answer here -->
### Resources needed
<!-- What resources are needed (grant money, advisors, expertise, etc.) to realize this proposal? -->
### Other links and resources
<!-- Add any other links, images, or resources that are relevant to the proposal -->

54
README.md Normal file
View File

@ -0,0 +1,54 @@
# Open Source Software Virtual Incubator
👋 Hi there! We'd like to try a little experiment to help source and improve the best ideas to improve OSS sustainability, in a public way. Rather than a traditional RFP process, where the submissions are private, we hope a public submission process creates a resource for the entire community to give feedback on, improve, and collect proposals together. - [@epicfaace](https://github.com/epicfaace)
## tl;dr
1. We want **ambitious and innovative ideas** to systemically improve the sustainability of the OSS ecosystem.
2. You can **submit a proposal** by making a PR or filling out this form: [TODO].
3. You can **get or give feedback** and help refine these ideas through changes and comments on this GitHub repository.
4. We plan to provide **further support**, such as grants / funding, to promising ideas and proposals.
## 1. Ideas wanted
Like roads and bridges for the digital world, open source software (OSS) makes up much of our digital infrastructure and underlies many critical software systems, both public and private. Sometimes referred to as "free and open source software" (FOSS), OSS can be used, modified, and shared by the public according to its terms of distribution.
However, OSS faces a sustainability problem. While some OSS projects are well-resourced by companies and non-profit organizations, other OSS code is maintained and released by people who struggle to monetize their work. Moreover, flaws in OSS has been used to mount supply chain attacks such as [Heartbleed](https://heartbleed.com/) and, more recently, [log4j](https://blog.cloudflare.com/how-cloudflare-security-responded-to-log4j2-vulnerability/). Traditional methods of resourcing OSS development and maintenance such as corporate or philanthropic donations, [crowdsourcing](https://babeljs.io/blog/2021/05/10/funding-update), or [volunteer time](https://twitter.com/FiloSottile/status/1469441487175880711) may not be enough.
**We are seeking the most ambitious and innovative ideas to systemically improve the sustainability of the OSS ecosystem.** We welcome ideas from around the world, and they can range from specific technical improvements to institution-building to policymaking ideas. Here are some (not exhaustive) examples: "implement X feature in a certain package manager", "perform dependency mapping of the OSS ecosystem", "create a training program for OSS maintainers to learn how to apply to grants", "create a mechanism for the US National Science Foundation to better fund critical OSS libraries", "use X web3 mechanism to create incentives to fund OSS tools".
## 2. Submit a proposal
If you'd like to submit a proposal yourself, you have two options:
1. Fork this repo and make a copy of [PROPOSAL-TEMPLATE.md](PROPOSAL-TEMPLATE.md). Write up your proposal in the `proposals` directory, then make a pull request to this repository.
2. If you'd rather just use a form, fill out this form: [TODO]. We will copy over your proposal to this GitHub repository.
## 3. Get or give feedback
By sharing the proposals publicly on this GitHub repository, we hope this will allow you to get feedback on your proposals, give feedback on / learn from other proposals, and collectively refine and fine-tune the proposals based on feedback. You can use [GitHub Discussions](https://github.com/PlaintextGroup/oss-virtual-incubator/discussions) to organize these discussions.
## 4. Further support
Promising proposals will be selected for further support, including further feedback from policy and technical experts, access to a community of policymakers and technical engineers to help them realize their idea, and grant money from us or other partners / funders to help realize the idea.
## FAQ
### Why did you start this?
We'd like to fund systemic improvements in the open source software ecosystem  rather than just funding a specified list of OSS projects, we'd like to take risks on novel ideas that may have an outsize impact and improve sustainability for a wide variety of projects within the open source software ecosystem. Rather than a traditional RFP process, where the submissions are private, we hope a public submission process creates a resource for the entire community to give feedback on, improve, and collect proposals together.
### What is Plaintext Group?
<img width="300" alt="Highlight_1@2x" src="https://user-images.githubusercontent.com/1689183/130452345-dd163756-08a9-491b-994f-1d04da98fda5.png">
Plaintext Group is a technology innovation policy initiative being developed by <a href="https://schmidtfutures.com/">Schmidt Futures</a>. Schmidt Futures' incubation of Plaintext Group is part of our effort to take on important public problems where systemic solutions may be available, by creating interdisciplinary institutions of exceptional people.
If you are interested in collaborating with us, drop us a note at [ashwin@plaintextgroup.com](mailto:ashwin@plaintextgroup.com).
### I'm a funder and would like to collaborate with you. How can I help?
Please drop us a note at [ashwin@plaintextgroup.com](mailto:ashwin@plaintextgroup.com).
### I have more questions.
Please file a GitHub Issue or [send us an email](mailto:ashwin@plaintextgroup.com)!

49
proposals/center-for-open-source-security.md Normal file
View File

@ -0,0 +1,49 @@
### Title
<!-- A short, pithy title for the proposal. -->
Securing Open Source Software at the Source: Creating a Center for Open Source Software Infrastructure and Security
### Short description
<!-- A short, one-sentence description of the proposal. -->
Congress should establish a Center for Open Source Software Infrastructure and Security for 1) identifying and cataloging critical software in need of support and 2) funding critical improvements in open source software security.
### Author
<!-- Put your GitHub username(s) here. The proposal author will "own" the proposal and will be able to accept future changes to it. -->
@epicfaace
### Proposal body
<!-- Explain your proposal. Add as much as you want, within reason! -->
Congress should create a Center for Open Source Software Infrastructure and Security within DHS that does the following:
1. Identify and catalog critical software in need of support
Congress should initiate an effort to systematically identify the most critical open source software components and develop criteria for determining the criticality and vulnerability of open source software. This effort can be coordinated with CISA, through the National Risk Management Center (NRMC), to determine the open source software components most important to the nations critical infrastructure sectors and National Critical Functions.18 This effort should also engage NIST to determine guidelines for the criticality and vulnerability of open source software, creating criteria analogous to the Common Vulnerability Scoring System (CVSS).19 The effort should result in an ongoing catalog that could be made available to other agencies as well as the public, analogous to the National Vulnerability Database (NVD) program.
2. Congress should establish a process for funding OSS components that are determined to be both critical and in need of support, as well as improvements to the general ecosystem. Such funding could include:
- An emergency fund that supports short-term and narrowly scoped security work, such as bug bounty programs for finding high-severity vulnerabilities or grants for fixing particularly critical vulnerabilities or hardening specific software. For example, qualifying grant proposals could be similar in nature to the Django Fellowship, which helped hire full-time developers to focus on triaging bugs and managing security releases for the open source web framework Django.23
- A fund for non-software-related strategic initiatives or research that may improve the security health of the entire open source ecosystem. For example, this could include events to improve education around security practices in the OSS ecosystem or research initiatives to better understand how open source developers approach dependency management.
### Due diligence
<!-- Please answer the following due diligence questions; it's okay to answer "N/A" if you don't know yet. -->
1. **What related work has already been done in this area?** <!-- Insert answer here -->
2. **How is this proposal innovative -- what distinguishes it from other related work?** <!-- -->
3. **Who is your doer -- who will execute the proposed work?** <!-- Insert answer here -->
4. **How might this work be sustained long-term after an initial seed grant?** <!-- Insert answer here -->
### Resources needed
<!-- What resources are needed (grant money, advisors, expertise, etc.) to realize this proposal? -->
Legislative advocacy
### Other links and resources
<!-- Add any other links, images, or resources that are relevant to the proposal -->
Paper published summarizing this idea: https://www.plaintextgroup.com/reports/securing-open-source-software-at-the-source