From 05251ee5ddb28fa47f6679c8d339ad747e0e17dc Mon Sep 17 00:00:00 2001 From: Ashwin Ramaswami Date: Sat, 11 Dec 2021 20:41:45 -0500 Subject: [PATCH] init commit --- LICENSE | 121 +++++++++++++++++++ PROPOSAL-TEMPLATE.md | 32 +++++ README.md | 54 +++++++++ proposals/center-for-open-source-security.md | 49 ++++++++ 4 files changed, 256 insertions(+) create mode 100644 LICENSE create mode 100644 PROPOSAL-TEMPLATE.md create mode 100644 README.md create mode 100644 proposals/center-for-open-source-security.md diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..0e259d4 --- /dev/null +++ b/LICENSE @@ -0,0 +1,121 @@ +Creative Commons Legal Code + +CC0 1.0 Universal + + CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE + LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN + ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS + INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES + REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS + PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM + THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED + HEREUNDER. + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights (defined below) upon the creator +and subsequent owner(s) (each and all, an "owner") of an original work of +authorship and/or a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for +the purpose of contributing to a commons of creative, cultural and +scientific works ("Commons") that the public can reliably and without fear +of later claims of infringement build upon, modify, incorporate in other +works, reuse and redistribute as freely as possible in any form whatsoever +and for any purposes, including without limitation commercial purposes. +These owners may contribute to the Commons to promote the ideal of a free +culture and the further production of creative, cultural and scientific +works, or to gain reputation or greater distribution for their Work in +part through the use and efforts of others. + +For these and/or other purposes and motivations, and without any +expectation of additional consideration or compensation, the person +associating CC0 with a Work (the "Affirmer"), to the extent that he or she +is an owner of Copyright and Related Rights in the Work, voluntarily +elects to apply CC0 to the Work and publicly distribute the Work under its +terms, with knowledge of his or her Copyright and Related Rights in the +Work and the meaning and intended legal effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not +limited to, the following: + + i. the right to reproduce, adapt, distribute, perform, display, + communicate, and translate a Work; + ii. moral rights retained by the original author(s) and/or performer(s); +iii. publicity and privacy rights pertaining to a person's image or + likeness depicted in a Work; + iv. rights protecting against unfair competition in regards to a Work, + subject to the limitations in paragraph 4(a), below; + v. rights protecting the extraction, dissemination, use and reuse of data + in a Work; + vi. database rights (such as those arising under Directive 96/9/EC of the + European Parliament and of the Council of 11 March 1996 on the legal + protection of databases, and under any national implementation + thereof, including any amended or successor version of such + directive); and +vii. other similar, equivalent or corresponding rights throughout the + world based on applicable law or treaty, and any national + implementations thereof. + +2. Waiver. To the greatest extent permitted by, but not in contravention +of, applicable law, Affirmer hereby overtly, fully, permanently, +irrevocably and unconditionally waives, abandons, and surrenders all of +Affirmer's Copyright and Related Rights and associated claims and causes +of action, whether now known or unknown (including existing as well as +future claims and causes of action), in the Work (i) in all territories +worldwide, (ii) for the maximum duration provided by applicable law or +treaty (including future time extensions), (iii) in any current or future +medium and for any number of copies, and (iv) for any purpose whatsoever, +including without limitation commercial, advertising or promotional +purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each +member of the public at large and to the detriment of Affirmer's heirs and +successors, fully intending that such Waiver shall not be subject to +revocation, rescission, cancellation, termination, or any other legal or +equitable action to disrupt the quiet enjoyment of the Work by the public +as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. Should any part of the Waiver for any reason +be judged legally invalid or ineffective under applicable law, then the +Waiver shall be preserved to the maximum extent permitted taking into +account Affirmer's express Statement of Purpose. In addition, to the +extent the Waiver is so judged Affirmer hereby grants to each affected +person a royalty-free, non transferable, non sublicensable, non exclusive, +irrevocable and unconditional license to exercise Affirmer's Copyright and +Related Rights in the Work (i) in all territories worldwide, (ii) for the +maximum duration provided by applicable law or treaty (including future +time extensions), (iii) in any current or future medium and for any number +of copies, and (iv) for any purpose whatsoever, including without +limitation commercial, advertising or promotional purposes (the +"License"). The License shall be deemed effective as of the date CC0 was +applied by Affirmer to the Work. Should any part of the License for any +reason be judged legally invalid or ineffective under applicable law, such +partial invalidity or ineffectiveness shall not invalidate the remainder +of the License, and in such case Affirmer hereby affirms that he or she +will not (i) exercise any of his or her remaining Copyright and Related +Rights in the Work or (ii) assert any associated claims and causes of +action with respect to the Work, in either case contrary to Affirmer's +express Statement of Purpose. + +4. Limitations and Disclaimers. + + a. No trademark or patent rights held by Affirmer are waived, abandoned, + surrendered, licensed or otherwise affected by this document. + b. Affirmer offers the Work as-is and makes no representations or + warranties of any kind concerning the Work, express, implied, + statutory or otherwise, including without limitation warranties of + title, merchantability, fitness for a particular purpose, non + infringement, or the absence of latent or other defects, accuracy, or + the present or absence of errors, whether or not discoverable, all to + the greatest extent permissible under applicable law. + c. Affirmer disclaims responsibility for clearing rights of other persons + that may apply to the Work or any use thereof, including without + limitation any person's Copyright and Related Rights in the Work. + Further, Affirmer disclaims responsibility for obtaining any necessary + consents, permissions or other rights required for any use of the + Work. + d. Affirmer understands and acknowledges that Creative Commons is not a + party to this document and has no duty or obligation with respect to + this CC0 or use of the Work. diff --git a/PROPOSAL-TEMPLATE.md b/PROPOSAL-TEMPLATE.md new file mode 100644 index 0000000..6f642f5 --- /dev/null +++ b/PROPOSAL-TEMPLATE.md @@ -0,0 +1,32 @@ +### Title + + + +### Short description + + + +### Author + + + +### Proposal body + + + +### Due diligence + + + +1. **What related work has already been done in this area?** +2. **How is this proposal innovative -- what distinguishes it from other related work?** +3. **Who is your doer -- who will execute the proposed work?** +4. **How might this work be sustained long-term after an initial seed grant?** + +### Resources needed + + + +### Other links and resources + + diff --git a/README.md b/README.md new file mode 100644 index 0000000..34299b2 --- /dev/null +++ b/README.md @@ -0,0 +1,54 @@ +# Open Source Software Virtual Incubator + +👋 Hi there! We'd like to try a little experiment to help source and improve the best ideas to improve OSS sustainability, in a public way. Rather than a traditional RFP process, where the submissions are private, we hope a public submission process creates a resource for the entire community to give feedback on, improve, and collect proposals together. - [@epicfaace](https://github.com/epicfaace) + +## tl;dr + +1. We want **ambitious and innovative ideas** to systemically improve the sustainability of the OSS ecosystem. +2. You can **submit a proposal** by making a PR or filling out this form: [TODO]. +3. You can **get or give feedback** and help refine these ideas through changes and comments on this GitHub repository. +4. We plan to provide **further support**, such as grants / funding, to promising ideas and proposals. + +## 1. Ideas wanted + +Like roads and bridges for the digital world, open source software (OSS) makes up much of our digital infrastructure and underlies many critical software systems, both public and private. Sometimes referred to as "free and open source software" (FOSS), OSS can be used, modified, and shared by the public according to its terms of distribution. + +However, OSS faces a sustainability problem. While some OSS projects are well-resourced by companies and non-profit organizations, other OSS code is maintained and released by people who struggle to monetize their work. Moreover, flaws in OSS has been used to mount supply chain attacks such as [Heartbleed](https://heartbleed.com/) and, more recently, [log4j](https://blog.cloudflare.com/how-cloudflare-security-responded-to-log4j2-vulnerability/). Traditional methods of resourcing OSS development and maintenance – such as corporate or philanthropic donations, [crowdsourcing](https://babeljs.io/blog/2021/05/10/funding-update), or [volunteer time](https://twitter.com/FiloSottile/status/1469441487175880711) – may not be enough. + +**We are seeking the most ambitious and innovative ideas to systemically improve the sustainability of the OSS ecosystem.** We welcome ideas from around the world, and they can range from specific technical improvements to institution-building to policymaking ideas. Here are some (not exhaustive) examples: "implement X feature in a certain package manager", "perform dependency mapping of the OSS ecosystem", "create a training program for OSS maintainers to learn how to apply to grants", "create a mechanism for the US National Science Foundation to better fund critical OSS libraries", "use X web3 mechanism to create incentives to fund OSS tools". + +## 2. Submit a proposal + +If you'd like to submit a proposal yourself, you have two options: +1. Fork this repo and make a copy of [PROPOSAL-TEMPLATE.md](PROPOSAL-TEMPLATE.md). Write up your proposal in the `proposals` directory, then make a pull request to this repository. +2. If you'd rather just use a form, fill out this form: [TODO]. We will copy over your proposal to this GitHub repository. + +## 3. Get or give feedback + +By sharing the proposals publicly on this GitHub repository, we hope this will allow you to get feedback on your proposals, give feedback on / learn from other proposals, and collectively refine and fine-tune the proposals based on feedback. You can use [GitHub Discussions](https://github.com/PlaintextGroup/oss-virtual-incubator/discussions) to organize these discussions. + +## 4. Further support + +Promising proposals will be selected for further support, including further feedback from policy and technical experts, access to a community of policymakers and technical engineers to help them realize their idea, and grant money from us or other partners / funders to help realize the idea. + +## FAQ + +### Why did you start this? + +We'd like to fund systemic improvements in the open source software ecosystem – rather than just funding a specified list of OSS projects, we'd like to take risks on novel ideas that may have an outsize impact and improve sustainability for a wide variety of projects within the open source software ecosystem. Rather than a traditional RFP process, where the submissions are private, we hope a public submission process creates a resource for the entire community to give feedback on, improve, and collect proposals together. + +### What is Plaintext Group? + +Highlight_1@2x + +Plaintext Group is a technology innovation policy initiative being developed by Schmidt Futures. Schmidt Futures' incubation of Plaintext Group is part of our effort to take on important public problems where systemic solutions may be available, by creating interdisciplinary institutions of exceptional people. + +If you are interested in collaborating with us, drop us a note at [ashwin@plaintextgroup.com](mailto:ashwin@plaintextgroup.com). + +### I'm a funder and would like to collaborate with you. How can I help? + +Please drop us a note at [ashwin@plaintextgroup.com](mailto:ashwin@plaintextgroup.com). + +### I have more questions. + +Please file a GitHub Issue or [send us an email](mailto:ashwin@plaintextgroup.com)! diff --git a/proposals/center-for-open-source-security.md b/proposals/center-for-open-source-security.md new file mode 100644 index 0000000..cf7f36b --- /dev/null +++ b/proposals/center-for-open-source-security.md @@ -0,0 +1,49 @@ +### Title + + + +Securing Open Source Software at the Source: Creating a Center for Open Source Software Infrastructure and Security + +### Short description + + + +Congress should establish a Center for Open Source Software Infrastructure and Security for 1) identifying and cataloging critical software in need of support and 2) funding critical improvements in open source software security. + +### Author + + + +@epicfaace + +### Proposal body + + + +Congress should create a Center for Open Source Software Infrastructure and Security within DHS that does the following: +1. Identify and catalog critical software in need of support +Congress should initiate an effort to systematically identify the most critical open source software components and develop criteria for determining the criticality and vulnerability of open source software. This effort can be coordinated with CISA, through the National Risk Management Center (NRMC), to determine the open source software components most important to the nation’s critical infrastructure sectors and National Critical Functions.18 This effort should also engage NIST to determine guidelines for the criticality and vulnerability of open source software, creating criteria analogous to the Common Vulnerability Scoring System (CVSS).19 The effort should result in an ongoing catalog that could be made available to other agencies as well as the public, analogous to the National Vulnerability Database (NVD) program. +2. Congress should establish a process for funding OSS components that are determined to be both critical and in need of support, as well as improvements to the general ecosystem. Such funding could include: + - An emergency fund that supports short-term and narrowly scoped security work, such as bug bounty programs for finding high-severity vulnerabilities or grants for fixing particularly critical vulnerabilities or hardening specific software. For example, qualifying grant proposals could be similar in nature to the Django Fellowship, which helped hire full-time developers to focus on triaging bugs and managing security releases for the open source web framework Django.23 + - A fund for non-software-related strategic initiatives or research that may improve the security health of the entire open source ecosystem. For example, this could include events to improve education around security practices in the OSS ecosystem or research initiatives to better understand how open source developers approach dependency management. + +### Due diligence + + + +1. **What related work has already been done in this area?** +2. **How is this proposal innovative -- what distinguishes it from other related work?** +3. **Who is your doer -- who will execute the proposed work?** +4. **How might this work be sustained long-term after an initial seed grant?** + +### Resources needed + + + +Legislative advocacy + +### Other links and resources + + + +Paper published summarizing this idea: https://www.plaintextgroup.com/reports/securing-open-source-software-at-the-source \ No newline at end of file