[Technical Initiative Funding Request]: User survey for understanding attestations #447
Comments

Note that this is similar in some ways to #424, but the audience is fundamentally different. #424 is looking at UI/UX for people consuming attestation information, and this survey is targeting people who would be publishing attestations (i.e. people who maintain packages). Additionally, the output of this survey is not just recommendations for UI/UX improvements, but also docs, FAQs, or other explainers.

Have you investigated what resources LF can provide to help with this? LF does surveys all the time (mostly through LF Research, but not only). LF AI & Data has had several of them, and there may have been some internal cost, but this did not require hiring an external contractor. I would suggest you first find out what's possible on that front.

I like this proposal: attestations are going to be crucial, and thus adoption depends a lot on understanding the rationale and details of attestations. I am particularly looking forward to follow-up improvements identified as a result of the survey. Therefore, I generally support this. From an implementation perspective, I agree with @lehors's comment about LF Research.

I'm in support of this; if we can do it through LF Research vs. paying a contractor, I think that would be preferable.

I'll be reaching out to LF Research. Note that LF Research does come with a cost that'll likely be higher than this request.
/vote

Vote created. @riaankleinhans has called for a vote on this issue. The members of the following teams have binding votes:

Non-binding votes are also appreciated as a sign of support! How to vote: you can cast your vote by reacting to the vote comment.

Please note that voting for multiple options is not allowed and those votes won't be counted. The vote will be open for
Technical Initiative
Securing Software Repos Working Group
Lifecycle Phase
Graduated
Funding amount
$5000 (Based on an assumed $100/hr rate for a professional for 50 hours of work)
Problem Statement
Package registries, such as npm, PyPI, Maven Central and RubyGems, have implemented support for signed attestations, including build provenance and publish attestations in some cases. Adoption has been encouraged through documentation on CI trusted publishing workflows, targeting both security-conscious users and the average developer.
Each time a registry has announced support for attestations, we have seen some confusion online around the feature, with questions about the purpose and value of an attestation, usability concerns, how it overlaps with other initiatives, the privacy implications, and a myriad of other security-related questions.
The working group seeks funding to create a survey of package registry users around attestation adoption, consumption and verification. The survey will target users who have uploaded attestations to the package registry. The outcomes of the survey may include updates to registry documentation, UX/UI, blog posts, and tooling to simplify and increase provenance adoption.
Who does this affect?
The survey is relevant to registries that have adopted provenance or that plan to adopt it. The results of the survey may also be useful to adjacent projects like SLSA and Sigstore to better understand critical user journeys.
Have there been previous attempts to resolve the problem?
Adoption is relatively greenfield, so such a survey has not yet been conducted.
Why should it be tackled now and by this TI?
As a number of registries have either just adopted provenance or will in the coming year, it is a perfect time to conduct this survey to better understand users' questions and concerns and to assess their current level of understanding.
Give an idea of what is required to make the funding initiative happen
An individual or company will 1) create the survey with the assistance of the working group, 2) work with package registries to conduct the survey, 3) present the results of the survey to the working group and 4) work with package registries on action items to follow up on from the survey results.
Package registries will be responsible for determining which users to survey, e.g. those who have already uploaded attestations, and handling further outreach through mailing lists or banners on websites.
What is going to be needed to deliver this funding initiative?
We need to find an individual or company with the necessary expertise to create and run this survey. We will also need sign-off from each of the package registries, which will be responsible for sending the survey to their users. We've already had non-binding commitments from PyPI, RubyGems and npm to collaborate on the survey.
Are there tools or tech that still need to be produced to facilitate the funding initiative?
N/A
Give a summary of the requirements that contextualize the costs of the funding initiative
We estimate 50 hours of work, billed at $100/hr for a professional.
Who is responsible for doing the work of this funding initiative?
TBD; we will need to hire someone to conduct the survey.
Who is accountable for doing the work of this funding initiative?
Hayden Blauzvern (Google, wg participant)
If the responsible or accountable parties are no longer available, what is the backup contact or plan?
WG co-chairs, Dustin Ingram and Zach Steindler
What license is this funding initiative being used under?
https://github.com/ossf/wg-securing-software-repos/blob/main/LICENSE
Code of Conduct
List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.
If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.
We will work with the OpenSSF to create the SOW.