Remaining OSSF Funding #1384
Comments
@mhdawson Do we still need to take action on this? |
@RafaelGSS yes. We still need to discuss/agree how the project wants to use the remaining funding. |
I think we can come up with a conclusion once the first two questions are answered:
|
I added the tsc-agenda label so that we can ask TSC members if they have any concerns/suggestions about what is in the original post. If not we can take the next step of asking the Foundation about those 2 questions. |
The next step is to answer these questions:
The key question is how we get the money to a contractor that is selected to work on automating the security release process. Those questions are related to 2 options that we think might be the answer. Either the Foundation handles the payments for the project or the Foundation transfers the $ to the project's LFX account so that it can make the payments itself. We are interested in what options are possible and how much support the Foundation can give us for each of the options. |
I've added the label as a reminder to ask in the next CPC meeting if there is not already an answer before then. If so we'll remove the agenda tag. |
@rginn, @bensternthal would be great if you can chime in. Otherwise I guess we'll catch you in the next Cross Project Council meeting a week from now. |
My vote would be for the crowdfunding platform, but let's discuss it at the next CPC meeting with Robin. |
I asked in the last CPC meeting and @rginn said the Foundation could handle contracting to individuals/companies that we would want to do the work. @RafaelGSS is going to put together a more detailed outline of the proposed work as the next step. @bensternthal, @rginn could you send the TSC the exact amount we have available so that we know how to scope? |
I will research and report back. |
I've created a detailed outline of the proposed work nodejs/security-wg#860 (comment). |
@mhdawson, the exact amount is $39k. Once you have a resource identified, let me know and I will assist with a contract. |
@bensternthal thanks for confirming. |
Adding to the TSC agenda to get approval on this and move forward with applications. |
@RafaelGSS We need a document describing the work we need done in detail. |
@mcollina Isn't that what nodejs/security-wg#860 (comment) does? |
Ah, I load it inside the long list of comment replies. It's better if it's defined as a gist and linked in, but overall +1. Or possibly open a separate issue in the admin repo. |
We should put out a call for contractors on this work, possibly anonymous or via the OpenJS Foundation. We should agree how we decide this. |
Would a Google Form work for it? We need to get all the information OpenJS Foundation needs to create the contract. @bensternthal could you help on this? |
The information I would need to create a contract would be:
My initial thinking is not to create a form for this. Once you decide on the vendor I would reach out directly to collect this information and facilitate a contract being signed. I would not want to collect all this information unless we were proceeding with a contract (feel free to disagree). To me it sounds like you need something closer to a Request For Proposal or RFP, where you publish what you are looking for and folks provide an SOW/bid on the work? If that's true I can create a Google Form for you if you let me know what fields you would want (I think it's probably just basic info like their name/company, contact info, SOW, bid amount and if you want some link to references or other work). Let me know what you decide. |
Correct. Yes, that would be much appreciated. The details of the work are described in nodejs/security-wg#860 (comment). |
Ok sounds like this is moving forward and that you need help with an intake form for the RFP. I'll mock something up for folks to provide feedback on. |
@bensternthal thanks for jumping in :) |
Folks, I stubbed out a basic/draft form for you: https://forms.gle/X6b6oL3SKdA4LNhx5 A few things:
|
@RafaelGSS I think this could probably be closed or closed soon as I think you have followed through on the proposal? |
Yes. Thanks! |
The project has about $30k in remaining funding from the OSSF for this year that has not been allocated. I'm opening this issue after an initial meeting of some TSC members to discuss how we might use that funding so that we can have a broader discussion and cover some questions on logistics that we'd need to figure out since this would be our first time doing something like this.
The funding from the OSSF is intended to support security related work in the project. Based on that one of the initial suggestions is to use the funding to hire a contractor to help automate our security release process. Other suggestions are welcome for discussion as well. Ideally we'd hire an existing collaborator with context/knowledge of the project
A few of the questions we would need to figure out include: