Dear Members,

The Google Open Source Security Team is looking for feedback from the community and interested individuals to partner with us on improving the Apache project's security processes. We are proposing a collaborative process involving audits, tooling, and funding for early engagements to help improve processes against potential security risks, benefiting all members of the Apache Software Foundation.
This is a hard problem, so we hope that by joining efforts we can collectively increase the reliability of the software, reduce manual effort, strengthen user trust, and improve maintainability. We'd like to hear the community's thoughts about current needs and worries in this space, and share some of our own ideas for possible innovations in the release process methodology. For example, we have been considering the following options to address known pain points in the process:

- 1:1 collaborative working sessions;
- Regression testing: using continuous fuzzing (such as OSS-Fuzz) to catch bugs early in the development lifecycle and limit breakage caused by new additions, contributing to a more robust codebase;
- Key management improvements: keyless signing (Sigstore) to free users from maintaining keys and allow easy signature verification by customers;
- Transparent builds: using SLSA as a framework for threat modeling to help evaluate weak links in the release process. This would also give consumers trust in the software's provenance, mitigate the risk of insider compromise, and reduce the burden on maintainers through build services usable by the community.

Our team is looking for partners in this journey! We are excited to begin early engagements with projects that are in high use, critical to many corporations, and would benefit the most from improvements. Please let us know of any ideal candidate projects that could both benefit from our partnership in the areas described above and help develop the process to apply to the larger community pool in the future.

We're happy to meet directly with anyone in this group who would like to discuss their ideas and project candidates. Please use our Google group to directly reach members of GOSST: [email protected]. We look forward to working together on advancing the release process in the foundation.

Thank you,
Ben (on behalf of Google's Open Source Security Team)
