OSV Schema TI Graduation Application #456
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andrewpollock
added a commit
to andrewpollock/osv-schema
that referenced
this pull request
Apr 24, 2025
This adds a CONTRIBUTING.md and CODE_OF_CONDUCT.md to address deficiencies and assist with progressing OSV Schema TI Graduation Application (ossf/tac#456) For want of something better, I used what is present at https://github.com/ossf/oss-vulnerability-guide
andrewpollock
added a commit
to andrewpollock/osv-schema
that referenced
this pull request
Apr 24, 2025
This adds a CONTRIBUTING.md and CODE_OF_CONDUCT.md to address deficiencies and assist with progressing OSV Schema TI Graduation Application (ossf/tac#456) For want of something better, I used what is present at https://github.com/ossf/oss-vulnerability-guide Signed-off-by: Andrew Pollock <[email protected]> Signed-off-by: Andrew Pollock <[email protected]>
andrewpollock
suggested changes
Apr 24, 2025
process/project-lifecycle-documents/osv-schema_graduation_stage.md
Outdated
Show resolved
Hide resolved
process/project-lifecycle-documents/osv-schema_graduation_stage.md
Outdated
Show resolved
Hide resolved
process/project-lifecycle-documents/osv-schema_graduation_stage.md
Outdated
Show resolved
Hide resolved
process/project-lifecycle-documents/osv-schema_graduation_stage.md
Outdated
Show resolved
Hide resolved
andrewpollock
added a commit
to ossf/osv-schema
that referenced
this pull request
Apr 24, 2025
This adds a CONTRIBUTING.md and CODE_OF_CONDUCT.md to address deficiencies and assist with progressing OSV Schema TI Graduation Application (ossf/tac#456) For want of something better, I used what is present at https://github.com/ossf/oss-vulnerability-guide Signed-off-by: Andrew Pollock <[email protected]> Signed-off-by: Andrew Pollock <[email protected]>
oliverchang
reviewed
Apr 24, 2025
process/project-lifecycle-documents/osv-schema_graduation_stage.md
Outdated
Show resolved
Hide resolved
process/project-lifecycle-documents/osv-schema_graduation_stage.md
Outdated
Show resolved
Hide resolved
process/project-lifecycle-documents/osv-schema_graduation_stage.md
Outdated
Show resolved
Hide resolved
| * The project has a standing agenda item in the Vulnerability Disclosures Working Group meetings. [Meeting Notes](https://docs.google.com/document/d/1TdxiFofLOfpHUEQILlKq7qkjSsRXVab0uApSDJ8c5rI/edit?tab=t.0) | ||
|
|
||
| Implements, practices, and refines mature software development and release practices, such as adherence to semantic versioning, and having a declared policy for stable releases and backported fixes. | ||
| * "link to policy for (or describe here) software development and release practices" |
There was a problem hiding this comment.
@oliverchang can you suggest an edit here to describe the release process of the schema?
There was a problem hiding this comment.
Actually, it'd be better for that to be in something like a RELEASING.md in the osv-schema repo, I think.
There was a problem hiding this comment.
I will take a look at making a RELEASING.md file, the current release process is pretty simple:
- Bump up the version (patch version bump for new ecosystems, minor version bump for non breaking schema field changes)
- Add schema changes to the changelog
- Publish github release
- Update the github pages branch to the new release.
SecurityCRob
added
the
TI Lifecycle
process/project-lifecycle-documents/osv-schema_graduation_stage.md
Outdated
Show resolved
Hide resolved
Signed-off-by: Jeff Diecks <[email protected]>
…e.md Co-authored-by: Andrew Pollock <[email protected]> Signed-off-by: Jeff Diecks <[email protected]>
…e.md Co-authored-by: Andrew Pollock <[email protected]> Signed-off-by: Jeff Diecks <[email protected]>
…e.md Co-authored-by: Andrew Pollock <[email protected]> Signed-off-by: Jeff Diecks <[email protected]>
…e.md Co-authored-by: Andrew Pollock <[email protected]> Signed-off-by: CRob <[email protected]>
updating based on Oliver's feedback Signed-off-by: CRob <[email protected]>
…e.md Co-authored-by: Andrew Pollock <[email protected]> Signed-off-by: Jeff Diecks <[email protected]>
marcelamelara
force-pushed
the
osv-schema-app
branch
from
e28c7eb to
e7f7d7b
Compare
| * https://github.com/ossf/osv-schema/blob/main/CHARTER.md | ||
|
|
||
| Have a defined and documented roadmap and annual goals for the project | ||
| * https://github.com/ossf/osv-schema/projects?query=is%3Aopen |
There was a problem hiding this comment.
The project board is currently empty. Do you a have a sense for the open issues (or other tasks) you might prioritize next?
| * https://github.com/ossf/osv-schema/projects?query=is%3Aopen | ||
|
|
||
| Project has met at least 4 times over a period of at least 2 months since becoming incubating | ||
| * The project has a standing agenda item in the Vulnerability Disclosures Working Group meetings. [Meeting Notes](https://docs.google.com/document/d/1TdxiFofLOfpHUEQILlKq7qkjSsRXVab0uApSDJ8c5rI/edit?tab=t.0) |
There was a problem hiding this comment.
Besides the requirements for graduation, there doesn't seem to be a lot of discussion about OSV in recent meetings. Per my comment about prioritization above, once this application is completed, do you have a sense for what's next?
| |-----------------------|-----| | ||
| | Repo | https://github.com/ossf/osv-schema | | ||
| | Website | https://ossf.github.io/osv-schema/ | | ||
| | Contributing guide | | |
There was a problem hiding this comment.
Can you please add the link to the CONTRIBUTING.md file?
lehors
reviewed
Aug 5, 2025
| ## Project graduation application | ||
|
|
||
| ### Project has met all Incubating requirements | ||
| * n/a |
There was a problem hiding this comment.
Why is this said to be not applicable? It is not optional. A project doesn't have to go through every step of the lifecycle and may apply for a status at any level but it still needs to fulfill all the requirements for the previous ones.
|
This PR should also include the related necessary change to be made to the table in the README.md file. |
steiza
reviewed
Aug 5, 2025
|
|
||
| ### Security Baseline | ||
|
|
||
| The project meets all applicable Security Baseline requirements: |
There was a problem hiding this comment.
It looks like there are some open issues with respect to meeting the security baseline: https://github.com/ossf/osv-schema/issues?q=state%3Aopen%20label%3A%22security%20baseline%22
| * The project has a standing agenda item in the Vulnerability Disclosures Working Group meetings. [Meeting Notes](https://docs.google.com/document/d/1TdxiFofLOfpHUEQILlKq7qkjSsRXVab0uApSDJ8c5rI/edit?tab=t.0) | ||
|
|
||
| Implements, practices, and refines mature software development and release practices, such as adherence to semantic versioning, and having a declared policy for stable releases and backported fixes. | ||
| * "link to policy for (or describe here) software development and release practices" |
There was a problem hiding this comment.
Suggested change
| * "link to policy for (or describe here) software development and release practices" | |
| * https://github.com/ossf/osv-schema/blob/main/RELEASING.md |
| |-----------------------|-----| | ||
| | Repo | https://github.com/ossf/osv-schema | | ||
| | Website | https://ossf.github.io/osv-schema/ | | ||
| | Contributing guide | | |
There was a problem hiding this comment.
Suggested change
| | Contributing guide | | | |
| | Contributing guide | https://github.com/ossf/osv-schema/blob/main/CONTRIBUTING.md | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an initial draft of the application with some of the basic information included. Submitting as a draft PR to allow for contributions from others collaborating on this app.