
Apply to donate Minder to the OpenSSF #386

Open: wants to merge 1 commit into main

Conversation

evankanderson

Ref: https://openssf.slack.com/archives/C019Q1VEA87/p1726855033765969

Hey all, sorry to have had the meeting cancelled. I know that someone (Craig McLuckie? Luke Hinds?) gave a presentation on August 9 about applying to donate https://github.com/stacklok/minder to the OpenSSF under the Security Tooling WG.

I think we've reached the point where we're ready to meet the Sandbox criteria, and I wanted to confirm that there was someone in the Working Group that would be willing to sponsor Minder. I think Juan Antonio Osorio (@JAORMX) and Evan Anderson (@evankanderson) would be the primary contacts who would show up at the tooling meeting on an ongoing basis, but I'm working to confirm names. (In any case, Minder would have some representative at the meetings; Craig and I were prepared to dial in today until I saw Ryan's note this morning.)

CC @craigml and @lukehinds on the IP licensing process

@mlieberman85 volunteered to help shepherd, though I think we may have several interested participants.

@evankanderson evankanderson requested a review from a team as a code owner September 23, 2024 11:40
@marcelamelara
Contributor

Does this project have open community meetings? Or is that planned once it reaches sandbox stage?

@evankanderson
Author

evankanderson commented Sep 23, 2024 via email

@marcelamelara
Contributor

Cool! Thanks for clarifying. It would be great to show that Minder already has a larger community behind it, so if it's not already in the sandbox application, I recommend adding a link to the Discord channel.

@steiza
Member

steiza commented Sep 24, 2024

Thanks for submitting this PR! I have some clarifying questions on scope and how Minder works.

First some background. Over time we've learned:

  • the OpenSSF governing board wants to minimize the number of cloud-hosted services we maintain
  • naming can get very confusing when you're talking about a CLI, an open source project which includes a server that end-users can run, and a hosted public-good instance a company runs

It seems like the minder CLI needs a Minder server in order to manage security properties of repositories - is that correct? And of course the Minder open source project includes a Minder server that end-users can run for their minder CLI to talk to. Last but not least, the company Stacklok runs a public-good Minder server that is the default for the minder CLI.

So the clarifying question is what's entailed in this new TI. I believe it's the open source project, including the CLI and the server that end-users can run themselves, but not the public good Minder server, that hopefully Stacklok will continue to run - do I have that right?

@evankanderson
Author

evankanderson commented Sep 25, 2024

@steiza -- you have it correct; we would be donating the CLI and the server components (both named minder), but continuing to run a public-good instance via Stacklok's own infrastructure at https://api.stacklok.com/ (which I think may be called "Stacklok Cloud" or some other name that doesn't use the OpenSSF trademark).

The discord link: https://discord.com/channels/1184987096302239844/1185287949240242258; I expect we'll move that communication to OpenSSF slack if the donation is accepted.

@SecurityCRob
Contributor

We will discuss this at the 1 October TAC call at 11am ET. Please have representatives from the project and the Working Group in attendance.

SecurityCRob added labels on Sep 25, 2024: vote, Next Meeting, TI Lifecycle (Issue/PR related to TIs' lifecycle status. Needs 5 approvals, 10d review.), Submission Request

Contributor

@SecurityCRob left a comment

+1 for adoption, pending IP/license review. I'm excited to hear the project and WG come in and speak with the TAC. Policy-based decisioning is very interesting.

@mlieberman85
Contributor

I will miss tomorrow's meeting but I think my only questions might have already been addressed:

  1. What are the plans with Minder docs, Stacklok's public service and stuff like that
  2. Is there anything that depends on Stacklok's service? I think the answer is no, reading through the code.

Separately, I would like someone to walk me through the build process at some point. I wanted to check it out but I couldn't get the build working on MacOS at least and test out some of the pieces myself, e.g. how Minder works without the public service.

@JAORMX

JAORMX commented Sep 30, 2024

  1. What are the plans with Minder docs, Stacklok's public service and stuff like that

We do plan to donate the docs as well. We'd need to figure out a domain for it or just host it via github pages.

  2. Is there anything that depends on Stacklok's service? I think the answer is no, reading through the code.

We default the client to our hosted instance, but we can easily change that.

Separately, I would like someone to walk me through the build process at some point. I wanted to check it out but I couldn't get the build working on MacOS at least and test out some of the pieces myself, e.g. how Minder works without the public service.

What's your timezone? @evankanderson could do a walk through in US timezone and I could do so in a European timezone.

@evankanderson
Author

I will miss tomorrow's meeting but I think my only questions might have already been addressed:

  1. What are the plans with Minder docs, Stacklok's public service and stuff like that

Currently, Stacklok maintains two sets of docs:

https://minder-docs.stacklok.dev/ is a build from https://github.com/stacklok/minder/tree/main/docs, hosted on GitHub Pages via custom domain. We expect that we'd donate all of that to the OpenSSF.

https://docs.stacklok.com/minder is Stacklok's hosted-product docs. Note that today we incorporate the open-source docs with some additional overlays. We'll need to figure out what degree of import-with-credit vs separate content is possible and appropriate; our preference would be to incentivize corporate contributors to put as much documentation content as possible into the foundation, but we also don't want to encourage sloppy trademark / copyright practices. (Yes, we may need to make some Stacklok re-branding efforts during the course of the donation.)

With respect to the public service, I believe that Stacklok is committed to continuing to provide free services for open-source projects, and to later provide commercialization for private repos and other enterprise-grade features like SSO. I can't commit on which specific parts will be OSS vs extensions, but I can commit that any extensions we'd build would be open to other implementers to build equivalents. This was somewhat covered in #386 (comment).

Stacklok has built a UI as part of our hosted service which is not part of the donation; there's been at least one community UI effort which I can dig up if needed.

  2. Is there anything that depends on Stacklok's service? I think the answer is no, reading through the code.

The client has some baked-in defaults which point to the Stacklok service. We could change these in the upstream OSS, but it's nice to have a client that doesn't need a lot of configuration. That sounds like a conversation best handled and honored as a community discussion on an ongoing basis. (There are a set of different client configurations in https://github.com/stacklok/minder/tree/main/config; overall the configuration is fairly flexible.)

There are two dependencies on other Stacklok code which we need to better modularize; these are cases of "where we're at, not where we want to be" -- the trusty evaluator and the minder.actions.replace_tags_with_sha action both reference Stacklok services / code directly, and we intend to rewrite them to be behind more generic interfaces such that there's a clear path for other systems or providers to integrate with Minder as well.

Separately, I would like someone to walk me through the build process at some point. I wanted to check it out but I couldn't get the build working on MacOS at least and test out some of the pieces myself, e.g. how Minder works without the public service.

https://minder-docs.stacklok.dev/run_minder_server/run_the_server is probably a good place to start. Once you have make run-docker working, you should be able to use the https://github.com/stacklok/minder/blob/main/config/cli-local.yaml file to point the CLI at your local instance. The TL;DR that works for me is:

  1. Create a GitHub App of your own and store the credentials in the expected configuration locations.
  2. make bootstrap to get tools installed
  3. make run-docker to start the servers
  4. make KC_GITHUB_CLIENT_ID=... KC_GITHUB_CLIENT_SECRET=... github-login to configure keycloak login
  5. export MINDER_CONFIG=config/cli-local.yaml to set the default endpoints for the client
  6. minder auth login (from either the brew install version or from make build) to log in and get started.

I'm happy to help walk you through this process; our getting started docs could probably also use some improvement, or should point to the minder-docs page.

Contributor

@bobcallaway left a comment

+1 for adoption, pending IP/license review.

Contributor

@torgo left a comment

support

Contributor

@marcelamelara left a comment

Thanks @evankanderson ! +1 to have Minder join ossf as a sandbox project. Looking forward to the upcoming discussions with the Scorecards team and other projects!

Member

@steiza left a comment

This was approved at the Oct 1st TAC meeting. @riaankleinhans will work with Minder to complete the IP / license review, and then we can land this pull request.

Labels
Next Meeting Submission Request TI Lifecycle Issue/PR related to TIs' lifecycle status. Needs 5 approvals, 10d review. vote

8 participants