IEEE
IEEE SA OPEN
Roadmap

Overview

This roadmap encompasses all work the SA OPEN Community has identified and scheduled to be implemented. This includes new capabilities as well as sustaining and enhancing existing work that has already been completed. Work described in this document will be completed and reported on quarterly (every three months). The dates provided below are the final deadlines for work the SA OPEN Community is engaging with. Work has been divided into our four components: knowledge, trust, governance, and tools.

New capabilities

Knowledge

Community Data

Projects that exist on the SA OPEN platform have a wide range of information associated with them. This knowledge includes the project’s contacts, CLAs signed, and associated project metadata. The IEEE SA OPEN capability keeps MyProject fields updated with information about these projects for propagation through the websites within ieee.org. The work done by the MyProject team is to create and maintain project information associated with standards, such as ‘open source’ and ‘open source CLA’, while the SA DB team makes sure those fields can be propagated across information systems. The actual knowledge entry for MyProject is provided by the IEEE SA Governance team.

Components

Create a framework to report work produced by the IEEE SA OPEN community. Components will be four logical buckets for work that any open source project would include. These buckets are data, trust, governance, and tools. The components should be presented on the https://infra.ieee-saopen.org microsite. Each component will be made up of a series of initiatives, similar to the concept found in agile project management. Each initiative will have one of five possible status levels: scheduled, minimal, viable, complete, and lovable.

Trust

Signed Releases

To foster greater trust in the IEEE SA OPEN projects produced by the community, the final work product of a project, also known as a release, will be signed cryptographically. By doing this, users, stakeholders and developers will be able to confirm the authenticity of a release. Templates and best practices will be documented to allow other projects, including working groups, to adopt this work for themselves. Signed releases will include documentation

Software Bill of Materials (SBOM)

[Software Bills of Materials (SBOMs)](https://www.cisa.gov/sbom) are a nested list of libraries or ingredients that make up a software product. The concept has been identified by the US Cybersecurity & Infrastructure Security Agency (CISA) as a key building block in distributing secure software. To enable creation and distribution of SBOMs, the IEEE SA OPEN community will create and maintain documentation, tools, and related materials. These resources will be made available to the community so any project can adopt them.

Sustained / Enhanced

Data

Standards Project Tracking

Collecting project information is an ongoing task for the IEEE SA OPEN Community. Project information itself, including the official project repository, will be continually maintained by manual entry until the Community Data project can replace this work in an automated fashion. Additionally, the list of signed CLAs will need to be updated on a quarterly cadence to ensure all projects are compliant.

Trust

Vulnerability Reporting

Reporting vulnerabilities is a high priority and ongoing task at IEEE SA OPEN. Projects that use external libraries will need to be scanned, and if vulnerabilities are found the maintainers need to be notified. The creation of templates and processes is required to enable strong and robust reporting between projects and their stakeholders. Documentation is needed to ensure these processes are reproducible. Enhancements of MITRE CVE will be made accessible to applicable projects in an easy-to-adopt manner. The SECURITY.md must also be enhanced as we strengthen our practices and provide more reporting options.

Policy

CLA Tracking

CLA Tracking is currently a time-consuming manual process. The process of tracking CLAs will be automated so that CLAs are imported directly from their signers into MyProject via the API. Coordination with the MyProject team will be required for this process to be implemented. Automating the tracking of CLAs should create a more streamlined path for project maintainers and contributors to collect and track CLAs using our platform. The integration with MyProject will facilitate up-to-date CLA information for the IEEE SA.

Maintainers Manual

Updating and supporting the Maintainers Manual is an ongoing task for the IEEE SA OPEN Community. New templates will need to be created to facilitate the work of the Maintainers Manual Subcommittee. Additionally, work to facilitate the publication of the Manual will need to continue.

Tools

Communication

Ongoing security and routine updates to the IEEE SA OPEN Mattermost instance need to be made to keep the platform current and secure for the community. The platform is deployed using a playbook for Ansible. To drive transparency and collaboration, the Ansible playbooks for this project will be made into an open source project known as Open Up.

Documentation will be written to facilitate adoption of notifications and DevOps features offered by Mattermost.

Collaboration

Ongoing security and routine updates to the IEEE SA OPEN GitLab instance need to be made to keep the platform current and secure for the community. The platform is deployed using a playbook for Ansible. To drive transparency and collaboration, the Ansible playbooks for this project will be made into an open source project known as Open Up.

Documentation will be expanded to enable projects to more easily adopt continuous integration / continuous development (CI/CD).

Roadmap

2022-12-31 (Q4-2022)

Knowledge

Policy

2023-03-31 (Q1-2023)

2023-06-30 (Q2-2023)

Knowledge

2023-09-30 (Q3-2023)

Knowledge

2023-12-31 (Q4-2023)

Knowledge

2023-02-28