Open Initiative for Process Specifications
The open source community is collaborating to establish common specifications for secure software development based on open source best practices.
Participants:
About:
What is the purpose of this new initiative?
The Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation are jointly announcing our intention to collaborate on the establishment of common specifications for secure software development based on existing open source best practices. The working group is forming to address the multifaceted challenges of cybersecurity in the open source ecosystem and to demonstrate our commitment to cooperation with and implementation of the CRA.
Why does this initiative require multiple open source software foundations?
For years, open source foundations and communities have created and maintained de facto standards for secure software development processes. Using these as our starting point, we aim to accelerate the development of cohesive cybersecurity processes required for regulatory compliance while offering a neutral environment for hosting technical discussions with the open source community at large.
Why host it at the Eclipse Foundation (vs elsewhere)?
The neutrality of foundations, vendors, and communities is central to this effort. The new working group will be hosted at the Brussels-based Eclipse Foundation AISBL under the auspices of the Eclipse Foundation Specification Process. The governance of the working group will follow the Eclipse Foundation’s usual member-led model but will be augmented by explicit representation from the open source community to ensure diversity and balance in decision-making. The deliverables will consist of one or more process specifications made available under a liberal specification copyright licence and a royalty-free patent licence.
What are the ultimate deliverables of this initiative?
The group’s initial effort will be to enumerate the respective open source foundations' security policies and procedures and similar documents describing best practices. With these as our starting point, we aim to accelerate the development of cohesive cybersecurity processes required for regulatory compliance while offering a neutral environment for hosting technical discussions with both industry and the open source community at large.
When can we expect to know more?
We are moving fast. You can expect to see additional details in the next couple months. To stay updated, sign up for the mailing list.