Best practices for security of critical Internet infrastructure services to open source projects

Public Discussion on benchmarking best practices for security of critical Internet infrastructure services to open source projects

Objectives:

Identify and recommend best practices for the Open Constitution licensing initiative;
Identify and update Open Constitution’s OSS policy;
Identify best practices for IP clarification for open source contributors, e.g. citizens of Open Constitution;
Suggest conclusions on how different stakeholders (corporate, governments, non-profits, associations) can interact with the open source intellectual capital.

This public discussion (open research) tracks relevant case studies:
a. For benchmarking best practices for security of critical Internet Infrastructure of Open Constitution collective
b. For benchmarking best practices for receiving critical Internet Infrastructure services from corporate stakeholders
c. For benchmarking release and reduction of derivative IP into open source.

Comments to the House Science Committee, USA, by Brian Behlendorf

A few excerpts/highlights:
Funding from our corporate partners goes towards supporting the core staff and functions that enable this community, but all the substance comes from voluntary efforts.

Executive Order 14028 for the adoption of SBOMs aligned nicely with the standardization and growing adoption of the SPDX standard by a number of OSS projects, but it was aided substantially by the involvement of personnel from NIST, CISA, and other agencies engaging directly with SPDX community members.

https://spdx.org/licenses/

engage in OSS development and security work as a form of global capacity building, and in doing so, in global stability and resilience. OSS development is inherently international and has been since its earliest days.

Instead of owning or operating such services directly, the Federal Government should provide grants or other resources to operators of such services as any major stakeholder would. Along similar lines, should the Federal government fund activities like third party audits of an open source project, or fund fixes or improvements, it should ensure not only that such efforts don’t duplicate work already being done, it should ensure that the results of that work are shared (with a minimum of delay) publicly and upstream so that everyone can benefit from that investment.

Source: openssf.org, Written-Comments-to-the-House-Science-Committee-2022-05-11-Brian-Behlendorf.pdf