[IP policy and license review] Vuln-Reach Sandbox Project Entry

[louislang]

Vuln-Reach is seeking Sandbox Project Entry into the OpenSSF under the Security Tools WG.

The Vuln-Reach maintainers are requesting the "one-time IP policy and license review with The Linux Foundation" as part of our sandbox application.

VulnReach Links

• License (Apache 2.0)
• Readme

[SecurityCRob]

We will discuss this at the 1October TAC call at 11am ET. Please have representatives from the project and the Working Group in attendance.

Please review https://github.com/ossf/tac/blob/main/process/project-lifecycle.md#submission-process

[ware]

Vuln-Reach is seeking Sandbox Project Entry into the OpenSSF under the Security Tools WG.

The Vuln-Reach maintainers are requesting the "one-time IP policy and license review with The Linux Foundation" as part of our sandbox application.

VulnReach Links

• License (Apache 2.0)
• Readme

@louislang, please make sure to take a close look at the Project Lifecycle document to make sure we get all of the right information in to the Sandbox application. Specifically we need to make sure the application covers these aspects:

Sandbox Entry Requirements and Considerations

• Projects must have a minimum of three maintainers with a minimum of two different organization affiliations.
• Projects must be aligned with the OpenSSF mission and either be a novel approach for existing areas or address an unfulfilled need. It is expected that the initial code or specification developed by an OpenSSF WG be kept within their repository and will not function as a Project in its own right. Should the initial WG code or specification grow and mature that it warrants its own Project status, then it is subject to Sandbox entry requirements. It is preferred that extensions of an existing OpenSSF project collaborate with the existing project rather than seek a new project.
• Projects must seek one TAC sponsor or one WG sponsor (if reporting to a WG)
  • TAC or WG sponsor agrees to attend Project meetings regularly
  • TAC or WG sponsor does not need to have a formal role in Project, e.g., maintainer
  • TAC or WG sponsor requests TAC approval
• If contributing an existing project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF).

Additionally, we need to make sure we reach the security baseline for a sandbox project.

[sevansdell]

Are we doing the legal review in parallel, or waiting for the PR to be approved then doing the legal review?

[lehors]

Are we doing the legal review in parallel, or waiting for the PR to be approved then doing the legal review?

Historically we've done this in parallel.

[sevansdell]

This legal review is tied to the PR for sandbox appliction: #388. Has the legal review been initiated? How is it progressing? @afmarcum

[afmarcum]

@riaankleinhans can you verify this is with LF Legal and whether there is any update?