OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti] Status of CTI OASIS Open Repositories


I realize this might go against the grain for some, but maybe we should talk about the organization of GitHub repos on the next working call. Personally, having one OASIS organization for _all_ GitHub repos is going to make tracking the work of any single TC more difficult. In addition, one OASIS organization prevents individual TCs from having *.github.io pages, which the STIX/TAXII group has made good use of in the past. I’d like it if we could consider a method that would provide the necessary governance AND make the management of GitHub repos a little less cumbersome.

 

I don’t know if it’s feasible, but I’d be interested in exploring a structure that has the following properties:

·         A GitHub organization for the CTI TC (e.g., github.com/oasis-cti-tc/)

·         All CTI TC repos fall under the OASIS-CTI-TC GitHub Org

·         A set of operating rules for managing repos that does NOT require a ballot. Possible operating rules:

o    New repos require sponsorship by a co-chair and sign-off by the TC chair

o    Repo maintainer has some authority over who has which rights

o    Any part of the operating rules can be superseded by a ballot on the topic (e.g., if a maintainer doesn’t want a repo deleted, but the repo really should be deleted)

·         Other considerations?

 

Basically, my goal would be to free us up a bit in terms of repo management, while staying true to the intent of participating in OASIS. What do people think?

 

Thank you.

-Mark

 

From: <cti@lists.oasis-open.org> on behalf of Robin Cover <robin@oasis-open.org>
Date: Tuesday, October 4, 2016 at 7:02 PM
To: "Ted Bedwell (tebedwel)" <tebedwel@cisco.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Kirillov, Ivan A." <ikirillov@mitre.org>, "Back, Greg" <gback@mitre.org>
Subject: Re: [cti] Status of CTI OASIS Open Repositories

 

Another resource on submodules

 

"Working with submodules" (February 01, 2016)

 

-rcc

 

On Tue, Oct 4, 2016 at 3:56 PM, Ted Bedwell (tebedwel) <tebedwel@cisco.com> wrote:

For the other git neophytes out there:

https://git-scm.com/book/en/v2/Git-Tools-Submodules

http://blogs.atlassian.com/2013/03/git-submodules-workflows-tips/

 

This seems like a viable approach.

 

From: <cti@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Tuesday, October 4, 2016 at 3:19 PM
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, Robin Cover <robin@oasis-open.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Kirillov, Ivan A." <ikirillov@mitre.org>, "Back, Greg" <gback@mitre.org>
Subject: Re: [cti] Status of CTI OASIS Open Repositories

 

Couldn't we do a git repo containing submodules? Then each tool can have its own git repo, and it can be linked a submodules into the overall tools collection repo.

This then makes it easy for everyone to get a copy of all three rows from one place, and yet we avoid the problems with many different people who only need access to parts of the git tree...

Cheers
Terry MacDonald
Cosive

 

On 4 Oct. 2016 9:09 am, "Bret Jordan (CS)" <Bret_Jordan@symantec.com> wrote:

The problem with all of this is that it is not a collection of repos, but rather specific repos.  Including multiple projects in a single repo is considered "bad form".  Yes, you can do funky things with TAGS and you can even use different directories in the same repo.  But that kind of break the git model.  So instead of OASIS creating a oasis-open project with a bunch of arrant TC repos underneath, it seems like OASIS should setup a TC specific "projects".  Then the TC can create as many repos on the project that it wants.

 

Bret


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Robin Cover <robin@oasis-open.org>
Sent: Thursday, September 29, 2016 8:28:43 AM
To: Jason Keirstead
Cc: Kirillov, Ivan A.; Back, Greg; OASIS CTI TC Discussion List; Robin Cover
Subject: Re: [cti] Status of CTI OASIS Open Repositories

 

On Thu, Sep 29, 2016 at 9:14 AM, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

RE "I don't quite understand your meaning here:


"... so the public is basically only able to contribute to things that already exist, not contribute anything new (unless they proxy through a member)""

It is basically tied back to the need, currently, to be a TC member and make a motion if you want to make a new repository

OK, I understand.  I'll raise the issue with Staff: can/should we support some means whereby a non-TC Member can easily make request for a new OASIS Open Repository where it's perceived that no existing Open Repository repository is suitable.

, combined with these repositories being tied to very specific projects and not having a generic top-level repository.

In the case at hand: the CTI TC can create an OASIS Open Repository described as "generic":  that is your choice.   I suppose you could also characterize some new OASIS Open Repository as "top-level" (notionally) if the TC members wanted to do that.

 


Imagine a non-TC member has some brand new code they want to contribute, but it does not fall into any of these existing open repository categories, and we have no "generic" type of repository. They can not make a new repository, or even motion to make one, as they are not a TC member. They're stuck. The only way they could donate this code, would be to try to proxy through another TC member to get the repository created for them to commit it to. I strongly suspect that instead of that hassle they would just put it up on their own Github.

 

Thanks for the clarification via examples.  I'll certainly raise the issue with Staff.  All such suggestions for improvement are welcome.

 

Kindest regards and best wishes,

 

- Robin

 

 


-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


active hide details for Robin Cover ---09/29/2016 09:28:30 AM---On Thu, Robin Cover ---09/29/2016 09:28:30 AM---On Thu, Sep 29, 2016 at 7:02 AM, Jason Keirstead <Jason.Keirstead@ca.ibm.com > wrote:

From: Robin Cover <robin@oasis-open.org>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "Kirillov, Ivan A." <ikirillov@mitre.org>, "Back, Greg" <gback@mitre.org>, OASIS CTI TC Discussion List <cti@lists.oasis-open.org>, Robin Cover <robin@oasis-open.org>
Date: 09/29/2016 09:28 AM
Subject: Re: [cti] Status of CTI OASIS Open Repositories
Sent by: <cti@lists.oasis-open.org>





On Thu, Sep 29, 2016 at 7:02 AM, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

I hear what you are saying and there are definitely pros and cons to having some more generic repositories - but I am trying to envision the near future where we will hopefully have a whole bunch of various code contributions from vendors, members and hopefully non-members alike. This is just my opinion of course, but I think we should try to make the process to contribute code to the TC as light-weight as possible, to encourage people to contribute to our open repositories vs. just throw it up on their own Github account - as if they do that, then IPR and access is not as assured. Having to make a motion to create a new repository every time someone wants to contribute some new code, is a fairly heavyweight process in my opinion. It also means that only TC members can contribute any "new things", because the public can't trigger a vote on making a new repository - so the public is basically only able to contribute to things that already exist, not contribute anything new (unless they proxy through a member).


Jason, I'll raise the matter of requiring a motion/ballot with Staff.  We probably want some kind of confirmation from the TC Chairs(s) -- indicating that there was consensus on the key elements of the request (name, Maintainers, choice of FOSS license, etc)

Re:
> a whole bunch of various code contributions from vendors, members and hopefully non-members alike

That sounds great, and OASIS Open Repositories are intended to support that.   It's a TC decision whether you want more or fewer repositories. It's a TC decision as to whether the repos are described as "generic" or having closely defined focus.

I don't quite understand your meaning here:

"... so the public is basically only able to contribute to things that already exist, not contribute anything new (unless they proxy through a member)"

For the OASIS Open Repositories, once the repo is created, anyone from "the public" (non-TC member) can be a full participant, including Maintainer, per consensus.  They can contribute "new things" in the same way as anyone can contribute new things to any GitHub public repository.  Perhaps I misunderstand your concern....

I have assumed, maybe incorrectly, that your mention of a new repository (additional to those reported by Greg Back [1]) meant you want a new OASIS Open Repository ( https://www.oasis-open.org/resources/open-repositories )

- Robin


[1]

cti-stix2-json-schemas
cti-pattern-validator
cti-marking-prototype
cti-stix-visualization
cti-stix-validator
cti-documentation
cti-cybox3-json-schemas

 


-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


active hide details for Robin Cover ---09/28/2016 10:35:01 PM---Jason, TRobin Cover ---09/28/2016 10:35:01 PM---Jason, The decision about creating something like "stix-tools" is (of course) a

From:
Robin Cover <robin@oasis-open.org>
To:
Jason Keirstead/CanEast/IBM@IBMCA
Cc:
"Kirillov, Ivan A." <ikirillov@mitre.org>, "Back, Greg" <gback@mitre.org>, OASIS CTI TC Discussion List <cti@lists.oasis-open.org>, Robin Cover <robin@oasis-open.org>
Date:
09/28/2016 10:35 PM
Subject:
Re: [cti] Status of CTI OASIS Open Repositories
Sent by:
<cti@lists.oasis-open.org>





Jason,


The decision about creating something like "stix-tools" is (of course) a decision for the TC members, and I have no horse in the race.


Some might think "-tools" itself is too broad, and encourage minting a name more specific to the kind of tool (or tools) you want to develop in the repository.


One of the OASIS (SSO/SDO) peers has taken a position that specific-purpose GitHub repos works well, as opposed to (an arguably equally competent)  design that uses folders within a single repository.   Using separate repos means less work (design work, workday-work) when creating and applying labels to issues and pull requests: you don't have to permute out name elements that are scoped to the sub-projects within the repo.  Just use one taxonomy of types/labels without namespace worries.  And: you can five write privs to relatively more of the interested parties with fewer discussions about (uh) "who can/should " maintain which sub-projects...


But as always: it's up to the TC, and I am no expert here.


- Robin


On Wed, Sep 28, 2016 at 7:48 PM, Jason Keirstead <
Jason.Keirstead@ca.ibm.com> wrote:

Hello all;

IBM has been developing a STIX 2 generator, useful for testing tools. It is rudimentary at this point, but we will continue to improve upon it - and would like to share it with the community for both collaboration and improvement.

It doesn't seem to fit into any of these repositories as they are named so specifically. Should we make some more generic one called something like "stix-tools" to cover this and also future potential contributions that would not fit into these buckets?

--
Sent from my mobile device, please excuse any typos.


Kirillov, Ivan A. --- Re: [cti] Status of CTI OASIS Open Repositories ---

From:

"Kirillov, Ivan A." <ikirillov@mitre.org>

To:

"Back, Greg" <gback@mitre.org>, cti@lists.oasis-open.org

Date:

Wed, Sep 28, 2016 2:09 PM

Subject:

Re: [cti] Status of CTI OASIS Open Repositories



Great news! Trey and I hope to begin populating the CybOX 3 JSON schema repo soon :-)

Regards,
Ivan

On 9/28/16, 12:04 PM, "cti@lists.oasis-open.org on behalf of Back, Greg" <cti@lists.oasis-open.org on behalf of gback@mitre.org> wrote:

>The following OASIS Open repositories have been created and populated with content that MITRE has been developing on behalf of DHS.
>
>- cti-stix2-json-schemas
>- cti-pattern-validator
>- cti-marking-prototype
>- cti-stix-visualization
>- cti-stix-validator
>
>There are two other repositories that exist, but do not (yet) have any content:
>
>- cti-documentation
>- cti-cybox3-json-schemas
>
>The open repositories are meant to assist with the development of the TC's work products (but do not contain work products directly). Both TC members and non-members are able to contribute to the repositories, but in order to do so, you must sign a Contributor License Agreement (CLA): https://www.oasis-open.org/resources/open-repositories/cla . This applies *even to TC members*.
>
>We welcome participation from other members of the TC (or even non-members who have an interest in the TC's work). Please use GitHub for any issues/enhancement requests for the code/schemas themselves. Feel free to respond to this email if you have questions about the process, etc.
>
>You can find the repositories here: https://github.com/oasis-open 
>
>Thanks,
>
>Greg Back
>MITRE
>
>---------------------------------------------------------------------
>To unsubscribe from this mail list, you must leave the OASIS TC that
>generates this mail.  Follow this link to all your TCs in OASIS at:
>https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
>




--

 



 

--

 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]