

Subject: Re: [openc2] OpenC2 Agenda Item for August 16; Github repositories


There's not much to add here, but note:

1) Everyone making (substantial) contribution to any OASIS Open Repository has to sign the Individual CLA (OASIS members and non-OASIS-Members).  That's because the licensing is entirely different (under rules different than OASIS IPR Policy and OASIS TC Process).

2) Initially, an open repo Maintainer will be nominated from the sponsoring TC, but the technical lead can be a non-OASIS party.  Documentation: "The proposal should identify one or more TC members willing and otherwise qualified to serve as initial Maintainer(s) for any Open Repository. Ideally, such person(s) would have substantial experience with GitHub or similar distributed version control system. Alternatively, if the TC members have informal commitment from someone outside the TC who could serve as the key technical lead, plans could be drafted to approve that person as lead Maintainer once the project has been launched...."

3) I spotted draft language for the proposed Yuuki repo, and it seems just fine to me (as implementation of "plans", if someone like Josh would not be an OASIS / TC member at the time of taking a key leadership role) ::   "...The initial maintainer of the openc2-yuuki shall be Mr. Dave Kemp (National Security Agency) with Mr. Joshua Brule acting as the technical lead (University of Maryland)...."

That's it!  We try to keep it all simple and inviting...

- Robin Cover
[in this setting: OASIS GitHub Administrator]


On Tue, Aug 8, 2017 at 10:45 AM, Chet Ensign <chet.ensign@oasis-open.org> wrote:
Hi Allan, 

Excellent question. I've cc'ed Robin so he can provide more detail. In a nutshell though, I'll note a couple of related points: 

- The TC must elect the first Maintainer from among the TC members. 

- Any non-OASIS Maintainers must first sign an OASIS Contributor License Agreement before they can be appointed Maintainers (or indeed, have pull requests approved or do anything else that injects substantive content into the Open Project repo). 

The CLA commits them to the open project license chosen by the TC, not the OASIS IPR Mode. So due diligence will still be needed to ensure anything that the TC might wish to incorporate into a work product is safe to use. However, their signing the CLA provides the same level of commitment to their contributions as any other open source project would have. 

Hope this helps, 

/chet


On Tue, Aug 8, 2017 at 11:21 AM, Allan Thomson <athomson@lookingglasscyber.com> wrote:
Joe – I would be concerned about non-OASIS members contributing code if they have not agreed to the IPR rules of OASIS.

Code maintenance could be strongly tied to introducing IP into the code base of the repos either inadvertently or deliberately.

Can the individuals or organizations they represent sign the IPR rules of OASIS?

Otherwise whatever code they maintain may be rendered ineffective due to concerns over IP adoption.

Allan Thomson
CTO
+1-408-331-6646
LookingGlass Cyber Solutions <http://www.lookingglasscyber.com/>

On 8/8/17, 8:13 AM, "openc2@lists.oasis-open.org on behalf of Mr. Joe Brule" <openc2@lists.oasis-open.org on behalf of jmbrule@radium.ncsc.mil> wrote:

    All,

    Recall that there will be an OpenC2 TC meeting on August 16 at 11:00 eastern and 21:00 eastern.

    One of the agenda items will be whether or not to accept resolutions to form eight github repositories.  In the interest of time, we will present it as a single motion and request unanimous consent.   The motion will carry provided there are no objections from either the 11:00 or 21:00 meeting.

    There will be two related motions to accept non OASIS members as maintainers for their code.  (Adam Bradbury from Zepko and Josh Brule from University of Maryland).  BTW, per an email communication with Chet Ensign and Robin Cover, it is OK to have a non-OASIS person maintain code on an open repository provided the TC agrees to it.

    The purpose of this email is to address any issues in advance of the meeting.

    All of you should have access to the openc2-oasis/admin/DraftResolutions directory (located at https://drive.google.com/drive/folders/0B-FunCZrr-vtRFlkemZETVl5dzA ).  You will see all eight resolutions in word format and a single googledocs file named OpeC2Codebase. I pasted the contents of all eight resolutions at the end of this email for your convenience. Please contact me if you have any comments/ issues so that we can resolve them in advance.


    Thank you

    Very respectfully,



    Joe Brule

    ===== tear line =====

    Preamble:
    Whereas the OpenC2 Technical Committee
    ●   was chartered to address matters as they pertain to command and control of cyber defense technologies, and
    ●   the charter directed the committee to maintain a library of prototype implementations, and
    ●   the charter specifies that the effort shall be developed in a manner that is language and message fabric agnostic,

    Then be it resolved:
    An OASIS GitHub repository known as the openc2-yuuki shall be formed.

    With a purpose of:
    ●   Demonstrating the implementation of OpenC2 via multiple dispatch on type, and
    ●   Provision a codebase to enable other prototype efforts.

    With the description of:
    Openc2-yuuki; Yuuki is a python package for building an OpenC2 proxy.  Yuuki utilizes multiple dispatch on type and supports updating of actuators without interrupting the operations of the orchestrator or other actuators.  Yuuki is compatible with python version 2.7

    With the initial execution of:
    Openc2-yuuki shall be an open source effort in accordance with the Apache 2.0 open source license.  The initial codebase will be imported from the OpenC2 Forum’s Github repository.  The initial maintainer of the openc2-yuuki shall be Mr. Dave Kemp (National Security Agency) with Mr. Joshua Brule acting as the technical lead (University of Maryland).


    ===== tear line ====

    Preamble:
    Whereas the OpenC2 Technical Committee
    ●   was chartered to address matters as they pertain to command and control of cyber defense technologies, and
    ●   the charter directed the committee to maintain a library of prototype implementations, and
    ●   the charter specifies that the effort shall be developed in a manner that is language and message fabric agnostic,

    Then be it resolved:
    An OASIS GitHub repository known as the Orchestrator for Intelligent Defense (openc2-orchid) shall be formed.

    With a purpose of:
    ●   creating a simple, modular application programming interface to accept OpenC2 commands and convert them to python actions, and
    ●   Provision a codebase to enable other prototype efforts.

    With the description of:
    Openc2-orchid; Orchid is an OpenC2 proxy built in Django 1.10.2. Orchid aims to provide a simple, modular API to begin accepting OpenC2 commands and converting them into Python actions.

    With the initial execution of:
    Openc2-orchid shall be an open source effort in accordance with the Apache 2.0 open source license.  The initial codebase will be imported from the OpenC2 Forum’s Github repository.  The initial maintainer of the openc2-orchid shall be Mr. Dave Kemp (National Security Agency) with Mr. Adam Bradbury acting as the technical lead (Zepko Corporation).

    ===== tear line ====

    Preamble:
    Whereas the OpenC2 Technical Committee
    ●   was chartered to address matters as they pertain to command and control of cyber defense technologies, and
    ●   the charter directed the committee to maintain a library of prototype implementations, and
    ●   the charter specifies that the effort shall be developed in a manner that is language and message fabric agnostic,

    Then be it resolved:
    An OASIS GitHub repository known as openc2-reactor-master shall be formed.

    With a purpose of:
    ●   demonstrating how OpenC2 can be deployed as a means to manage and administrate geographically disparate networks, and
    ●   Provision a codebase to enable other prototype efforts.

    With the description of:
    Openc2-Reactor-master; Reactor-master provides a way to administrate multiple reactor-relay deployments. It provides an OpenC2 API to send commands to downstream relays, as well as a way for analysts to manually send commands to capable actuators deployed on client's sites that wouldn't be accessible directly from the internet.

    With the initial execution of:
    Openc2-Reactor-master shall be an open source effort in accordance with the Apache 2.0 open source license.  The initial codebase will be imported from the OpenC2 Forum’s Github repository.  The initial maintainer of the openc2-orchid shall be Mr. Dave Kemp (National Security Agency) with Adam Bradbury (Zepko Corporation) acting as the technical director.

    ===== tear line ====



    Preamble:
    Whereas the OpenC2 Technical Committee
    ●   was chartered to address matters as they pertain to command and control of cyber defense technologies, and
    ●   the charter directed the committee to maintain a library of prototype implementations, and
    ●   the charter specifies that the effort shall be developed in a manner that is language and message fabric agnostic,

    Then be it resolved:
    An OASIS GitHub repository known as openc2-reactor-relay shall be formed.

    With a purpose of:
    ●   demonstrating how OpenC2 can be deployed as a means to manage and administrate geographically disparate networks, and
    ●   Provision a codebase to enable other prototype efforts.

    With the description of:
    Openc2-reactor-relay; Reactor-relay provides a simple, modular API for accepting OpenC2 commands and converting them into Python actions.  Reactor-relay can be administered by non-technical staff. It allows the end user to link profile code to OpenC2 commands and actuators, and handles credential storage.

    The relay is called by an upstream Orchestrator (See reactor-master), the idea is, that an enterprise has multiple sites and clients, with different capabilities and network layouts, by allowing engineers to create a topology of "Relays" commands can be routed to multiple sites from a central server, without the need for that central server to connect into each actuator directly. (i.e. remote access as root to a webserver from the internet).

    Relays provide a way for us to define specific use cases and actuators per client, and provide a secure ip-locked TLS channel to execute those actions.

    With the initial execution of:
    Openc2-reactor-relay shall be an open source effort in accordance with the Apache 2.0 open source license.  The initial codebase will be imported from the OpenC2 Forum’s Github repository.  The initial maintainer of the openc2-orchid shall be Mr. Dave Kemp (National Security Agency) with Mr. Adam Bradbury as the technical lead (Zepko Corporation).


    ===== tear line ====



    Preamble:
    Whereas the OpenC2 Technical Committee
    ●   was chartered to address matters as they pertain to command and control of cyber defense technologies, and
    ●   the charter directed the committee to maintain a library of prototype implementations, and
    ●   the charter specifies that the effort shall be developed in a manner that is language and message fabric agnostic,

    Then be it resolved:
    An OASIS GitHub repository known as openc2-ocas shall be formed.
    With a purpose of:
    ●   demonstrating how OpenC2 can be developed as an Erlang/OTP application (http://www.erlang.org), and
    ●   maintaining a library of prototype implementations, and
    ●   establish a codebase to enable other prototype efforts.

    With the description of:
    Openc2-ocas; OpenC2 API Simulator (ocas) is an erlang/OTP application written in Erlang to demonstrate and exercise the OpenC2 specification. Ocas is a viable simulator for testing OpenC2 code, scenarios and use cases and may be used as a template for developing actual OpenC2 applications (i.e. augment the simulator code to actually perform the security functionality commanded).
    Erlang is especially suited for concurrent and parallel computing needed for security applications in cloud deployments. Erlang has been used by industry for applications that provide nine 9's or greater of reliability. Erlang scales particularly well for complex network simulations because concurrency and message passing are a fundamental of the language.

    With the initial execution of:
    Openc2-ocas shall be an open source effort in accordance with the Apache 2.0 open source license. The initial codebase will be imported from the OpenC2 Forum's Github repository. The initial maintainer of the openc2-ocas shall be Mr. Duncan Sparrell (s-Fractal Consulting LLC).
    ===== tear line ====


    Preamble:
    Whereas the OpenC2 Technical Committee
    ●   was chartered to address matters as they pertain to command and control of cyber defense technologies, and
    ●   the charter directed the committee to maintain a library of sample commands, schema, prototype validation code, and
    ●   the charter specifies that the effort shall be developed in a manner that is language and message fabric agnostic,
    Then be it resolved:
    An OASIS GitHub repository known as openc2-jadn shall be formed.
    With a purpose of:
    ●   providing an abstract schema that is independent of serialization, and
    ●   Provision a codebase for unit testing, validation of commands and conversion of the abstract notation to various serializations.
    With the description of:
    JSON Abstract Data Notation (JADN) is a JSON document format for defining abstract schemas. Unlike concrete schema languages such as XSD and JSON Schema, JADN defines the structure of datatypes independently of the serialization used to communicate and store data objects. An encoder/decoder (codec) validates the structure of data objects against the JADN schema and serializes/deserializes objects using a specified message format.
    With the initial execution of:
    Openc2-jadn shall be an open source effort in accordance with the Apache 2.0 open source license.  The initial codebase will be imported from the OpenC2 Forum’s Github repository.  The initial maintainer of the openc2-jadn shall be Mr. David Kemp (National Security Agency).
    ===== tear line ====

    Preamble:
    Whereas the OpenC2 Technical Committee
    ●   was chartered to address matters as they pertain to command and control of cyber defense technologies, and
    ●   the charter directed the committee to maintain a library of prototype implementations, and
    ●   the charter specifies that the effort shall be developed in a manner that is language and message fabric agnostic,

    Then be it resolved:
    An OASIS GitHub repository known as the openc2-g2bsd shall be formed.

    With a purpose of:
    ●   Demonstrating the implementation of OpenC2 in a pub-sub environment, and
    ●   Provision a codebase to enable other prototype efforts.

    With the description of:
    Openc2-g2bsd; G2bsd demonstrates OpenC2 working within a pub/sub environment.
    This implementation is written in C and developed on HardenedBSD. Though the C code is operating system agnostic, the Makefiles are BSD style Makefiles and will need modification to enable building on Linux.

    With the initial execution of:
    Openc2-g2bsd shall be an open source effort in accordance with the BSD 3 open source license.  The initial codebase will be imported from the OpenC2 Forum’s Github repository.  The initial maintainer of the openc2-g2bsd shall be Mr. Danny Martinez (G2 Corporation).


    === tear line ====
    Preamble:
    Whereas the OpenC2 Technical Committee
    ●   was chartered to address matters as they pertain to command and control of cyber defense technologies, and
    ●   the charter directed the committee to maintain a library of prototype implementations, and
    ●   the charter specifies that the effort shall be developed in a manner that is language and message fabric agnostic,

    Then be it resolved:
    An OASIS GitHub repository known as the openc2-nsa-rd shall be formed.

    With a purpose of:
    ●   Demonstrating a java implementation of OpenC2, and
    ●   Provision java libraries to enable other prototype efforts.

    With the description of:
    Openc2-nsa-rd; NSA-RD is a java implementation that implements 15 OpenC2 actions issued to nine actuators.

    With the initial execution of:
    Openc2-nsa-rd shall be an open source effort in accordance with the Apache 2.0 open source license.  The initial codebase will be imported from the National Security Agency’s Github repository.  The initial maintainer of the openc2-nsa-rd shall be Mr. Dave Kemp (National Security Agency).










--

/chet 
----------------
Chet Ensign
Director of Standards Development and TC Administration 
OASIS: Advancing open standards for the information society
http://www.oasis-open.org

Primary: +1 973-996-2298
Mobile: +1 201-341-1393 



--
Robin Cover
OASIS, Director of Information Services
Editor, Cover Pages and XML Daily Newslink
Email: robin@oasis-open.org
Staff bio: http://www.oasis-open.org/people/staff/robin-cover
Cover Pages: http://xml.coverpages.org/
Newsletter: http://xml.coverpages.org/newsletterArchive.html
Tel: +1 972-296-1783

