
[Technical Initiative Funding Request]: UI/UX support for attestations on software repos #424

Open
1 task done
di opened this issue Dec 16, 2024 · 0 comments
Labels
administration For Review TI Funding Request Quarterly TI requests for funding. Needs 5 approvals, 7d review.

Comments


di commented Dec 16, 2024

Technical Initiative

Securing Repositories Working Group

Lifecycle Phase

Graduated

Funding amount

$144,000

Problem Statement

Software repositories like npmjs.org, pypi.org and rubygems.org have begun supporting the publishing of attestations (SLSA build provenance and/or publish attestations) on the repositories themselves.

Attestation documents are served via an API to make them easily machine-readable, but for human consumers, attestations and their corresponding signing certificates contain a lot of information, which the average user is unfamiliar with and which has varying degrees of usefulness.

As a result, displaying attestations to a user via a web interface is challenging: it’s necessary to ensure that important information from within the attestation (like the upstream source repository, build infrastructure, etc) is surfaced to the user in a way that is both meaningful and clearly trustworthy. Additionally, this new UI/UX must be added to the existing interface that software repos already have.

Who does this affect?

Users who consume attestations from software repositories that support them.

Have there been previous attempts to resolve the problem?

Currently, repositories that support attestations have added UI/UX around attestations with minimal (if any) guidance from UI/UX staff. These interfaces are a minimal best effort and are less-than-ideal user experiences, partly due to the lack of UI/UX support, and partly due to the nascent feature that attestations represent and the lack of much prior art in how they should be displayed to an end user.

Additionally, the UI/UX is not consistent between multiple repositories, which may cause user confusion when moving from one ecosystem to another.

Examples:

Why should it be tackled now and by this TI?

We’re at a point where more repositories are interested in adding support for attestations. If we can pre-empt this work by providing a style guide, and aligning existing implementations, we likely will have a better outcome in the way that users perceive and consume attestations.

If we don’t do this work now, we run the risk of each implementation having a sub-par UI/UX, which may impact user perception and overall adoption of attestations.

Additionally, by providing a style guide, we are making it easier for repositories that do not support attestations to do the work to support them & provide a consistent UI.

Give an idea of what is required to make the funding initiative happen

We propose that the OpenSSF fund UI/UX work to:

  • Create a style guide for displaying Sigstore-signed attestations and SLSA build provenance to an end user
    • To be provided as a guide by the Securing Software Repos WG
  • Improve the existing UI/UX of software repositories that provide attestations

We propose contracting a UI/UX designer to:

  • Perform UI/UX research on attestations
  • Create a style guide and publish it at repos.openssf.org
  • Work 1:1 with repositories to implement the style guide

What is going to be needed to deliver this funding initiative?

A UI/UX engineer.

Are there tools or tech that still need to be produced to facilitate the funding initiative?

No.

Give a summary of the requirements that contextualize the costs of the funding initiative

The costs are estimated at a $150 hourly rate for a UI/UX designer to perform the following tasks:

  • 5 weeks: Perform UI/UX research on attestations
  • 5 weeks: Create a style guide and publish it at repos.openssf.org
  • 14 weeks: Work 1:1 with repositories to implement the style guide
    • 6 weeks: PyPI.org implementation
    • 6 weeks: RubyGems.org implementation
    • 2 weeks: npmjs.com (provide guidance)

Who is responsible for doing the work of this funding initiative?

We recommend Ian Taylor, [email protected] (RubyGems designer) and/or https://kabucreative.com/ (previous PyPI UI/UX contractor) depending on availability and rates.

The PSF has previously used Simply Secure (now branded SuperBloom) for a pip UX study: https://simplysecure.org / https://superbloom.design

Who is accountable for doing the work of this funding initiative?

Dustin Ingram, co-chair of Securing Repos Working Group

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

Zach Steindler, co-chair of Securing Repos Working Group

What license is this funding initiative being used under?

Code of Conduct

  • I agree to follow the OpenSSF's Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

  • T+5 weeks: UI/UX research on attestations is complete
  • T+5 weeks: Style guide is published at repos.openssf.org
  • T+6 weeks: PyPI.org implementation complete
  • T+6 weeks: RubyGems.org implementation complete
  • T+2 weeks: npmjs.com guidance provided

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

TBD by the selected contractor.

Edit: formatting
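The problem statement above says a repository UI must pull the few fields a human cares about (upstream source repository, build infrastructure, which artifact is covered) out of a verbose attestation. The following is an added example, not code from this proposal or from any of the named repositories, of what that "surface the meaningful fields" step looks like for a SLSA Provenance v1 statement. The statement itself is a constructed sample whose values (`example-org/example-pkg`, the `example.invalid` builder URLs, the repeated-byte digests) are placeholders; the field layout follows the in-toto Statement v1 and SLSA Provenance v1 specifications. Signature and certificate verification are assumed to have happened before this code runs; it only decides what to show and refuses to summarise statement types it does not understand.

```python
"""Summarise a SLSA Provenance v1 statement for display to a human.

Added example (not part of the OpenSSF proposal). Assumes the statement has
already been signature-verified; this code only selects the user-facing
fields and checks that the attestation covers the artifact being displayed.
"""
import json

STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample statement; all names, URLs and digests are placeholders.
SAMPLE_STATEMENT = json.dumps({
    "_type": STATEMENT_V1,
    "subject": [{
        "name": "example_pkg-1.2.3-py3-none-any.whl",
        "digest": {"sha256": "ab" * 32},
    }],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/buildtypes/ci/v1",
            "externalParameters": {
                "workflow": {
                    "repository": "https://github.com/example-org/example-pkg",
                    "ref": "refs/tags/v1.2.3",
                    "path": ".github/workflows/release.yml",
                }
            },
            "resolvedDependencies": [{
                "uri": "git+https://github.com/example-org/example-pkg@refs/tags/v1.2.3",
                "digest": {"gitCommit": "cd" * 20},
            }],
        },
        "runDetails": {
            "builder": {"id": "https://example.invalid/builders/ci/v1"},
            "metadata": {"invocationId": "https://example.invalid/runs/12345"},
        },
    },
})


class UnsupportedAttestation(ValueError):
    """Raised for statement or predicate types the UI does not know how to render."""


def summarize_provenance(statement_json: str) -> dict:
    """Return only the fields a repository UI should show for this statement."""
    stmt = json.loads(statement_json)
    # Refuse anything that is not a statement/predicate pair we can interpret;
    # rendering unknown fields as if they were trustworthy is worse than nothing.
    if stmt.get("_type") != STATEMENT_V1:
        raise UnsupportedAttestation(f"unknown statement type {stmt.get('_type')!r}")
    if stmt.get("predicateType") != SLSA_V1:
        raise UnsupportedAttestation(f"unknown predicate type {stmt.get('predicateType')!r}")
    subjects = stmt.get("subject") or []
    if len(subjects) != 1:
        raise UnsupportedAttestation("expected exactly one subject artifact")

    pred = stmt.get("predicate", {})
    build_def = pred.get("buildDefinition", {})
    run = pred.get("runDetails", {})
    workflow = build_def.get("externalParameters", {}).get("workflow", {})

    # Source repository: prefer the declared workflow repository, otherwise the
    # first git+ resolved dependency (the checked-out source).
    source = workflow.get("repository")
    commit = None
    for dep in build_def.get("resolvedDependencies", []):
        uri = dep.get("uri", "")
        if uri.startswith("git+"):
            source = source or uri[len("git+"):].split("@", 1)[0]
            commit = dep.get("digest", {}).get("gitCommit")
            break

    return {
        "artifact": subjects[0].get("name"),
        "sha256": subjects[0].get("digest", {}).get("sha256"),
        "source_repository": source,
        "source_ref": workflow.get("ref"),
        "source_commit": commit,
        "builder_id": run.get("builder", {}).get("id"),
        "build_invocation": run.get("metadata", {}).get("invocationId"),
    }


def covers_artifact(summary: dict, expected_sha256: str) -> bool:
    """True only if the attestation's subject digest matches the file on display.

    A UI must not present provenance next to a file unless this holds; the
    statement may be valid yet describe a different artifact.
    """
    return bool(summary.get("sha256")) and summary["sha256"] == expected_sha256.lower()


if __name__ == "__main__":
    s = summarize_provenance(SAMPLE_STATEMENT)
    for key, value in s.items():
        print(f"{key:>18}: {value}")
    print("covers displayed file:", covers_artifact(s, "ab" * 32))
```

The two checks at the boundaries are the ones that matter for a user-facing page: the type checks stop the UI from rendering a statement it cannot interpret as if it were a provenance claim, and `covers_artifact` ties the rendered summary to the specific file the user is looking at rather than to the release as a whole.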

@steiza steiza added the TI Funding Request Quarterly TI requests for funding. Needs 5 approvals, 7d review. label Dec 17, 2024
@riaankleinhans riaankleinhans moved this from Submitted to Under TAC review in OpenSSF TI Funding Project Board Jan 15, 2025