@navicore
Last active December 14, 2025 01:33
Common Base CVE Help Foundation

Some notes wishing for an open solution to the problem Chainguard and Hummingbird are about.

Candidate Incubators & Hosts for a Boring Base Image Foundation

Evaluation Criteria

  • No VC entanglement
  • Strong legal governance
  • Experience hosting infrastructure projects
  • Cultural tolerance for boring work

1. Software Freedom Conservancy

Pros

  • Strong track record
  • Anti-capture governance
  • Legal expertise

Cons

  • Limited operational infrastructure

Fit: Excellent for governance-first incubation.

2. Apache Software Foundation (with constraints)

Pros

  • Proven governance model
  • Vendor-neutral reputation

Cons

  • Cultural bias toward growth
  • Risk of scope creep

Fit: Possible, but only with strict charter language.

3. NLnet / European Sovereign Tech Ecosystem

Pros

  • Public-interest funding
  • Long-horizon mindset
  • Infrastructure focus

Cons

  • Grant-based, not permanent host

Fit: Strong early funding partner.

4. Linux Foundation (Selective)

Pros

  • Operational scale
  • Industry participation

Cons

  • Corporate dominance risk

Fit: High risk unless anti-capture rules are ironclad.

5. Independent Non-Profit (New Entity)

Pros

  • Maximum control
  • Clean governance

Cons

  • Slower startup
  • Requires legal effort

Fit: Best long-term option if initial funding exists.

Recommendation

Start under an established non-profit for legal shelter, then transition to an independent foundation once stable.

Avoid any host requiring:

  • branding rights
  • roadmap influence
  • exclusive sponsorships

Year Zero Plan — Debian-Based Boring Base Images

Goal

Establish credibility through restraint, not scale.

Year Zero is about proving:

  • governance works
  • CVE response is real
  • scope stays small

Scope (Hard Limits)

Ship only:

  • base
  • base-slim
  • container-host (optional)

OCI images only in Year Zero. No desktops. No language stacks.

Staffing (Minimum Viable)

  • 1 security/CVE triage lead (part-time acceptable)
  • 1 build & release operator
  • Shared governance/admin support

Infrastructure

  • Git-based declarative image definitions
  • Debian stable + security + LTS
  • Reproducible builds (sbuild/pbuilder)
  • Public CI logs
  • Public SBOM generation

CVE Workflow

  1. Monitor Debian Security Tracker and NVD
  2. Triage within defined targets:
    • Critical: 72 hours
    • High: 7 days
  3. Publish rationale for all decisions
  4. Rebuild images on fix or mitigation

Release Cadence

  • Weekly rebuilds
  • Emergency rebuild path
  • Signed digests only
  • No silent changes

Transparency

  • Public funding ledger
  • Public CVE dashboard
  • Public roadmap (limited to maintenance)

Success Criteria

  • Images used quietly in production
  • No feature creep
  • No “enterprise” pressure
  • Trust earned through boredom

Explicit Risks

  • Underestimating CVE workload
  • Sponsor pressure
  • Scope creep

Mitigation: say “no” early and often.

Debian-Based Boring Base Images Foundation — Draft Charter

1. Purpose

The Foundation exists to provide long-lived, Debian-based OCI images and cloud ISOs with fast, transparent CVE response and boring operational stability.

This Foundation is explicitly not a distribution, platform, or product company. It exists to operate a narrow, critical layer of open infrastructure.

2. Core Principles

  • Artifacts are public goods
  • Security response over novelty
  • Governance before growth
  • Predictability over features
  • Debian-first, Debian-aligned

3. Non-Goals

The Foundation will not:

  • Ship proprietary artifacts
  • Offer “enterprise-only” images
  • Gate security fixes behind payment
  • Accept venture capital funding
  • Compete with Debian or other general-purpose distributions
  • Expand scope beyond base images and ISOs

4. Artifact Policy

  • All images and ISOs are:
    • Freely redistributable
    • Cryptographically signed
    • Immutable once released
  • No artifact may be withdrawn, paywalled, or relicensed after publication.
  • Reproducible builds are mandatory.

5. CVE Handling

  • CVE triage is a first-class responsibility.
  • Public CVE status must include:
    • affected
    • mitigated
    • not exploitable
    • deferred (with justification)
  • Version-based CVE counts are explicitly rejected as risk metrics.
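As an added example (not part of the gist), a small Python model of the Year Zero CVE workflow's triage targets and the charter's public status states: it flags missed 72-hour/7-day targets and decisions published without rationale, and reports dashboard counts by triage outcome rather than by package version. The type names, the sample feed, the timestamps and the placeholder CVE ids are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
TRIAGE_TARGETS = {"critical": timedelta(hours=72), "high": timedelta(days=7)}  # Year Zero targets
STATES = ("affected", "mitigated", "not exploitable", "deferred")  # charter section 5 states


@dataclass(frozen=True)
class CveEntry:
    cve_id: str                        # placeholder ids below, not real CVEs
    severity: str                      # "critical", "high", "medium", "low"
    seen: datetime                     # when the advisory appeared in the tracker feed
    status: str | None = None          # one of STATES once triaged, None while open
    decided: datetime | None = None    # when the public status entry was published
    rationale: str = ""                # published reasoning, required for every decision


def check_entry(entry: CveEntry, now: datetime) -> list[str]:
    """Return policy violations for one entry; an empty list means compliant."""
    problems = []
    target = TRIAGE_TARGETS.get(entry.severity)  # None for medium/low
    if entry.decided is None:                    # still open: only the clock matters
        if target is not None and now - entry.seen > target:
            problems.append(f"triage overdue ({entry.severity} target {target})")
        return problems
    if entry.status not in STATES:
        problems.append(f"unknown status {entry.status!r}")
    if not entry.rationale.strip():              # workflow step 3: rationale for every decision
        problems.append("decision published without rationale")
    if target is not None and entry.decided - entry.seen > target:
        problems.append(f"triage target missed ({entry.severity} target {target})")
    return problems


def dashboard(entries: list[CveEntry], now: datetime):
    """Counts by triage outcome (never by package version) plus violations keyed by id."""
    counts, violations = {s: 0 for s in (*STATES, "open")}, {}
    for e in entries:
        key = e.status if e.decided is not None else "open"
        counts[key] = counts.get(key, 0) + 1
        if problems := check_entry(e, now):
            violations[e.cve_id] = problems
    return counts, violations


T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)  # constructed sample feed: ids and times are made up
NOW = T0 + timedelta(days=8)
SAMPLE = [
    CveEntry("CVE-0000-0001", "critical", T0, "mitigated", T0 + timedelta(hours=20), "fixed in rebuild"),
    CveEntry("CVE-0000-0002", "high", T0, "deferred", T0 + timedelta(days=2)),  # no justification given
    CveEntry("CVE-0000-0003", "critical", T0, "not exploitable", T0 + timedelta(days=4), "path not built"),
    CveEntry("CVE-0000-0004", "high", T0),  # still open, past the 7-day target at NOW
]
```

Running `dashboard(SAMPLE, NOW)` reports one entry per state plus one open item, and flags the deferral without justification, the critical decision that took 96 hours, and the high-severity item still untriaged after 8 days.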

6. Funding Policy

Allowed:

  • Donations
  • Grants
  • Non-exclusive sponsorships
  • Operator membership fees (no special access)

Forbidden:

  • Venture capital
  • Exclusive sponsorship agreements
  • Feature-for-funding arrangements
  • Control tied to funding

7. Governance

  • Incorporated as a non-profit entity.
  • Board composition:
    • Debian Developers
    • Independent security experts
    • Downstream operators
  • No single organization may control a majority.
  • Board terms are limited.
  • All meetings and decisions are public by default.

8. Anti-Capture Provisions

  • Artifact licenses are irrevocable.
  • Governance changes require supermajority approval.
  • No trademark leverage over downstream users.
  • No certification or “approved vendor” programs.

9. Relationship to Debian

  • Debian is an upstream dependency and partner.
  • This Foundation assumes operational burdens Debian intentionally avoids.
  • No divergence without documented technical justification.

10. Dissolution

If the Foundation dissolves:

  • Artifacts remain public.
  • Trademarks are released.
  • Infrastructure is donated to a neutral non-profit.