Hear Tidelift VP of Product, Lauren Hanford introduce the Trusted Attestation and Compliance for Open Source (TACOS) framework, an open source project kept in alignment with the NIST SSDF (visit our GitHub here). TACOS is a machine-readable framework that makes it easy to self-attest and report on the development practices of the upstream open source packages .
This video clip comes from our on-demand webinar, how the NIST SSDF impacts open source software. In this webinar, Lauren and Senior Product Marketing Lead, Kanish Sharma discuss the NIST SSDF and how organizations can follow its guidance when they are building applications with open source software. You can watch the entire webinar on-demand here.
At Tidelift we've developed what we're calling TACOS, which is a Trusted Attestation and Compliance for Open Source framework. This is an open source project. It's available on GitHub and you can go read about it. We will be keeping it in alignment with the NIST SSDF, as any future enhancements come out. But essentially, this is a machine readable framework that makes it easy to self-attest and report on the development practices of upstream open source packages.
Again, we've open sourced the framework itself. We don't open source the data because we pay maintainers to generate that data. But we've taken this opportunity to really plant an early flag in the ground about what practices open source projects should be complying with and how we can assess that. And not only things that they may be doing, but the outcomes that they're driving as well.