More on spam countering efforts
FYI, we have implemented some simple spam countering mechanisms on the best practices badge application. Most trivially, whenever someone tries to create a project badge entry, they now see this: We'v
By David A. Wheeler · #568

Need some advice addressing "unfixable" publicly known vulnerabilities
Kevin Wall: For the *badging* application this shouldn't be a big problem. I believe the criteria always talk about "exploitable" vulnerabilities of certain kinds as being unacceptable, not just vulne
By David A. Wheeler · #566

Did logins change because of the CII-Badges new spam defenses?
Kevin W. Wall: No, absolutely not. I just logged in with a local account & it worked fine. That's mysterious. I just tried the "forget password" with a local account, and it worked fine. That shouldn'
By David A. Wheeler · #563

Projects totals for last month impacted by spam countering efforts
Some of you may have noticed that the “Total Projects” went down last month (2855 to 2852), but the number of projects at 25%+ went up (1089 to 1114). The explanation is that we’ve been working to del
By David A. Wheeler · #561

Suggestions on countering spammers?
Mark Rader: I don't think that will be enough of a deterrent. The spammers are already willing to do an email confirmation. One possibility would be to *require* a repo URL, and then require that it r
By David A. Wheeler · #559

Suggestions on countering spammers?
Mark Rader: Good idea, but for local accounts we already do that, and I believe GitHub also requires email validation for their accounts. So we're going to have to go beyond that. --- David A. Wheeler
By David A. Wheeler · #556

Suggestions on countering spammers?
Sadly, spammers have started to add nonsense "projects" to the CII Best Practices site at a higher rate than before. It appears to be all SEO-related fraud. I suppose that was inevitable, and I guess
By David A. Wheeler · #554

Proposal: Use CVSS version 3, not version 2, in CII Best Practices measures
Here's a pull request that tries to resolve the CVSS issues: https://github.com/coreinfrastructure/best-practices-badge/pull/1367 It's more text than I'd like, but my goal was to be 100% clear. For ex
By David A. Wheeler · #551

Proposal: Use CVSS version 3, not version 2, in CII Best Practices measures
Kevin Wall: Good point. I think that shouldn't be required, & it wasn't intended. I think we can solve that. But first, I think I'm required to note that anyone can calculate a CVSS score. NVD has a l
By David A. Wheeler · #550

Proposal: Use CVSS version 3, not version 2, in CII Best Practices measures
A very few of our criteria mention CVSS (a method for estimating the risk from a vulnerability). For example, [dynamic_analysis_fixed] says this: CRITERION: "All medium and high severity exploitable v
By David A. Wheeler · #548

FYI: CII Best Practices badge site continues to get updates
FYI: We continue the work to keep the CII Best Practices badge site working smoothly. In particular, we've done a number of updates to keep things going over the last several months. You generally should
By David A. Wheeler · #546

CII Best Practices badge application not affected by EU GDPR "like" button issues
The Court of Justice of the European Union (ECJ) has ruled that online websites that embed a Facebook "Like" button are responsible for the data they send to Facebook and are liable for the same penal
By David A. Wheeler · #544

FYI: BadgeApp & omniauth vulnerability CVE-2015-9284 resolved by third-party fix
All, FYI. One component we use (omniauth) has a publicly-known vulnerability (CVE-2015-9284) that is still not fixed. To deal with this, we’ve taken unusual steps to eliminate the vulnerability’s effe
By David A. Wheeler · #541

CII Badge project - some recent URLs that discuss it
If you’re curious about the current status of the badge project, I have a useful summary in the presentation “Core Infrastructure Initiative (CII) Best Practices Badge in 2019” (2019-03-14) - https://
By David A. Wheeler · #537

FYI: Rails upgrade for BadgeApp
FYI: In our effort to keep the Best Practices Badge website running smoothly, we just upgraded from the Rails 5.1 to Rails 5.2 (specifically version 5.2.2). If you notice a problem, please let us know
By David A. Wheeler · #535

C++ static analysis tools for CII badge
Daniel Heckhenberg: > Daniel and David, you've both clarified the essential point: analysis tools detect errors or potentially error-prone code which only become identified vulnerabilities in larger c
By David A. Wheeler · #533

C++ static analysis tools for CII badge
Daniel Stenberg: I think that is the usual case. Use tools & tests so potential problems can be found & fixed before release. Since they aren't in a release, those normally potential problems do not n
By David A. Wheeler · #531

StackStorm got a passing badge... and made it clear that some people care about badges
All: StackStorm received a passing badge earlier this year. I had an interaction with them that you might find interesting - in particular, it shows that there are people who care whether or n
By David A. Wheeler · #524

Over 2000 projects now participating in the CII Best Practices badge!
We’ve hit a milestone – we now have over 2000 projects participating in the CII Best Practices badge! You can see the statistics here: https://bestpractices.coreinfrastructure.org/en/project_stats My
By David A. Wheeler · #523

"Introduction to the CII best practices badge" video now posted to Youtube!
There's a new video on Youtube, "Introduction to the CII best practices badge", at: https://youtu.be/JMptmhV06j8 As you can probably guess, it provides a brief (11 1/2 minute) introduction/overview ab
By David A. Wheeler · #521