Should we allow a LICENSES/ directory as a way to implement criterion license_location?
The criterion “license_location” says: > The project MUST post the license(s) of its results in a standard location in their source repository. {Met URL} [license_location] Issue #1544 proposes to als
By David A. Wheeler · #613
FYI: Report on the 2020 FOSS Contributor Survey
FYI: The "Report on the 2020 FOSS Contributor Survey” has been released from the Linux Foundation & The Laboratory for Innovation Science at Harvard. Authors are: Frank Nagle (Harvard Business School)
By David A. Wheeler · #612
FYI: CII Best Practices badge recent minor updates
FYI, I thought it might be useful to summarize recent minor updates to the CII Best Practices badge. They don’t change anything substantive, but I wanted to make sure you were aware of them. Hopefully
By David A. Wheeler · #611
Proposed tweaks to CII Best Practices criteria
As mentioned earlier, several issues proposed tweaks to the CII Best Practices criteria or related text. Here are the pull requests that make those changes. Please note any last-minute issues, I inten
By David A. Wheeler · #609
FLOSS Weekly #609, CII Best Practices translations for Chinese & Swahili
FYI: I was on FLOSS Weekly #609 to talk about “Open Source Security”. It’s available here: https://twit.tv/shows/floss-weekly/episodes/609?autostart=false I pointed out the CII Best Practices badge, t
By David A. Wheeler · #608
Rebranding the "CII Best Practices badge" to the OpenSSF - see issue #1515
All: Now that the CII Best Practices badge is part of the OpenSSF, there needs to be a discussion about whether or not it should eventually be rebranded to specifically note the OpenSSF, and if so, wh
By David A. Wheeler · #607
Proposed tweaks to CII Best Practices criteria
We have several proposed tweaks to the CII Best Practices criteria or related text. Comments are very welcome in either the specific GitHub issue or here on the mailing list. Details below. --- David
By David A. Wheeler · #606
Free set of 3 courses on “Secure Software Development Fundamentals” now available!
All: There is now a *free* set of 3 courses on how to develop secure software, titled “Secure Software Development Fundamentals”. I wrote it, with lots of comments & help from others. Special thanks g
By David A. Wheeler · #604
Dan Kohn has died
All: I must bring you the sad news that Dan Kohn has died. Dan was a pioneer who helped many people. Among many other things, he oversaw the explosive growth of the Cloud Native Computing Foundation (
By David A. Wheeler · #602
Plan to modify assurance case format (more claims, use SACM notation) - any thoughts?
For the BadgeApp we include an “assurance case”, that is, a set of claims/arguments/evidence explaining why we think it’s secure. You can see the assurance case here: https://github.com/coreinfrastruc
By David A. Wheeler · #600
Rate limits for non-badge-image requests
Some overeager people are trying to spider the entire best practices site all at once. This can cause trouble for everyone else. Our current rate limits don’t trigger soon enough, because they cover *
By David A. Wheeler · #598
Proposed criteria introduction text
All: Here's some proposed criteria introduction text. Comments? It's lengthy, so I want to fix it up *before* our translators have to deal with it. The plan is to use this text to enable people to mor
By David A. Wheeler · #596
Rename route "/criteria"->"/criteria_stats", /criteria to display criteria
FYI: I intend to soon rename the route "/criteria" to "/criteria_stats". We can then use "/criteria" to display the actual criteria in the selected locale. This is technically a change in the user-vis
By David A. Wheeler · #595
Renaming whitelist->acceptlist, blacklist->denylist
All: Minor correction. The more common term seems to be "allowlist" not "acceptlist". E.g.: https://www.zdnet.com/article/linux-team-approves-new-terminology-bans-terms-like-blacklist-and-slave/ So I
By David A. Wheeler · #594
Renaming whitelist->acceptlist, blacklist->denylist
All: This pull request: https://github.com/coreinfrastructure/best-practices-badge/pull/1449 renames “whitelist” to “acceptlist” and “blacklist” to “denylist” everywhere in the CII Best Practices badge
By David A. Wheeler · #593
has anyone scripted doing updates to the CII site?
It uses TLS to authenticate the best practices server, as well as provide confidentiality & integrity between client & server. Login session management uses an HTTP cookie, not basic authentication. A
By David A. Wheeler · #592
has anyone scripted doing updates to the CII site?
On Wed, Aug 12, 2020 at 12:10 AM Tony Hansen <tony@...> wrote: ... > So I’d like a tool that could be used to do an identical update across a variety of CII projects. I’d like such a tool to take
By David A. Wheeler · #590
Software report on Zephyr notes CII Best Practices badge
All: Here's a team report, as part of an architecture class, where they examined open source software projects: https://se.ewi.tudelft.nl/desosa2019/ If you look at a part that discusses Zephyr: https
By David A. Wheeler · #588
CHAOSS Podcast #10 posted, notes the CII Best Practices Badge
All: CHAOSS Podcast #10 is now available, titled "Managing Risks and Opportunities in Open Source with Frank Nagle & David A. Wheeler". The hosts were Georg Link, Sean Goggins, and Kate Stewart. The p
By David A. Wheeler · #587
Mailing list server will be moving to the Linux Foundation Single Sign-On (SSO)
All: The CII mailing list service is expected to soon switch to the “Linux Foundation Single Sign-on (SSO)” system for logging in to the mailing list service. This is part of an LF effort to have *one
By David A. Wheeler · #586