FYI: CII Best Practices badge site continues to get updates
David A. Wheeler
FYI: We continue the work to keep the CII Best Practices badge site working smoothly. In particular, we've done a number of updates to keep things going over the last several months. You generally should NOT notice these updates from the user side. If you're curious, I've listed below some of the updates we've done.
That's not including various functional refinements, such as inserting word breaks in the projects page (so the display is better on small screens).
As you can see by the recent progress email, the number of participating & passing projects continues to grow. My thanks to everyone!!
--- David A. Wheeler
====== DETAILS ======
* We've updated from PostgreSQL 9.4 to 11.5.
* We've updated from Ruby 2.5.1 to Ruby 2.6.3.
* Our test infrastructure (on CircleCI) uses an updated image. We had been running on an old Ubuntu 14.04 image. We're now running on a custom ruby:2.5.1-stretch image, and we have a posted Docker file to create the custom image.
* We continue to update individual libraries. This includes nokogiri, webmock, hashdiff, mini_mime, public_suffix, bundler, railroader, addressable, archive-zip, autoprefixer-rails, bindex, docile, ffi, gitlab, jwt, mime-types-data, and more.
* We've countered CVE-2015-9284 in omniauth. Unfortunately, at the time of this writing the omniauth folks STILL have not fixed it (!). That is, of course, very concerning. There is a shim by a third party that *does* fix it: omniauth-rails_csrf_protection. I reviewed the code and it looks okay. To provide a stronger guarantee that what I reviewed is what will be loaded, I'm specifying a specific hash reference. That's no guarantee, but it does make attacks harder to perform.
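As an added illustration (not code from the badge site, from OmniAuth, or from the omniauth-rails_csrf_protection shim), the pure-Ruby model below shows what CVE-2015-9284 is about and what the shim's check amounts to: the OmniAuth request phase (`/auth/:provider`) starts an OAuth flow on any GET, so a page on another site can start one on a logged-in victim's behalf and bind the attacker's provider account to the victim; the fix is to accept only a POST carrying a valid per-session authenticity token. The `AuthRequestPhase` class, the request hashes, the provider name and the redirect URL are all constructed for this example.

```ruby
require 'securerandom'

# Toy model of the OmniAuth request phase: a hit on /auth/:provider that
# redirects the browser to the provider to begin OAuth. Illustrative only.
class AuthRequestPhase
  TOKEN_KEY = '_csrf_token'.freeze

  # require_csrf_protection: false models the vulnerable default,
  # true models what the omniauth-rails_csrf_protection shim enforces.
  def initialize(require_csrf_protection:)
    @require_csrf_protection = require_csrf_protection
  end

  # Per-session CSRF token, created on first use; only a page rendered by
  # this site (same session) can embed it in a form.
  def csrf_token(session)
    session[TOKEN_KEY] ||= SecureRandom.hex(32)
  end

  # request: { method:, path:, params: }, session: Hash (constructed shapes).
  # Returns [status, headers].
  def call(request, session)
    provider = request[:path][%r{\A/auth/([a-z_]+)\z}, 1]
    return [404, {}] unless provider

    if @require_csrf_protection
      # A cross-site <img> or link can only produce a GET: refuse it.
      return [405, {}] unless request[:method] == 'POST'
      # A cross-site auto-submitting form can POST, but cannot read the token.
      return [403, {}] unless valid_token?(session, request[:params]['authenticity_token'])
    end

    # Either protection passed or (vulnerable mode) nothing was checked:
    # the OAuth flow starts. Hypothetical provider URL.
    [302, { 'Location' => "https://#{provider}.example/oauth/authorize" }]
  end

  private

  def valid_token?(session, submitted)
    expected = session[TOKEN_KEY]
    return false if expected.nil? || submitted.nil?
    secure_compare(expected, submitted.to_s)
  end

  # Constant-time comparison so a timing oracle cannot leak the token.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Forged request as an attacker's page would cause the victim's browser
# to send it: no token, because the attacker never saw the victim's page.
FORGED_GET = { method: 'GET', path: '/auth/github', params: {} }.freeze

# Vulnerable configuration: the forged GET starts the flow (302).
def vulnerable_flow_status
  app = AuthRequestPhase.new(require_csrf_protection: false)
  app.call(FORGED_GET, {}).first
end

# Protected configuration: forged GET, forged POST with a guessed token,
# and a legitimate POST from a form this site rendered. Expect [405, 403, 302].
def protected_flow_statuses
  app = AuthRequestPhase.new(require_csrf_protection: true)
  session = {}
  token = app.csrf_token(session) # embedded in the site's own login form
  forged_post = { method: 'POST', path: '/auth/github',
                  params: { 'authenticity_token' => 'guess' } }
  legit_post  = { method: 'POST', path: '/auth/github',
                  params: { 'authenticity_token' => token } }
  [FORGED_GET, forged_post, legit_post].map { |req| app.call(req, session).first }
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected, forged GET: #{vulnerable_flow_status}"
  puts "protected [forged GET, forged POST, legit POST]: #{protected_flow_statuses.inspect}"
end
```

The model mirrors the two things a request-phase CSRF defence has to do: reject the GET that a cross-site link or image can trigger, and demand a secret the attacker's origin cannot read. The pinning mentioned in the email is done in the Gemfile with Bundler's git source plus a `ref:` naming the reviewed commit, so Bundler refuses anything but that exact tree.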