FYI: CII Best Practices badge recent minor updates

David A. Wheeler

FYI, I thought it might be useful to summarize recent minor updates to the CII Best Practices badge. They don’t change anything substantive, but I wanted to make sure you were aware of them.

Hopefully they show that we continue to maintain the project. As always, help is welcome. Details below!

--- David A. Wheeler



* We’ve tweaked some of the criteria text to make them clearer, after creating proposed tweaks and giving time for people to review those tweaks. We want the text to be as clear as possible! For more information:
* When a vulnerability is discovered in a component we use, we update it, and
  we have tools to help notify us. For example, redcarpet was updated in
* We mention US export control law requirements. This isn’t a badge requirement, but it’s a
  legal requirement that can trip up some OSS developers. We want to
  help developers stay out of unnecessary legal trouble! Details here:
* As noted earlier, we’ve just added Swahili. There’s a lot of translation left to actually do.
* If you know natural languages other than English, as always we’d love your help.
  To help translators, we recently posted information for translators at:
* We made some minor performance improvements.
  Session cookies are no longer sent in certain cases.
  The list of “bad passwords” (passwords local users aren’t allowed to use) has been moved from
  memory to the database. We have limited memory in production & there’s no need for this
  list to use so much memory when we can put it in the database instead. Details here:

Over the holidays I worked to upgrade a lot of its infrastructure.
We don’t want to fall too far behind, because when a vulnerability is found we want to be
able to immediately update to fix it. For example:

* We upgraded our OS infrastructure from ubuntu-16 to ubuntu-20.
* We upgraded from PostgreSQL 11.5 to PostgreSQL 12 (the current supported version on Heroku).
* We switched to cimg-based Docker images for use on CircleCI during testing. The old format is deprecated.

We want to update from Rails 5.X to Rails 6.X. We’ve made progress, but we’re not done
with the steps necessary to be able to try that.
The problem is that we used two gems (libraries) that aren’t compatible with Rails 6.

We’ve fixed one problem by removing the gem fastly-rails as noted here:
That was more work than expected. They recommend switching to the “fastly” gem
(aka “fastly-ruby”), but fastly-ruby is not designed to support multi-threading (WHAT?!).
So we had to modify our code to directly call the Fastly API instead.

I’ve confirmed that much of the *application* code now works with Rails 6 (other than logout, oddly).
However, there appears to be at least one more step. For system testing we currently depend on the
gem minitest-rails-capybara, which does *not* support Rails 6. The recommended approach is to
switch to Rails' standard system testing approach (which I believe did not exist when we
started this project). I don’t expect any fundamental roadblocks; we’ll just need to take
time to switch the system test infrastructure and tests to the updated API.
It’s possible there will be problems switching to Rails 6 after that, but hopefully they’ll be small.
We’re not done fixing the infrastructure to move to Rails 6, but we are making progress.

You can see lots more detail here: