LF Badging Program for OPNFV project


Sona Sarmadi <sona.sarmadi@...>
 

Emily, David, all


My name is Sona Sarmadi, and I am one of the OPNFV security members. I am leading the LF Badging Program for the OPNFV project, and I have created some tasks in Jira for all the criteria/items we need to check:
https://jira.opnfv.org/browse/SECURITY-24?jql=labels%20%3D%20LF-Badging-Program


I have some questions:
1) When we check each criterion, is this limited only to OPNFV's own code, configuration and changes, or does it also cover all the other upstream projects on which OPNFV heavily depends?
Ex:
https://jira.opnfv.org/browse/SECURITY-24 Publicly-known vulnerabilities fixed

Shall I check for critical publicly known vulnerabilities in OPNFV-specific code only, or in other upstream projects such as OpenStack, OpenDaylight, KVM etc. (dependent libraries / upstream components used) as well?

2) When we are done with all the issues, should we create a report? Or will the LF Badging Program just run a program/script to check that all criteria are fulfilled?

Thanks
//Sona


Sona Sarmadi <sona.sarmadi@...>
 

Hi guys,

I have got the questions below from some people; could someone please help me with these:

1) When an open source project fills in the "CII best practices" form (https://bestpractices.coreinfrastructure.org/projects/new), does the Linux Foundation check that the project really meets all the requirements/criteria?

2) Does the LF regularly (e.g. yearly) audit projects which have received badges to ensure that they still meet all the requirements/criteria set by the CII best practices?

Thanks
//Sona

-----Original Message-----
> From: Wheeler, David A [mailto:dwheeler@ida.org]
> Sent: 23 March 2016 20:39
> To: Sona Sarmadi <sona.sarmadi@enea.com>
> Cc: dankohn@linux.com
> Subject: RE: LF Badging Program for OPNFV project
>
> Sona - Thanks SO MUCH for this work!
>
> Quick response: answer primarily for your own project. EVERYONE
> depends on other things.
>
> --- David A. Wheeler


David A. Wheeler
 

Sona Sarmadi [mailto:sona.sarmadi@enea.com]:
I have got the questions below from some people; could someone please help me with these:
1) When an open source project fills in the "CII best practices" form (https://bestpractices.coreinfrastructure.org/projects/new), does the Linux Foundation check that the project really meets all the requirements/criteria?
No. As documented on the front page, "Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice." <https://bestpractices.coreinfrastructure.org/>

This is further discussed in the introduction to the criteria here:
https://github.com/linuxfoundation/cii-best-practices-badge/blob/master/doc/criteria.md
"We have chosen to use self-certification, because this makes it possible for a large number of projects (even small ones) to participate. There's a risk that projects may make false claims, but we think the risk is small, and users can check the claims for themselves."

In addition to making all info public (allowing others to check the claims):
* we use an "autofill" process to automatically fill in some values - and in some cases we *force* those values.
* we *do* spot-check, especially if a project says it has a badge (100%) or has very low percentages (suggesting it's nonsense).
* if someone reports a specific problem (e.g., via an issue tracker), we would check it out. We *can* override badge entries - or delete them entirely - if they're just nonsense. Generally we've been doing that to counter link spam.

In some cases we do *mandate* that there be some justifying text or URLs. I can easily see that being required in more cases in the future.


2) Does the LF regularly (e.g. yearly) audit projects which have received badges to ensure that they still meet all the requirements/criteria set by the CII best practices?
See above. We're working to improve the automatic analysis, and expect to be adding or modifying criteria, so people will have to revisit the criteria annually anyway... which would have some of the same effect.

Like many other things, this is a trade-off.

Third-party evaluations can be very beneficial, but they also have problems. They tend to be expensive, so who pays? If it's the supplier (a common situation), the evaluator really works for the supplier, and that creates a lot of potential problems (what do you mean I don't get the badge? I'm paying you!). The payment already greatly reduces the number of potential projects that could participate.

I could imagine a future higher-level badge where the self-assertions are then verified by a third party.

We don't have all the answers. Instead, we've made what we hope is a useful step, and are asking for feedback to make it better.

--- David A. Wheeler


David A. Wheeler
 

I said:
The payment already greatly reduces the number of potential projects that could participate.
I meant to say:
The payment would greatly reduce the number of potential projects that could participate.
--- David A. Wheeler