David A. Wheeler
All: We have a new badge-holder: Bareflank hypervisor. Details:
It “aims to provide all of the scaffolding needed to rapidly prototype new hypervisors.”
Overall it looks good. It’s a GitHub-host project, so we already know how some of the questions typically get answered. It’s in C++. A few interesting points:
* For static analysis they use Clang-Tidy and Coverity.
* For the “Secure development knowledge” questions they justify their knowledge using linkedin URLs. I think that is an *awesome* way to make that justification – maybe we should even modify the “details” text to mention that as a way to do it. They’re the first to use a linkedin URL this way (see below for proof).
* They originally used a non-https URL for their project page, but that wasn’t necessary – they just needed to use their https URL instead, which is: <https://bareflank.github.io/hypervisor/>. We could detect “http://NAME.github.io/” and automatically upgrade projects to their https address, since that’s a special but common case.
* They have a clear vulnerability reporting process that *requires* reports to be made public. While that’s not the way I would personally do it, we *specifically* devised the criteria to permit this, because some projects do it that way… and they are quite clear about it.
They also have a video that lacks audio, but it still makes me want to try it out. Hey, I *like* playing with stuff :-).
--- David A. Wheeler
P.S. I’m not just guessing regarding linkedin. I ran this query, and this is the *only* matching record:
SELECT id,know_secure_design_justification,know_common_errors_justification FROM projects WHERE know_secure_design_justification LIKE '%linkedin%' OR know_common_errors_justification LIKE '%linkedin%';"
So this is an interesting first.