
New Badges! Congrats!


David A. Wheeler

As you can see, we have great news - more projects have badges:

* c-ares: https://bestpractices.coreinfrastructure.org/projects/291 - a dependency of curl’s

* BRL-CAD: https://bestpractices.coreinfrastructure.org/projects/66

Christopher Sean Morrison (BRL-CAD) has posted some feedback, which I appreciate & will respond to separately.

But I don't want to lose sight of the main objective - we're getting more projects in, and more projects are getting badges.

--- David A. Wheeler


Daniel Stenberg

On Mon, 22 Aug 2016, Wheeler, David A wrote:

> * c-ares: https://bestpractices.coreinfrastructure.org/projects/291 - a dependency of curl's

I mentioned this to David in private already, but I have this vision that I would like curl (who reached 100% back in March) to also have all, or at least a significant portion, of its dependencies as "100% projects".

curl as a tool and library can be built to use an insane amount of different dependencies (it might be 21 different ones, many of them mutually exclusive).

Because, even if you can see one project be "sensible" and show off a 100% best practices badge, what is it actually worth to the end user if it uses N dependencies that are not?

--

/ daniel.haxx.se


Dale Visser

Perhaps this suggests a new criterion... In a quick look through all the criteria on a current badge, I don't see any specifically suggesting regular reviews of library/package dependencies.*

Best regards,
Dale Visser

[*] Perhaps leveraging automation tools like OWASP Dependency Check (https://www.owasp.org/index.php/OWASP_Dependency_Check) or bundler-audit (https://github.com/rubysec/bundler-audit).



Daniel Stenberg

On Tue, 23 Aug 2016, Visser, Dale wrote:

> Perhaps this suggests a new criterion... In a quick look through all the criteria on a current badge, I don't see any specifically suggesting regular reviews of library/package dependencies.*

Right, because our focus here is on a per-project basis.

Also, since most FOSS projects release source code and have many optional dependencies (including mutually exclusive ones), doing automatic scanning on dependencies for this purpose is not easy. Heck, we don't even have any "universal" info about which software projects may rely on another...

--

/ daniel.haxx.se


Dale Visser

Agreed. I'm not suggesting that we attempt to capture dependency information with the badge form.

What I am suggesting is adding a new criterion, or language to an existing criterion, calling out the importance of reviewing these dependencies. I'm not so concerned with *optional* dependencies as mandatory ones. I.e., I want to capture the importance of the good, hopefully "best", *practice* of checking not just your own code, but also reviewing your dependencies.
