Wiki page on impacts


David A. Wheeler
 

I’d like to collect stories of any changes OSS projects have made to get a badge.

 

If you know of any, please edit this wiki page:

https://github.com/linuxfoundation/cii-best-practices-badge/wiki/Impacts

(Let me know if the permissions aren’t set for this to work.)

 

 

I don’t expect *every* project to make changes to get a badge.  Badges are also useful for users to know how a project stands, even if a project didn’t need to make any changes.  But I’d like to start recording when changes *do* happen.

 

--- David A. Wheeler

 


Kevin W. Wall
 

David,

Do you also want to know changes we have made (thus far) for the sole purpose of pursuing a badge not yet obtained? Because, I may not be able to recall all of them once we finally arrive, as there are some, like adding -Xlint:all to the javac compilation flags in Maven, that are going to take a _long_ time to resolve.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/.   | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.


On Aug 11, 2016 4:33 PM, "Wheeler, David A" <dwheeler@...> wrote:

I’d like to collect stories of any changes OSS projects have made to get a badge.

 

If you know of any, please edit this wiki page:

https://github.com/linuxfoundation/cii-best-practices-badge/wiki/Impacts

(Let me know if the permissions aren’t set for this to work.)

 

 

I don’t expect *every* project to make changes to get a badge.  Badges are also useful for users to know how a project stands, even if a project didn’t need to make any changes.  But I’d like to start recording when changes *do* happen.

 

--- David A. Wheeler

 




David A. Wheeler
 

Kevin W. Wall:
Do you also want to know changes we have made (thus far) for the sole purpose of pursuing a badge not yet obtained? Because, I may not be able to recall all of them once we finally arrive, as there are some, like adding -Xlint:all to the javac compilation flags in Maven, that are going to take a _long_ time to resolve.

Absolutely! Yes! Please!

I want your project to get a badge, but even if you haven't (yet), the pursuit has hopefully caused you to make some positive improvements. It's those improvements, caused by the badging process, that I'm trying to capture.

The *real* goal isn't really a badge. The real goal is (1) to encourage projects to do good things so they produce better/more secure software, and (2) to help users know if those good things are actually getting done. But since that's painful to deal with abstractly, it's much easier to focus on badges. However, I'd like some evidence that at least the first part is really happening. If *no* project changed, that'd be a sign that the criteria are far too easy. I want to have evidence that the badge is actually causing some projects to change, and the more evidence, the better.

--- David A. Wheeler