Hi, Someone pointed me to this list of projects which maintain a list of "easy bugs" for beginners to work on, so that they can gain experience with contributing to the project: https://openhatch.org/

Hi! We should talk with the TODO Group about their input on best practices for running an open source project. TODO is a roundtable of Open Source Program Offices, as has such has a lot of experience

In pull request #1, Greg KH made this suggestion for a criterion: "Tests for major feature additions as without some kind of test being present, it's hard to verify if something new even works. This i

I would like to suggest not only the intrinsic value of privacy but that leaking data poses unique security challenges, therefore protecting user privacy is a valuable piece of criteria that ought to

An important issue is how to handle authentication. Below is our current plan, which may change (suggestions welcome). --- David A .Wheeler ===========================================================

Dear David and List, The current criteria (v 0.0.4) includes best practices on both quality and security. It sets requirements for a (self) certification program, but also gives recommendations and de

Here's a technical approach for implementing the "BadgeApp" application that I think would be useful. The goal is to make the application DRY by generating the form directly from the criteria text. Th

Wheeler, David A wrote >> [...] I suggest to deliberately ignore technical difficulties [...] > > If the bar is set too high, most projects will not try. > [...] > It really will be a challenge to avo

Trevor Vaughan and Bob Basques recently posted some comments about OSS badges and their criteria on a different mailing list. Their comments are reposted below. I have asked them to further discuss th

Dear David and list, I glued together some existing ideas and came up with two proposals, for implementing respectively precise rating and optional badges. Since at the moment this is not a priority,

Hi All, Just going through another round of edits and I came across the following criterion. 'It is RECOMMENDED that git users apply tags to releases'. I'm not familiar with version control software,

Hi All, The phrase 'A vulnerability is medium to high severity if its CVSS 2.0 base score is 4 or higher.' is used multiple times throughout the criteria. I've got a few ideas we could use to reduce t

Dear David and list, I came up with this list of proposed requirements and recommendations to be added to the current criteria. I would suggest only extracting or discussing valuable material (if anyt

First, a recap. Enos proposed: > VULNERABILITIES > Do not only measure efforts but also results: if too many > vulnerabilities are discovered (e.g. total CVSS points per number of > lines of code in a

Hi All, Been lurking for a few weeks, but enjoying the conversation. It’s REALLY nice to see some organized effort around the topic of best practices and code quality. As someone that has focused heav

Yay! there's a line about the badge (accreditation) project in this article .... http://www.techweekeurope.co.uk/security/security-management/linux-foundation-open-source-security-2-178653 "The CII al

hi everyone, looks like there's a lot of activity at the moment, there is currently a link on readme.md for the BadgeApp Implementation notes. I see that we now have the flair / badge on readme.md. Is

Hi David, I noticed that coding style guidelines are only a SHOULD. Colin Percival did an experiment with FreeBSD where he divided the code into 50% stylish / 50% not-stylish based on the code's consi

Here’s where I *think* we are going in terms of naming levels. First, the small badge (to show on GitHub, etc.) will show "cii best practices" - all lower case. Dan made the interesting observation th

There have been a number of code-level changes recently, including ones that I hope will make it easier for others to get involved. I documented in doc/INSTALL.md the steps to install a development en