Plan to modify assurance case format (more claims, use SACM notation) - any thoughts? (2 messages)
For the BadgeApp we include an “assurance case”, that is, a set of claims/arguments/evidence explaining why we think it’s secure. You can see the assurance case here: https://github.com/coreinfrastruc
By David A. Wheeler

Rate limits for non-badge-image requests (2 messages)
Some overeager people are trying to spider the entire best practices site all at once. This can cause trouble for everyone else. Our current rate limits don’t trigger soon enough, because they cover *
By David A. Wheeler

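As an added illustration of the problem described in the message above (this is example code written for this page, not the badge app's own rate limiting; the badge-image path pattern, the per-class limits and the simulated traffic are all assumptions), a sliding-window limiter that classifies each request as either a badge-image fetch or anything else and keeps a much tighter window for the latter, so a spider walking project pages is throttled long before it can affect other users:

```ruby
# Added example: per-request-class sliding-window rate limiting.
# Not the badge app's code; paths, limits and traffic are assumptions.
class RequestRateLimiter
  # Badge images are embedded in many READMEs, so they are fetched in
  # legitimate bursts and are cheap to serve. Everything else (project
  # pages, JSON, search) is what a spider hammers. The path pattern
  # below is an assumption made for this example.
  BADGE_IMAGE = %r{\A/projects/\d+/badge(\.svg)?\z}

  Limit = Struct.new(:max_requests, :window_seconds)

  DEFAULT_LIMITS = {
    badge: Limit.new(300, 60),  # assumed: generous for badge images
    other: Limit.new(30, 60)    # assumed: tight for everything else
  }.freeze

  def initialize(limits: DEFAULT_LIMITS)
    @limits = limits
    @hits = Hash.new { |h, k| h[k] = [] } # [ip, class] => timestamps
  end

  def classify(path)
    path.match?(BADGE_IMAGE) ? :badge : :other
  end

  # Returns :allow or :throttle for a request from `ip` to `path` at
  # time `now` (seconds). Each (ip, class) pair has its own window, so
  # badge-image traffic never counts against the non-badge budget.
  def check(ip, path, now)
    klass = classify(path)
    limit = @limits.fetch(klass)
    key = [ip, klass]
    window_start = now - limit.window_seconds
    @hits[key].reject! { |t| t <= window_start } # age out old hits
    if @hits[key].size >= limit.max_requests
      :throttle
    else
      @hits[key] << now
      :allow
    end
  end
end

# Simulate one client fetching `count` URLs 100 ms apart (constructed
# traffic, not real logs). Returns a tally of :allow / :throttle.
def simulate_spider(limiter, ip, count, path_template, start = 0.0)
  results = Hash.new(0)
  count.times do |i|
    path = format(path_template, i + 1)
    results[limiter.check(ip, path, start + i * 0.1)] += 1
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  limiter = RequestRateLimiter.new
  puts simulate_spider(limiter, '203.0.113.7', 100, '/projects/%d').inspect
  puts simulate_spider(limiter, '203.0.113.7', 100, '/projects/%d/badge').inspect
end
```

With a single shared bucket the limit has to be set high enough for badge-image bursts, which is exactly why a spider fetching project pages slips under it; splitting the budget by request class lets the non-badge limit be small without throttling badges embedded in READMEs.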
Projects that received badges (monthly summary)
This is an automated monthly status report of the best practices badge application covering the month 2020-08. Here are some selected statistics for most recent completed month, preceded by the same s
By badgeapp@...

Proposed criteria introduction text
All: Here's some proposed criteria introduction text. Comments? It's lengthy, so I want to fix it up *before* our translators have to deal with it. The plan is to use this text to enable people to mor
By David A. Wheeler

Rename route "/criteria"->"/criteria_stats", /criteria to display criteria
FYI: I intend to soon rename the route "/criteria" to "/criteria_stats". We can then use "/criteria" to display the actual criteria in the selected locale. This is technically a change in the user-vis
By David A. Wheeler

Renaming whitelist->acceptlist, blacklist->denylist (2 messages)
All: This pull request: https://github.com/coreinfrastructure/best-practices-badge/pull/1449 renames “whitelist” to “acceptlist” and “blacklist” to “denylist” everywhere in the CII Best Practices badge
By David A. Wheeler

has anyone scripted doing updates to the CII site? (4 messages)
I’m one of the many people working on the Linux ONAP (Open Networking Automation Platform) Project. We chose to pursue CII badges from the very beginning, but because of the size of the project, we ch
By Tony Hansen

Software report on Zephyr notes CII Best Practices badge
All: Here's a team report, as part of an architecture class, where they examined open source software projects: https://se.ewi.tudelft.nl/desosa2019/ If you look at a part that discusses Zephyr: https
By David A. Wheeler

CHAOSS Podcast #10 posted, notes the CII Best Practices Badge
All: CHAOSS Podcast #10 is now available, titled "Managing Risks and Opportunities in Open Source with Frank Nagle & David A. Wheeler". The hosts were Georg Link, Sean Goggins, and Kate Stewart. The p
By David A. Wheeler

Mailing list server will be moving to the Linux Foundation Single Sign-On (SSO)
All: The CII mailing list service is expected to soon switch to the “Linux Foundation Single Sign-on (SSO)” system for logging in to the mailing list service. This is part of an LF effort to have *one
By David A. Wheeler

Please participate in the LF CII / Harvard LIST FOSS Survey!
If you're a contributor to Free/Libre and Open Source Software (FOSS), please participate in the LF CII / Harvard FOSS survey! Here are more details, with a link at the bottom to the actual survey: ht
By David A. Wheeler

FYI: “The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL”
All: A recent paper looked at Heartbleed’s impact on OpenSSL: “The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL” by James Walden, 2020, https://arxiv.org/abs/2005.142
By David A. Wheeler

"Why CII best practices gold badges are important":
All - I thought you might like to know that I recently posted a blog post titled "Why CII best practices gold badges are important": https://www.linuxfoundation.org/blog/2020/06/why-cii-best-practices
By David A. Wheeler

The Linux kernel has earned a gold badge! (3 messages)
All: I want to formally congratulate the Linux kernel project for earning a gold badge!! You can see their details here: https://bestpractices.coreinfrastructure.org/en/projects/34 The Linux kernel ha
By David A. Wheeler

Should the badge app switch to a different translation management system (from translation.io)?
Georg Link has proposed that we switch from the translation.io translation management system to a different system (in particular, Weblate). If you have thoughts on such a potential change, or informa
By David A. Wheeler

Projects that received badges (monthly summary)
This is an automated monthly status report of the best practices badge application covering the month 2020-05. Here are some selected statistics for most recent completed month, preceded by the same s
By badgeapp@...

Proposal: Stop requiring X-XSS-Protection, require CSP with explanation, for criterion hardened_sites (4 messages)
I propose that for the "hardened_sites" criterion we stop requiring the HTTP header X-XSS-Protection, and that we require CSP & explain why. Here's the background. The Linux kernel is failing to meet
By David A. Wheeler

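As an added example of what the proposal above amounts to in code (written for this page, not the badge app's own checker; the set of headers inspected and the pass/fail rules are this example's assumptions, since the criterion text itself is not reproduced here), a small Ruby checker that treats Content-Security-Policy as required, inspects its script policy rather than merely its presence, and deliberately does not look at X-XSS-Protection at all:

```ruby
# Added example: a hardening-header check that requires CSP and ignores
# X-XSS-Protection. Not the badge app's code; the header set and rules
# are assumptions for this example.

# Parse a CSP header value into { directive => [source expressions] }.
# "default-src 'self'; script-src 'self' https://cdn.example" becomes
# { "default-src" => ["'self'"], "script-src" => ["'self'", "https://cdn.example"] }
def parse_csp(value)
  value.split(';').each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty?
    acc[tokens.first.downcase] = tokens.drop(1)
  end
end

# Return a list of findings (empty means the headers pass this example's
# policy). `headers` is a Hash of header name => value; names are matched
# case-insensitively because HTTP header names are.
def check_hardening(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  findings = []

  csp = h['content-security-policy']
  if csp.nil?
    findings << 'missing Content-Security-Policy'
  else
    directives = parse_csp(csp)
    # script-src falls back to default-src when absent, as in CSP itself.
    script = directives['script-src'] || directives['default-src']
    if script.nil?
      findings << 'CSP sets neither script-src nor default-src'
    elsif script.include?("'unsafe-inline'") &&
          script.none? { |v| v.start_with?("'nonce-", "'sha256-", "'sha384-", "'sha512-") }
      # A nonce or hash makes CSP-2 browsers ignore 'unsafe-inline';
      # without one the directive permits inline script, defeating CSP.
      findings << "CSP allows 'unsafe-inline' scripts without a nonce or hash"
    elsif script.include?('*')
      findings << 'CSP allows scripts from any origin (*)'
    end
  end

  findings << 'missing Strict-Transport-Security' unless h.key?('strict-transport-security')
  unless h['x-content-type-options'].to_s.strip.casecmp?('nosniff')
    findings << 'X-Content-Type-Options is not nosniff'
  end

  # X-XSS-Protection is deliberately not required: the browser-side filter it
  # controlled has been removed from major browsers, and a real CSP covers
  # script injection properly instead of heuristically.
  findings
end

# Constructed header sets, not captured from any real site.
WEAK_HEADERS = {
  'X-XSS-Protection' => '1; mode=block',
  'X-Content-Type-Options' => 'nosniff',
  'Strict-Transport-Security' => 'max-age=31536000'
}.freeze # would satisfy an X-XSS-Protection rule, but has no CSP

HARDENED_HEADERS = {
  'Content-Security-Policy' =>
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'X-Content-Type-Options' => 'nosniff',
  'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "weak:     #{check_hardening(WEAK_HEADERS).inspect}"
  puts "hardened: #{check_hardening(HARDENED_HEADERS).inspect}"
end
```

The point of parsing the policy instead of checking for the header's existence is that a CSP whose script policy is `'unsafe-inline'` or `*` is no stronger than no CSP; a checker that only looks for the header name would accept it.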
[EXT] [CII-badges] Proposal: Stop requiring X-XSS-Protection, require CSP with explanation, for criterion hardened_sites
This change makes perfect sense. Best, Jason N. Dossett, Ph.D. Research Staff Member Institute for Defense Analyses 4850 Mark Center Drive, Alexandria, VA 22311 Phone: 703-578-2773 Email: jdossett@...
By Jason Dossett

Projects that received badges (monthly summary)
This is an automated monthly status report of the best practices badge application covering the month 2020-04. Here are some selected statistics for most recent completed month, preceded by the same s
By badgeapp@...

Projects that received badges (monthly summary)
This is an automated monthly status report of the best practices badge application covering the month 2020-03. Here are some selected statistics for most recent completed month, preceded by the same s
By badgeapp@...