Suggest registering for OpenSSF Best Practices badge #1901
Comments
👋 Hi @mspi21, thanks for opening an issue. This sounds like an interesting/worthwhile idea. Would you be interested in trying to make a checklist of the requirements and checking off the ones you think we already meet? That would be a nice way for someone to help cut down on the amount of work that would be involved in applying. If you don't have the time/interest to do that I will try myself when time permits.

Hi, thanks for your fast reply! That does sound reasonable, since I already have a good idea about the different requirements. At the moment, I am primarily focusing on finishing my thesis, but once I have some spare time on my hands, I'll definitely do my best to help out. :)

Understood :-) Best of luck finishing that up.
Hello 👋, since I've had some time, I have tried to summarize the requirements for the "passing" level of the badge (there's also the "silver" and "gold" levels, each requiring the previous to be achieved first). In most cases, I have filled out the "evidence" or required information indicating that the criterion is met (based on the responses from other projects), but in some cases I was not entirely sure. I'm sure other community members or the maintainer team will be able to provide insight on those. Here goes:

OpenSSF Best Practices Badge Criteria ('passing' level)

Basics
- Basic project website content
- FLOSS license
- Documentation
- Other

Change Control
- Public version-controlled source repository
- Unique version numbering
- Release notes

Reporting
- Bug-reporting process
- Vulnerability report process

Quality
- Working build system
- Automated test suite
- New functionality testing
- Warning flags

Security
- Secure development knowledge
- Use basic good cryptographic practices
- Secured delivery against man-in-the-middle (MITM) attacks
- Publicly known vulnerabilities fixed
- Other security issues

Analysis
- Static code analysis
- Dynamic code analysis
Thank you! I will review this shortly and see if I can fill in any of the TODOs/gaps. I appreciate you digging in.
@mspi21 This was very helpful, thanks again. I think 99% of your answers are spot on. It's validating to see that Rustls has already implemented the majority of these best practices. I went through and made some small edits where you had TODOs. Quick summary: Edits:
Adds:
In the future we could consider shoring up our static analysis coverage, but I'm not in a rush to try and change anything in this department just to check a checkbox :-) If the above looks good to folks I can kick off the submission.

I think clippy counts as static analysis, and we have local fuzzing setups as well as OSS-Fuzz for dynamic analysis. I don't really have any security credentials -- just a lot of experience building Rust software including things like rustls and Quinn.
I hate to write things like this, but:
Feel free to do any and all wordsmithing as desired, and consider everything in my LinkedIn profile public: https://www.linkedin.com/in/joseph-birr-pixton-56149856/

I've submitted our application.
Checklist
- OpenSSF, best practices or badge.

Is your feature request related to a problem? Please describe.
When developers are tasked with choosing a cryptographic library for their needs, they may want to ensure that a particular library is trustworthy and secure. While there is not a standard method to evaluate crypto libraries, there are some ways that a library can hint at its reliability. One of them is the OpenSSF Best Practices badge, which aims to certify good practices in OSS development. One example of a project which has obtained this badge is the ring library, which you are of course familiar with; another example is OpenSSL.
From what I was able to tell, the rustls project should meet most (if not all) of the criteria without any change, which is the main reason I am proposing to adopt this badge. It may not seem important, but there is scientific research (see https://dl.acm.org/doi/abs/10.1145/3180155.3180209) suggesting that displaying such badges correlates, for example, with more frequent PRs containing tests (apart from the obvious benefit of signaling trustworthiness to potential users).
Describe the solution you'd like
I would like the maintainers to consider if registering for the OpenSSF badge linked above is a good use of their time.
Describe alternatives you've considered
I have not considered any alternatives, as I'm not aware of any.
Additional context
This issue is motivated by my work on my bachelor's thesis, which aims to explore methods of evaluating the trustworthiness, security and usability of cryptographic libraries. If you're interested, I can provide you with a summary of the results when it is finished. The background of the OpenSSF (formerly CII) badge is explained in The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL.