Core Infrastructure Initiative (CII) Best Practices

[ypid]

Proposal

Someone closely involved with the project could go thought the criteria and keep them up-to-date. I think you have a pretty good chance of meeting most criteria already 😉

References

• https://bestpractices.coreinfrastructure.org
• https://twit.tv/shows/floss-weekly/episodes/389

[rugk]

Good idea, so in case you need a way to tick the criteria:

• homepage_url
• description_good
• interact
• contribution
• contribution_requirements
• floss_license
• floss_license_osi
• license_location
• documentation_basics
• documentation_interface
• sites_https
• discussion
• english
• repo_public
• repo_track
• repo_interim
• repo_distributed
• version_unique
• version_semver
• version_tags
• release_notes
• release_notes_vulns (@marmarek: Are QSBs always mentioned in release notes?)
• report_process
• report_tracker
• report_responses
• enhancement_responses
• report_archive
• vulnerability_report_process
• vulnerability_report_private
• build
• build_common_tools (@marmarek: Does qubes-builder use "common tools"?)
• build_floss_tools
• test
• test_invocation (@marmarek: Please fill in all "test" and "warning" criteria met.)
• test_most
• test_continuous_integration
• test_policy
• tests_are_added
• tests_documented_added
• warnings
• warnings_fixed
• warnings_strict
• know_secure_design
• know_common_errors
• crypto_published
• crypto_call
• crypto_floss
• crypto_keylength
• crypto_working
• crypto_weaknesses (arguably qvm-backup still passes despite #971)
• crypto_pfs
• crypto_password_storage
• crypto_random
• delivery_mitm
• delivery_unsigned
• vulnerabilities_fixed_60_days
• vulnerabilities_critical_fixed
• no_leaked_credentials
• static_analysis (GSoC project)
• static_analysis_common_vulnerabilities (GSoC project)
• static_analysis_fixed (GSoC project)
• static_analysis_often (GSoC project)
• dynamic_analysis (GSoC project)
• dynamic_analysis_enable_assertions (GSoC project)
• dynamic_analysis_fixed (GSoC project)

Future Criteria

• installation_common (depends on how this applies to OSes)
• build_reproducible
• crypto_used_network
• crypto_tls12
• crypto_certificate_verification
• crypto_verification_private
• hardened_site
• hardening

So please tick the things you already meet.

[rugk]

Good idea, so in case you need a way to tick the criteria:

• homepage_url
• description_good
• interact
• contribution
• contribution_requirements
• floss_license
• floss_license_osi
• license_location
• documentation_basics
• documentation_interface
• sites_https
• discussion
• english
• repo_public
• repo_track
• repo_interim
• repo_distributed
• version_unique
• version_semver
• version_tags
• release_notes
• release_notes_vulns (@marmarek: Are QSBs always mentioned in release notes?)
• report_process
• report_tracker
• report_responses
• enhancement_responses
• report_archive
• vulnerability_report_process
• vulnerability_report_private
• build
• build_common_tools (@marmarek: Does qubes-builder use "common tools"?)
• build_floss_tools
• test
• test_invocation (@marmarek: Please fill in all "test" and "warning" criteria met.)
• test_most
• test_continuous_integration
• test_policy
• tests_are_added
• tests_documented_added
• warnings
• warnings_fixed
• warnings_strict
• know_secure_design
• know_common_errors
• crypto_published
• crypto_call
• crypto_floss
• crypto_keylength
• crypto_working
• crypto_weaknesses (arguably qvm-backup still passes despite #971)
• crypto_pfs
• crypto_password_storage
• crypto_random
• delivery_mitm
• delivery_unsigned
• vulnerabilities_fixed_60_days
• vulnerabilities_critical_fixed
• no_leaked_credentials
• static_analysis (GSoC project)
• static_analysis_common_vulnerabilities (GSoC project)
• static_analysis_fixed (GSoC project)
• static_analysis_often (GSoC project)
• dynamic_analysis (GSoC project)
• dynamic_analysis_enable_assertions (GSoC project)
• dynamic_analysis_fixed (GSoC project)

Future Criteria

• installation_common (depends on how this applies to OSes)
• build_reproducible
• crypto_used_network
• crypto_tls12
• crypto_certificate_verification
• crypto_verification_private
• hardened_site
• hardening

So please tick the things you already meet.

[andrewdavidwong]

Thanks, @rugk. I removed some duplicates, added some missing criteria, and filled in all the ones I know we meet (or are N/A).

[andrewdavidwong]

Thanks, @rugk. I removed some duplicates, added some missing criteria, and filled in all the ones I know we meet (or are N/A).

[andrewdavidwong]

Also added notes and messages for @marmarek.

[andrewdavidwong]

Also added notes and messages for @marmarek.

[ypid]

@rugk Great idea, thanks!

You could run the following on your comment above to link each criteria to it’s corresponding description with:

 sed --regexp-extended 's~^(-\s+\[[\sx]\]\s+)(\w+\>)~\1[\2](https://github.com/linuxfoundation/cii-best-practices-badge/blob/master/doc/criteria.md#\2)~;'

[ypid]

@rugk Great idea, thanks!

You could run the following on your comment above to link each criteria to it’s corresponding description with:

 sed --regexp-extended 's~^(-\s+\[[\sx]\]\s+)(\w+\>)~\1[\2](https://github.com/linuxfoundation/cii-best-practices-badge/blob/master/doc/criteria.md#\2)~;'

[rugk]

@ypid Good idea, your regexp did not work, but I've created and used a similar one.

[rugk]

@ypid Good idea, your regexp did not work, but I've created and used a similar one.

[jpouellet]

The static and dynamic analysis criteria should be addressed by this GSoC project (if @paraschetal's proposal is accepted and successful)

[jpouellet]

The static and dynamic analysis criteria should be addressed by this GSoC project (if @paraschetal's proposal is accepted and successful)