Add proposed project scorecards #196
Conversation
Split table to move externals and tooling
Signed-off-by: Ry Jones <ry@linux.com>
@ryjones This is proactively adding the links to the badges, which will be available when the actual scorecard work is in place?
I would be tempted to focus the effort on resolving issues arising from the first few scorecards (and evaluating the value of that) before taking on scorecards for all the projects.
Seconding the comment by @dstebila above and repeating my concerns from the unmerged PR regarding this on liboqs, I consider it premature to publish results of "security score cards" before a) they have been done and b) before there's an agreed-upon plan to mitigate/resolve findings -- particularly for a project doing (on the face of it) security software. Already for the existing score cards, the questions are: Are there issues in github showing the path to score improvement? Are those issues assigned to people to implement them? Did these people agree on a timeline for when to land these improvements? If this does not exist, you'd accept publishing bad scores for an infinite time. That I'd call corrosive for a project's reputation: If I were looking at this as a person responsible for deciding whether to use OQS or develop my own PQ software in-house, I'd surely opt for the second seeing these results.
Getting liboqs clean was the first step we agreed to. Nearly there (I have some doc updates). open-quantum-safe/tsc#27 can track rolling this out to more repos - I think the next target should be oqsprovider. If there's concern about publishing the results
I adamantly object to that until there's more committed and achieved contributors and at least two more committed maintainers to that sub project.
I mentioned oqsprovider since it's a super asset & I know it's being used. There's plenty to do, so will work through the other items, then we'll be in a better state to review any impacts/concerns.
Per this issue, provisionally add scorecards