Add proposed project scorecards #196
Conversation
Split table to move externals and tooling Signed-off-by: Ry Jones <ry@linux.com>
Signed-off-by: Ry Jones <ry@linux.com>
|
Yes. For now it will show a "missing project" bug: 
|
|
I would be tempted to focus the effort on resolving issues arising from the first few scorecards (and evaluating the value of that) before taking on scorecards for all the projects. |
|
Seconding the comment by @dstebila above and repeating my concerns from the unmerged PR regarding this on liboqs I consider it premature publishing results of "security score cards" before a) they have been done and b) before there's an agreed-upon plan to mitigate/resolve findings -- particularly for a project doing (at the face of it) security software. Already for the existing score cards the question: Are there issues in github showing the path to score improvement? Are those issues assigned people to implement them? Did these people agree on a timeline when to land these improvements? If this does not exist, you'd accept publishing bad scores for an infinite time. That I'd call corrosive for a project's reputation: If I were looking at this as a person responsible for deciding whether to use OQS or develop my own PQ software in-house, I'd surely opt for the second seeing these results. |
|
Getting liboqs clean was the first step we agreed to. Nearly there (I have some doc updates). open-quantum-safe/tsc#27 can track rolling this out to more repos - I think the next target should be oqsprovider If there's concern about publishing the results
|
I adamantly object to that until there's more committed and achieved contributors and at least two more committed maintainers to that sub project. |
|
I mentioned oqsprovider since it's a super asset & I know it's being used. There's plenty to do so will work through the other items, then we'll be in a better state to review any impacts/concerns |
Per this issue, provisionally add scorecards