I suggest we generate OpenSSF Scorecards for each project we add to PQCA (and consider the same for open-quantum-safe - I can open an issue there).
We are offering assets in the security space - cryptography. We have discussed assurance of those assets in algorithmic terms, but there are additional criteria relating to the management of the project in GitHub, packaging, dependencies, workflows, contributor diversity, and use of various tools.
Scorecards are becoming more discussed as we all worry about supply-chain security, and some organizations are using them as criteria for which projects can be used.
The tests can be done automatically in a GitHub Action to at least generate a local report - we can consider later how to share further.
I think by doing this we add credibility - even though initially we will likely fail on multiple criteria, it gives us a best-practice list to work to.
I have added this to the template repository projects may use for the hackathon (if starting from scratch) at template-code. It will identify some deficiencies, but this is to be expected when starting and provides one target to work to.
planetf1 changed the title from "Discuss having OpenSSF scorecard for member subprojects" to "OpenSSF scorecard for member subprojects" on Aug 19, 2024