BlockchainCommons / Community

Discussions & shared documents for stakeholders in Blockchain Commons

Project: Document Best Practices for Secure Software Open Development #129

Open shannona opened 2 years ago

shannona commented 2 years ago

This is another project that would be good for a team with mixed skills, and does not require deeper software engineering experience (but at least one should have experience with build processes).

Various organizations (Linux Foundation, Google, etc.) have offered guidance as to the practices of security, supply chain, etc., but also emphasize enterprise and OS supply chain use cases. There are also a number of automated tools (apps, GitHub actions, etc.) that can be used to audit on some of these.

However, many are not practical for smaller projects, especially the emerging blockchain security repos, where only a few people may be contributing.

The goal of this project is to survey the existing recommended practices, best practices of various important security projects (including Blockchain Commons practices), etc., to identify which address the biggest threats given the effort (threat analysis), are practical for small projects to implement, which we might be able to offer some documentation and examples of how best to install and use, and guidance to contributors to small projects on how to tool and support these practices (like docs teaching git signing for writers contributing documentation to a secure repo).

Related to: reproducible builds, scripts for protecting master branch, etc. What are our best practices and what do we recommend to other parties (especially for our CLI apps) @nochiel
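As an added illustration of the "scripts for protecting master branch" and "git signing" items above (example code, not Blockchain Commons code): a small audit that reads `git log --format='%H %G? %GF'` output and flags every commit that is not carrying a good signature from an allowlisted key fingerprint. It is the kind of check a small project can run in CI before merging to a protected branch. The sample log, hashes and fingerprints below are constructed for illustration; the `run_git_log` helper is an assumed convenience wrapper around the real `git log` command.

```python
"""Audit a range of commits for good signatures from allowlisted keys.

Input format is the output of
    git log --format='%H %G? %GF' <base>..<tip>
where %G? is git's signature-status code (G = good, B = bad, U = good but the
key is untrusted, X = good but expired, Y = good but key expired, R = good but
key revoked, E = cannot check, N = no signature) and %GF is the fingerprint of
the signing key. Full fingerprints are compared, never short key ids, because
short ids are cheap to collide.
"""
import subprocess
from dataclasses import dataclass

# Constructed sample log: hashes and fingerprints are made up for illustration.
SAMPLE_LOG = """\
a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 G 0123456789ABCDEF0123456789ABCDEF01234567
b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1 N
c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2 G FEDCBA9876543210FEDCBA9876543210FEDCBA98
d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3 U 0123456789ABCDEF0123456789ABCDEF01234567
"""

# Constructed allowlist: fingerprints of the maintainers' signing keys.
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, but key is not trusted in the verifying keyring",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature could not be checked (missing key?)",
    "N": "unsigned commit",
}


@dataclass
class CommitStatus:
    sha: str
    status: str
    fingerprint: str
    ok: bool
    reason: str


def parse_log(text):
    """Split '<sha> <status> <fingerprint>' lines; unsigned commits have no fingerprint."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(" ", 2)
        sha = parts[0]
        status = parts[1] if len(parts) > 1 else "N"
        fpr = parts[2].strip().upper() if len(parts) > 2 else ""
        rows.append((sha, status, fpr))
    return rows


def check_commit(sha, status, fpr, trusted):
    """A commit passes only with status G and a fingerprint on the allowlist."""
    if status != "G":
        return CommitStatus(sha, status, fpr, False,
                            STATUS_MEANING.get(status, "unknown signature status"))
    if fpr not in {t.upper() for t in trusted}:
        return CommitStatus(sha, status, fpr, False,
                            "good signature, but key fingerprint is not on the allowlist")
    return CommitStatus(sha, status, fpr, True, "good signature from an allowlisted key")


def audit(text, trusted=TRUSTED_FINGERPRINTS):
    return [check_commit(sha, status, fpr, trusted) for sha, status, fpr in parse_log(text)]


def violations(text, trusted=TRUSTED_FINGERPRINTS):
    """Commits that must block a merge to the protected branch."""
    return [c for c in audit(text, trusted) if not c.ok]


def run_git_log(rev_range):
    """Assumed helper: fetch the log for a real range, e.g. 'origin/master..HEAD'."""
    return subprocess.run(
        ["git", "log", "--format=%H %G? %GF", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    for c in violations(SAMPLE_LOG):
        print(f"REJECT {c.sha[:12]}: {c.reason}")
```

In CI the same check is `violations(run_git_log("origin/master..HEAD"))`, exiting non-zero if the list is non-empty; the allowlist would be committed to the repo (or held in CI secrets) and the CI runner's keyring must import the maintainers' public keys, otherwise every commit reports `E` rather than `G`.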

shannona commented 2 years ago

If someone is interested in this, also consult @ChristopherA and myself about some documents that we have in-process regarding Open Development.