Open monperrus opened 1 year ago
In particular, we should already have Signed-Releases and Pinned-Dependencies?
What's wrong here?
"Signed-Releases": we have old releases with unsigned commits.
Possible solutions:
On the list, an interesting point is https://google.github.io/clusterfuzzlite/. I always hear good feedback about fuzzing, maybe it is time to try it for spoon?
@monperrus you as the owner have to apply here: https://bestpractices.coreinfrastructure.org/en. Then we should get 10 instead of 2 points in the category.
you as the owner have to apply here: bestpractices.coreinfrastructure.org/en.
done.
should we add the badge to the README?
Hey, I updated our scorecard, and now we have 94%, see https://bestpractices.coreinfrastructure.org/en/projects/7377/edit. If you have a different opinion on some fields, feel free to change them.
should we add the badge to the README?
We can include it yes.
Trusty score computed by trustypkg.dev, from stacklok https://www.trustypkg.dev/maven/fr.inria.gforge.spoon%3Aspoon-core
Score 6.8, green, seems good
OpenSSF Best Practices: https://www.bestpractices.dev/en/projects/7377
We are almost perfect.
There is still a bug with https, and we would need some accepted dynamic analysis.
Google's Deps.Dev supports Open Source Security Foundation scorecard
https://deps.dev/maven/fr.inria.gforge.spoon%3Aspoon-core/10.3.0
Good news:
Bad news:
How to fix that?