INRIA / spoon

Spoon is a metaprogramming library to analyze and transform Java source code. :spoon: is made with :heart:, :beers: and :sparkles:. It parses source files to build a well-designed AST with powerful analysis and transformation API.
http://spoon.gforge.inria.fr/

Scorecard of Spoon #5216

Open monperrus opened 1 year ago

monperrus commented 1 year ago

Google's Deps.Dev supports Open Source Security Foundation scorecard

https://deps.dev/maven/fr.inria.gforge.spoon%3Aspoon-core/10.3.0

Good news:

Bad news:

How to fix that?

monperrus commented 1 year ago

In particular, we should already have Signed-Releases and Pinned-Dependencies?

What's wrong here?

monperrus commented 1 year ago

"Signed-Releases": we have old releases with unsigned commits.

Possible solutions:

MartinWitt commented 1 year ago

On the list, an interesting point is https://google.github.io/clusterfuzzlite/. I always hear good feedback about fuzzing, maybe it is time to try it for spoon?

MartinWitt commented 1 year ago

@monperrus you as the owner have to apply here: https://bestpractices.coreinfrastructure.org/en. Then we should get 10 instead of 2 points in the category.

monperrus commented 1 year ago

> you as the owner have to apply here: bestpractices.coreinfrastructure.org/en.

done.

should we add the badge to the README?

MartinWitt commented 1 year ago

Hey, I updated our scorecard, and now we have 94%, see https://bestpractices.coreinfrastructure.org/en/projects/7377/edit. If you have a different opinion on some fields, feel free to change them.

> should we add the badge to the README?

We can include it yes.

monperrus commented 4 months ago

Trusty score computed by trustypkg.dev, from stacklok https://www.trustypkg.dev/maven/fr.inria.gforge.spoon%3Aspoon-core

Score 6.8, green, seems good

monperrus commented 1 week ago

OpenSSF Best Practices: https://www.bestpractices.dev/en/projects/7377

We are almost perfect.

There is still a bug with https, and we would need some accepted dynamic analysis.