InnerSourceCommons / managing-innersource-projects

Managing InnerSource Projects book
https://innersourcecommons.gitbook.io/managing-innersource-projects/

Cross-link to OSSF guidance on source code management (SCM) configuration guidance? #72

Open JustinGOSSES opened 8 months ago

JustinGOSSES commented 8 months ago

OSSF has guidance on SCM management as well that's written from a security perspective: https://best.openssf.org/SCM-BestPractices/. It might be good to have bi-directional links with the InnerSource Commons SCM guidance on how to safely enable sharing/collaboration via configuration? The relevant Managing InnerSource Projects pages are: https://innersourcecommons.gitbook.io/managing-innersource-projects/innersource-tooling/github-configuration

The OSSF SCM guidance is mostly things I agree with. However, we might want to submit PRs to add a link from their guidance against forking to the content in this repo that explains when enabling forking is and is not appropriate? https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_allows_forking_repos.html This might help clarify the guidance for those reading the OSSF guidelines.

Similarly, there could be another sentence around creation of repositories that explains things a bit more. If read literally right now, it seems to suggest only enterprise admins can create any repository, which obviously doesn't work in practice. https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_allows_creating_public_repos.html

However, in general there's a lot of great stuff in their doc, so it would be impactful to link InnerSource Commons readers to it. Additionally, I think the ISC guidance helps people understand how to follow the security guidance without accidentally creating pain and toil for their users that doesn't actually provide security value.

JustinGOSSES commented 8 months ago

Need someone to review this and agree it's a good idea before starting any additional work.

JustinGOSSES commented 3 months ago

Merged #86 that adds a link to the OSSF source code configuration best practices doc.

Next step is to start a PR on the OSSF repo that adds a link back to this page: https://innersourcecommons.gitbook.io/managing-innersource-projects/innersource-tooling

JustinGOSSES commented 2 months ago

Added issue on OSSF repo. They said they are going to look into their policies to see if they can crosslink and report back.

JustinGOSSES commented 2 months ago

They have asked me to join their bi-weekly meeting to discuss: https://github.com/ossf/wg-best-practices-os-developers/issues/557

rrrutledge commented 2 months ago

🆒❗️ Thanks, Justin!