Open planetf1 opened 3 months ago
The OpenSSF Best Practices badge can demonstrate that a project follows best practices.
I propose we consider this at an appropriate time for our PQCA projects (I went through this process in a previous project).

Looking at the link above, I see lots of opt-outs ("It is SUGGESTED"...) that I'd consider mandatory for security software. But then again, there are some sensible MUST statements... What about the suggestion to create concrete issues in liboqs for all badge line items the project does not yet pass (incl. the SUGGESTED ones)? We don't need to work on them right away, but maybe someone in the wider community may feel enticed to take some on before the "appropriate time" has come, thus saving the core team effort? Seems to relate to https://github.com/orgs/open-quantum-safe/discussions/1892 and https://github.com/open-quantum-safe/tsc/issues/1.