ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

Discussion: New check: dependency good practices #2531

Open laurentsimon opened 1 year ago

laurentsimon commented 1 year ago

The Go team mentioned that they would be interested in Scorecard surfacing information about dependencies (https://pkg.go.dev/about#best-practices): tagged version, stable version, etc.

Since we typically have a hard time linking a source repo to a package, this is something which is hard for Scorecard in general. Another difficulty is that Scorecard looks at a commit, and not all commits correspond to a package / tag.

In cases where we have a strong link between the repo and the package (doable in Go for many packages), we could maybe surface how many of the past N releases were stable. This would be useful for consumers to know.

Note that all this could be added to the Packaging check, instead of creating a new one.

laurentsimon commented 1 year ago

Note that a link for PyPI packages will become available once OIDC integration is complete: https://github.com/ossf/scorecard/issues/688#issuecomment-1028144622

Such an integration is also under way for Dart packages.

laurentsimon commented 1 year ago

Code pointers:

Has go.mod file: github.com/golang/pkgsite/blob/8996ff632abee854aef1b764ca0501f262f8f523/internal/fetch/fetch.go#L100

Redistributable license: https://github.com/golang/pkgsite/blob/a3a009e12ea183c9e6e1abd028f5e091c9fb2601/internal/fetch/package.go#L221

Tagged and stable versions: https://github.com/golang/pkgsite/blob/f4542b7b0481da19db091c78b565f88c87ceb2ef/internal/frontend/main.go#L196-L197
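To make the proposal concrete (the "how many of the past N releases were stable" idea in the opening comment, and the tagged/stable distinction the pkgsite pointers above refer to), here is an added example that is not Scorecard's or pkgsite's code. It assumes the classification rules from the pkg.go.dev best-practices wording: a tag is a "tagged version" if it is a valid Go module semver tag (v-prefixed), and a "stable version" if it is tagged, has major version >= 1 and carries no pre-release suffix. The tag list is a constructed sample, assumed to be ordered newest first as a repo client would return it; only the Go standard library is used.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// semverTagRe matches Go module version tags of the form vMAJOR.MINOR.PATCH,
// optionally followed by a pre-release suffix (-rc.1) and build metadata (+meta).
var semverTagRe = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$`)

// Release describes how one tag is classified.
type Release struct {
	Tag        string
	Major      int
	Prerelease string
	Tagged     bool // tag is a valid Go module semver version
	Stable     bool // tagged, major version >= 1, and no pre-release suffix
}

// ClassifyTag decides whether a tag counts as a "tagged version" and as a
// "stable version". The criteria are assumptions modelled on the pkg.go.dev
// best-practices wording, not Scorecard's or pkgsite's own logic.
func ClassifyTag(tag string) Release {
	r := Release{Tag: tag}
	m := semverTagRe.FindStringSubmatch(tag)
	if m == nil {
		return r // e.g. "nightly-2023-01-01", or "1.0.0" without the v prefix
	}
	major, err := strconv.Atoi(m[1])
	if err != nil {
		return r // absurdly large major number: treat as not a usable tag
	}
	r.Tagged = true
	r.Major = major
	r.Prerelease = m[4]
	r.Stable = major >= 1 && r.Prerelease == ""
	return r
}

// Summary counts the outcome over the releases considered.
type Summary struct {
	Considered int
	Tagged     int
	Stable     int
}

// SummarizeRecent looks at the newest n tags (the slice is assumed to be
// ordered newest first) and reports how many are tagged and how many are
// stable. Fewer than n tags, or a non-positive n, are handled without panicking.
func SummarizeRecent(tags []string, n int) Summary {
	var s Summary
	if n < 0 {
		n = 0
	}
	if n > len(tags) {
		n = len(tags)
	}
	for _, tag := range tags[:n] {
		r := ClassifyTag(tag)
		s.Considered++
		if r.Tagged {
			s.Tagged++
		}
		if r.Stable {
			s.Stable++
		}
	}
	return s
}

func main() {
	// Constructed sample tag list, newest first (hypothetical, not from any real module).
	tags := []string{"v1.2.0", "v1.2.0-rc.1", "v0.9.0", "nightly-2023-01-01", "v2.0.0", "v1.1.0"}
	s := SummarizeRecent(tags, 5)
	fmt.Printf("of the last %d releases, %d are tagged and %d are stable\n",
		s.Considered, s.Tagged, s.Stable)
	for _, tag := range tags {
		r := ClassifyTag(tag)
		fmt.Printf("  %-20s tagged=%-5v stable=%v\n", tag, r.Tagged, r.Stable)
	}
}
```

A real check would still need the strong repo-to-package link the thread discusses; the summary above only makes sense once the tags are known to belong to the module being scored, which is why the comment suggests folding it into the existing Packaging check rather than scoring tags in isolation.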

diogoteles08 commented 1 year ago

PyPI already implemented the OIDC integration. The issue #2761 is closely related to this issue, and talks specifically about recognizing the OIDC integration on Scorecard.

github-actions[bot] commented 1 year ago

Stale issue message - this issue will be closed in 7 days

github-actions[bot] commented 10 months ago

This issue is stale because it has been open for 60 days with no activity.