Open pnacht opened 8 months ago
I'm going to start off by saying scoring is the most opinionated part of Scorecard, and it's impossible to score things in a way that satisfies everyone. Which is part of the reason for structured/results/probes, so we can frame things differently for different audiences. I know we've talked about having different "policies" for Single-Maintainer,
> - Existing check: Requiring 2 reviewers for 10/10 in Branch Protection, which is very rare in open-source and simply impossible for nebraska-dev projects.
If the difference is between a 9 and a 10, I think that difference is small enough it already counts as "extra credit".
> Projects can earn "extra credit" for taking these "security-paranoid" steps.
I'm not sure I'd classify pinned dependencies as security-paranoid.
> This is part of the reason for the "disconnect" between what a Scorecard score means and what it feels like (https://github.com/ossf/scorecard/issues/2466) – a 7.0/10 feels like a C-, but is actually an A/A+ (top 7% of relevant projects, top 0.2% of all projects). Either solution would lead to an overall increase in projects' Scorecard scores, which would help to close the gap between a score's meaning and sensation.
I think this is combining two distinct things. Just because a repo is in a high percentile doesn't mean there aren't improvements to be made.
This issue has been marked stale because it has been open for 60 days with no activity.
Is your feature request related to a problem? Please describe.
There are some existing checks and feature requests which are a huge lift for many/most projects.
For example:
Likewise, other checks are more controversial:
This is part of the reason for the "disconnect" between what a Scorecard score means and what it feels like (#2466) – a 7.0/10 feels like a C-, but is actually an A/A+ (top 7% of relevant projects, top 0.2% of all projects).
Describe the solution you'd like
Projects can earn "extra credit" for taking these "security-paranoid" steps.
This could happen in two ways:
Either solution would lead to an overall increase in projects' Scorecard scores, which would help to close the gap between a score's meaning and sensation.