pq-code-package / tsc

PQ Code Project Technical Steering Committee resources
https://pq-code-package.github.io/tsc/
Creative Commons Attribution 4.0 International

Discuss having OpenSSF scorecard for member subprojects #14

Open planetf1 opened 4 months ago

planetf1 commented 4 months ago

I suggest we generate OpenSSF Scorecards for each project we add to PQCA (and consider the same for open-quantum-safe - I can open an issue there).

We are offering assets in the security space - cryptography. We have discussed assurance of those assets in algorithmic terms, but there are additional criteria relating to the management of the project in github, packaging, dependencies, workflows, contributor diversity, and use of various tools.

Scorecards are becoming more discussed as we all worry about supply-chain security, and some organizations are using them as criteria for which projects can be used.

The tests can be done automatically in a GitHub Action to at least generate a local report - we can consider later how to share it further.

I think by doing this we add credibility. Even though initially we will likely fail on multiple criteria, it gives us a best-practice list to work to.
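The workflow described in the comment above (run Scorecard in a GitHub Action and keep the report local for now), as an added example that is not part of the original issue or of any PQCA repository. It assumes the default branch is named `main`, uses the `ossf/scorecard-action`, `actions/checkout`, `actions/upload-artifact` and `github/codeql-action/upload-sarif` actions at the version tags shown (in practice pin them to commit SHAs, which Scorecard's Pinned-Dependencies check itself looks for), and sets `publish_results: false` so nothing is sent to the public Scorecard API until the project decides to share.

```yaml
# .github/workflows/scorecard.yml (added example; not a PQCA project file)
name: OpenSSF Scorecard

on:
  # Re-run when branch protection settings change, since they feed several checks.
  branch_protection_rule:
  # Weekly run so the report tracks drift in dependencies and workflows.
  schedule:
    - cron: '30 4 * * 1'
  push:
    branches: [ "main" ]   # assumption: default branch is 'main'

# Least privilege by default; individual jobs widen only what they need.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # needed to upload SARIF to code scanning
      id-token: write          # needed by the action to sign its own run
      contents: read
      actions: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Run Scorecard
        uses: ossf/scorecard-action@v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Local report only; flip to true once the project agrees to publish.
          publish_results: false

      - name: Keep the raw report as a build artifact
        uses: actions/upload-artifact@v4
        with:
          name: scorecard-sarif
          path: results.sarif
          retention-days: 5

      # Surfaces each failing check as a finding in the repo's Security tab,
      # which is the "best-practice list to work to" mentioned in the issue.
      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Once the job is green, the remaining findings in the Security tab give the maintainers a concrete checklist (branch protection, pinned dependencies, token permissions, and so on) to work through before the checks are made public.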

planetf1 commented 4 months ago

FYI, initial PR made for liboqs. Some minor findings. Agreed to get the checks clean before merge & publish.

planetf1 commented 3 months ago

I have added this to the template repository projects may use for the hackathon (if starting from scratch) at template-code. It will identify some deficiencies, but this is to be expected when starting and provides one target to work to.