Open planetf1 opened 9 months ago
FYI initial PR made for liboqs. some minor findings. Agreed to get the checks clean before merge & publish.
I have added this to the template repository projects may use for the hackathon (if starting from scratch) at template-code. It will identify some deficiencies, but this is to be expected when starting and provides one target to work to.
I suggest we generate OpenSSF Scorecards for each project we add to PQCA (and consider same for open-quantum-safe - I can open there)
We are offering assets in the security space - cryptography. We have discussed assurance of those assets in algorithmic terms, but there are additional criteria relating to the management of the project in github, packaging, dependencies, workflows, contributor diversity, and use of various tools.
scorecards are becoming more discussed as we all worry about supply-chain security, and some organizations are using them as criteria as to which projects can be used.
The tests can be done automatically in a github action to at least generate a local report - can consider later how to share further.
I think by doing this we add credibility - even though initially we will likely fail on multiple criteria, but it gives us a best-practice list to work to