Closed rootfs closed 1 year ago
I tried with https://bestpractices.coreinfrastructure.org/en/projects but some error is returned from the website.
@sustainable-computing-io/community-manager @sustainable-computing-io/maintainer @sustainable-computing-io/reviewer @sustainable-computing-io/kepler-helm-maintainer @sustainable-computing-io/kepler-deployment
We are going to sign off on the trademark agreement. Please make sure your info is up to date.
About OpenSSF, personally I suppose we can edit and update as follows:
Met after https://github.com/sustainable-computing-io/kepler-doc/issues/47
The project MUST provide reference documentation that describes the external interface (both input and output) of the software produced by the project. https://github.com/sustainable-computing-io/kepler-doc/issues/22
The project SHOULD provide documentation in English and be able to accept bug reports and comments about code in English. Met?
To enable collaborative review, the project's source repository MUST include interim versions for review between releases; it MUST NOT include only final releases. Met?
Unique version numbering
The project results MUST have a unique version identifier for each release intended to be used by users. Met? By GitHub commit hash in code?
It is SUGGESTED that the Semantic Versioning (SemVer) or Calendar Versioning (CalVer) version numbering format be used for releases. It is SUGGESTED that those who use CalVer include a micro level value. Met?
It is SUGGESTED that projects identify each release within their version control system. For example, it is SUGGESTED that those using git identify each release using git tags. Met
N/A. GitHub release workflow used? I can't open https://github.blog/2013-07-02-release-your-software/ but https://github.com/sustainable-computing-io/kepler/blob/main/.github/workflows/release.yml#L62 N/A
@rootfs , I went through parts of https://bestpractices.coreinfrastructure.org/en/projects/7391#reporting and updated my opinion here. Please take a look.
Working build system
The project SHOULD be buildable using only FLOSS tools. N/A
Automated test suite
The project MUST use at least one automated test suite that is publicly released as FLOSS (this test suite may be maintained as a separate FLOSS project). The project MUST clearly show or document how to run the test suite(s) (e.g., via a continuous integration (CI) script or via documentation in files such as BUILD.md, README.md, or CONTRIBUTING.md). Met, Go.
A test suite SHOULD be invocable in a standard way for that language. make test, or even better in the PR.
It is SUGGESTED that the test suite cover most (or ideally all) the code branches, input fields, and functionality. In the PR, the command make check runs all linting, unit and BDD tests.
It is SUGGESTED that the project implement continuous integration (where new or changed code is frequently integrated into a central code repository and automated tests are run on the result). Met, GitHub Actions, but our test coverage is....
The project MUST enable one or more compiler warning flags, a "safe" language mode, or use a separate "linter" tool to look for code quality errors or common simple mistakes, if there is at least one FLOSS tool that can implement this criterion in the selected language. Met, golint
The project MUST address warnings. Met
It is SUGGESTED that projects be maximally strict with warnings in the software produced by the project, where practical. Met
Use basic good cryptographic practices N/A for all?
Publicly known vulnerabilities fixed. Met by Dependabot?
Other security issues Met
At least one static code analysis tool (beyond compiler warnings and "safe" language modes) MUST be applied to any proposed major production release of the software before its release, if there is at least one FLOSS tool that implements this criterion in the selected language. Met, golint, gofmt?
It is SUGGESTED that at least one of the static analysis tools used for the static_analysis criterion include rules or approaches to look for common vulnerabilities in the analyzed language or environment. Met, by make scripts
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Discussed in https://github.com/sustainable-computing-io/kepler/discussions/695