
Suggest registering for OpenSSF Best Practices badge #1901

Open
1 task done
mspi21 opened this issue Apr 17, 2024 · 3 comments

Comments

@mspi21

mspi21 commented Apr 17, 2024

Checklist

  • I've searched the issue tracker for similar requests. I've searched for the keywords OpenSSF, best practices or badge.

Is your feature request related to a problem? Please describe.

When developers are tasked with choosing a cryptographic library for their needs, they may want to ensure that a particular library is trustworthy and secure. While there is not a standard method to evaluate crypto libraries, there are some ways that a library can hint at its reliability. One of them is the OpenSSF Best Practices badge, which aims to certify good practices in OSS development. One example of a project which has obtained this badge is the ring library, which you are of course familiar with; another example is OpenSSL.

From what I was able to tell, the rustls project should meet most (if not all) of the criteria without any change, which is the main reason I am proposing to adopt this badge. It may not seem important, but there is scientific research (see https://dl.acm.org/doi/abs/10.1145/3180155.3180209) suggesting that displaying such badges correlates, for example, with more frequent PRs containing tests (apart from the obvious benefit of signaling trustworthiness to potential users).

Describe the solution you'd like
I would like the maintainers to consider if registering for the OpenSSF badge linked above is a good use of their time.

Describe alternatives you've considered
I have not considered any alternatives, as I'm not aware of any.

Additional context
This issue is motivated by my work on my bachelor's thesis, which aims to explore methods of evaluating the trustworthiness, security and usability of cryptographic libraries. If you're interested, I can provide you with a summary of the results when it is finished. The background of the OpenSSF (formerly CII) badge is explained in The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL.

@cpu
Member

cpu commented Apr 17, 2024

👋 Hi @mspi21, thanks for opening an issue. This sounds like an interesting/worthwhile idea.

Would you be interested in trying to make a checklist of the requirements and checking off the ones you think we already meet? That would be a nice way for someone to help cut down on the amount of work that would be involved in applying. If you don't have the time/interest to do that I will try myself when time permits.

@mspi21
Author

mspi21 commented Apr 17, 2024

Hi, thanks for your fast reply!

That does sound reasonable, since I already have a good idea about the different requirements. At the moment, I am primarily focusing on finishing my thesis, but once I have some spare time on my hands, I'll definitely do my best to help out. :)

@cpu
Member

cpu commented Apr 17, 2024

At the moment, I am primarily focusing on finishing my thesis

Understood :-) Best of luck finishing that up.
