Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

CII Best practices

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 15 Jun 2018 13:50:54 +0200 (CEST)

Hey,

Two years ago I added curl to the CII Best practices web site, claiming curl
meets 100% of their criteria. I think that's good checklist of things and
procedures that a good and sound open source project should do.

You can see it here:
https://bestpractices.coreinfrastructure.org/en/projects/63

(Ideally, I would like to see all third party dependencies we recommend for
users to also be at 100% there, but we're not there yet...)

Since my initial curl submission, there have been two new levels added: silver
and gold, for which there's an even stricter set of rules that a project needs
to fulfill to be able to claim compliance.

I've filled in the silver requirements we meet but at 93% silver, the
remaining four ones are simply points we don't easily fulfill at the moment. I
don't think we can become a "silver best practise" project without a
significant effort. For your information, I'm listing the requirements we
don't fulfill here with my comments on them.

1. The project SHOULD have a legal mechanism where all developers of
non-trivial amounts of project software assert that they are legally
authorized to make these contributions.

- This seems to basically require Signed-off-by: in every commit and that we
host a file saying so. Personally I don't feel that we need to start requiring
S-O-B lines so I'm leaning towards keeping this 'unmet'.

2. The project SHOULD have a "bus factor" of 2 or more. (URL required)

- There's no official nor standard way to measure this and this even requires
a URL (to what?). I'm sure we could find a way to measure it to say that it is
more than 2 if we really want to. As long as we have other silver requirements
still pending I don't think I'll bother with it.

3. The project MUST have FLOSS automated test suite(s) that provide at least
80% statement coverage if there is at least one FLOSS tool that can measure
this criterion in the selected language.

- This is really tough. We have thousands of system and unit tests and we've
been hovering around 75% coverage for a long time. I would of course *like* us
to have better coverage but I see no way way to reach 80% anytime soon.

4. The project MUST provide an assurance case that justifies why its security
requirements are met. The assurance case MUST include: a description of the
threat model, clear identification of trust boundaries, an argument that
secure design principles have been applied, and an argument that common
implementation security weaknesses have been countered.

- Nope. And it feels like boring work I'll rather not do anytime soon. 

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2018-06-15