-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update baseline.yaml - NEW - OSPS-DO-19 #122
base: main
Are you sure you want to change the base?
Conversation
suggestion for new lvl 3 criteria for external audit/risk assessment Signed-off-by: CRob <[email protected]>
happy to see this added... but.... do we need to list it specifically by major version release? or every two versions? if it happened in v1.0 and the project is now on 4, does it still count? |
@TheFoxAtWork I agree, alternatively after a time period for projects that don't cut major releases. |
Co-authored-by: Evan Anderson <[email protected]> Signed-off-by: CRob <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also agree with Evan's suggestion
Co-authored-by: Ben Cotton <[email protected]> Signed-off-by: CRob <[email protected]>
Co-authored-by: Evan Anderson <[email protected]> Signed-off-by: CRob <[email protected]>
Co-authored-by: Ben Cotton <[email protected]> Signed-off-by: CRob <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM once the build script is happy.
fixed weird crob-indent Signed-off-by: CRob <[email protected]>
software, and make plans to address those | ||
problems. The project must | ||
provide evidence on request. | ||
implementation: | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
implementation: | | |
implementation: | | |
Identify who might be able to pay for an external security audit (including major users, | |
government programs, and non-profits). | |
Engage with an external security audit firm to review the project. | |
implementation: | |
I'm a fan of security reviews of OSS projects (I've overseen OSTIF work on many), but the big problem here is funding. It's incredibly hard to get funding for security reviews of OSS projects. Maybe we need a level 4? |
suggestion for new lvl 3 criteria for external audit/risk assessment