This repository has been archived by the owner on Apr 24, 2018. It is now read-only.

Core Infrastructure Initiative (CII) Best Practices #9

Open
47 of 71 tasks
rugk opened this issue Jan 28, 2017 · 0 comments

Comments

@rugk
Owner

rugk commented Jan 28, 2017

https://bestpractices.coreinfrastructure.org/
criteria: https://bestpractices.coreinfrastructure.org/criteria

Current status:

  • homepage_url (maybe GitHub?)
  • description_good (2FA is no jargon…)
  • interact
  • contribution
  • contribution_requirements
  • floss_license
  • floss_license_osi
  • license_location
  • documentation_basics
  • sites_https
  • english
  • repo_public
  • repo_track
  • repo_distributed
  • repo_track
  • version_unique
  • version_semver
  • version_tags
  • release_notes
  • release_notes_vulns
  • report_process
  • report_tracker
  • report_responses
  • enhancement_responses
  • report_archive
  • vulnerability_report_process
  • vulnerability_report_private
  • build
  • build_common_tools (a bash script should be more or less common, no? Anyway, only suggested)
  • build_floss_tools
  • test
  • test_invocation
  • test_most
  • test_continuous_integration
  • test_policy
  • tests_are_added
  • tests_documented_added
  • warnings (hmm, compiler warnings for a PHP project, seems difficult)
  • warnings_fixed
  • warnings_strict
  • know_secure_design
  • know_common_errors
  • crypto_published
  • crypto_call
  • crypto_floss
  • crypto_keylength (needs to be checked, exact key lengths are given)
  • crypto_working
  • crypto_weaknesses
  • crypto_pfs (N/A - we have no key agreement protocol)
  • crypto_password_storage (N/A - we store no passwords)
  • crypto_random (a bit N/A as we fall back to XenForo's native implementation)
  • delivery_mitm (HTTPS, file sums, signed release files, signed git tags)
  • delivery_unsigned
  • vulnerabilities_fixed_60_days
  • vulnerabilities_critical_fixed
  • no_leaked_credentials
  • static_analysis
  • static_analysis_common_vulnerabilities (scrutinizer-ci.com does)
  • static_analysis_fixed (there is one not really applicable, which I mitigated in 7f74c26...2995ff7)
  • static_analysis_often
  • dynamic_analysis (for PHP…?)
  • dynamic_analysis_enable_assertions
  • dynamic_analysis_fixed (probably N/A as we do not use it)
  • installation_common
  • build_reproducible (at least since the timestamp can be modified, commit 77a8473)
  • crypto_used_network (we have little influence on it, however)
  • crypto_tls12 (N/A, depends on server)
  • crypto_certificate_verification (N/A, depends on server)
  • crypto_verification_private (N/A, depends on server)
  • hardened_site (well… GitHub, download site not hardened)
  • hardening