Open discussions on specific topics selected by the Software Working Group and selected from the list of SWG Topics For Discussion.

Round Table Discussion:  OpenSSF Best Practices Badge, moderated by Rashmil Panchani

The OpenSSF Best Practices Badge is run by the OpenSSF, part of the Linux Foundation, and aims to ensure that open source software adheres to best practices that help ensure good code quality, security, community-driven development, and overall management of the project. The badge is attained by satisfying a set of required criteria. We'll discuss the importance of this badge and what it means to gain it. I'll share how we in the IN-CORE project are preparing to attain the Passing badge so that we can draft proposals for additional funding opportunities. We will end the roundtable with a few other discussion topics.

Recording: 

Slides: https://docs.google.com/presentation/d/1e_-FTSq2ZRlzD0roOy39GNH4BXQq35urjyEAA5-KIY8/edit#slide=id.p1


Attendees: Rashmil Panchani, Rob Kooper, Chen Wang, Marcos Frenkel, Dipannita Day, Chris Navarro, Rebecca Eveland, Visu Monaharajan, Max Burnette, Ya-Lan Yang, Minu Mathew, Kastan Day, Matt Berry, Yong Wook Kim, Jonathan Kim, Sara Lambert, Lisa Yanello, Luigi Marini



Discussion:


What is OpenSSF? It is a foundation that outlines the criteria for each badge level. Applications are free.  Why is it important?  It builds trust, encourages external collaborations, and is a potential avenue for acquiring more funding. There are security guidelines that must be followed in order to earn that trust.

The goal of this discussion is to share current best practices, explore projects across NCSA that could potentially become open source projects, and consider how we can incorporate some of these practices early on for an easier transition to open source.

There are different levels of badge that can be earned (Passing, Silver, Gold); each is incremental, and there are also intermediate levels. Rashmil shared how to apply for a badge.

Criteria for obtaining a badge fall into the following categories:

  • Basics: reporting, content, license, documentation, etc.
  • Change Control: use of version control, software versioning, and release notes.
  • Reporting: a bug reporting process and a vulnerability reporting process.
  • Quality: the overall quality of the system; testing, compiler warnings, code quality and coding standards.
  • Security: ensuring proper security of data and software, and that good cryptographic practices are followed.
  • Analysis: code analysis procedures, CI/CD pipelines, and dynamic and static code analysis.

Rashmil noted that the Google Doc created for IN-CORE could be used as a template for other projects at NCSA.  Tracking should use the following statuses: Met, Not Met, In Development, Unknown, Recognized.
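A small self-assessment script of the kind a project could keep next to its tracking document, covering both the criteria categories listed above and the Met / Not Met / Unknown statuses. This is an added example, not IN-CORE's tracking sheet or any OpenSSF tool: the mapping from each criterion to evidence files (for example SECURITY.md for a vulnerability reporting process, a CI workflow directory for an analysis pipeline) is an assumption chosen for illustration, the criterion names are invented for this script, and criteria that need a human judgement (such as cryptographic practices) are deliberately reported as Unknown rather than guessed.

```python
"""
Self-assessment helper for a best-practices badge checklist.

Added example, not part of the IN-CORE project or of the OpenSSF badge
tooling. The evidence paths below are assumptions: a "Met" here only means
the file-level evidence for a self-assessment is present, and the
authoritative criteria are the ones on the badge site.
"""
from pathlib import Path

# Three of the tracking statuses used in the IN-CORE document.
MET, NOT_MET, UNKNOWN = "Met", "Not Met", "Unknown"

# Criterion (hypothetical names) -> candidate evidence paths relative to the
# repository root. Any one match counts as evidence.
EVIDENCE = {
    "basics:license": ["LICENSE", "LICENSE.md", "LICENSE.txt", "COPYING"],
    "basics:documentation": ["README.md", "README.rst", "README", "docs"],
    "basics:contribution_guide": ["CONTRIBUTING.md", "CONTRIBUTING"],
    "change_control:vcs": [".git"],
    "change_control:release_notes": ["CHANGELOG.md", "CHANGELOG", "RELEASE_NOTES.md"],
    "reporting:vulnerability_process": ["SECURITY.md", "SECURITY", ".github/SECURITY.md"],
    "quality:tests": ["tests", "test", "spec"],
    "analysis:ci_pipeline": [".github/workflows", ".gitlab-ci.yml", "Jenkinsfile"],
}

# Criteria that cannot be judged from the checkout alone (for example that
# cryptography uses vetted libraries); these stay Unknown until a person
# records an answer in the tracking document.
MANUAL_ONLY = ["security:crypto_practices", "analysis:static_analysis_run"]


def assess(repo_root):
    """Return {criterion: status} for every file-checkable and manual criterion."""
    root = Path(repo_root)
    results = {}
    for criterion, candidates in EVIDENCE.items():
        found = any((root / candidate).exists() for candidate in candidates)
        results[criterion] = MET if found else NOT_MET
    for criterion in MANUAL_ONLY:
        results[criterion] = UNKNOWN
    return results


def summarize(results):
    """Count statuses so progress toward the badge can be tracked over time."""
    counts = {MET: 0, NOT_MET: 0, UNKNOWN: 0}
    for status in results.values():
        counts[status] += 1
    return counts


def report(results):
    """Render a plain-text checklist, one criterion per line with its status."""
    width = max(len(name) for name in results)
    return "\n".join(f"{name.ljust(width)}  {status}"
                     for name, status in sorted(results.items()))


def demo():
    """Build a constructed sample checkout in a temp directory and assess it.

    The sample has a license, README, tests directory and .git directory but
    no SECURITY.md, changelog, contribution guide or CI configuration.
    """
    import tempfile
    root = Path(tempfile.mkdtemp(prefix="badge-demo-"))
    for name in ["LICENSE", "README.md"]:
        (root / name).write_text("constructed sample file\n")
    for name in ["tests", ".git"]:
        (root / name).mkdir()
    return assess(root)


if __name__ == "__main__":
    import sys
    outcome = assess(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(report(outcome))
    print(summarize(outcome))
```

Run it with a repository path to get a first draft of the Met / Not Met column; the Unknown rows are the ones that still need the human review Rashmil described, which is where the security checklist tends to be overlooked.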

How many projects are targeting the badge program? There is a difference between what contributors do and what the badges require.  Clowder is working to put a checklist together, but as of now we don't do this.  Rob notes that IN-CORE is the first project to go through the process of getting these badges. It would be a good idea to have all open source projects use the badge system.

Rob asked whether anything on the checklist struck Rashmil as never having been considered before, and Rashmil noted that the security checklist was something that had not been heavily considered.

How long does it take to receive the badges? Rashmil notes that it takes about 2 days to obtain the badge; compiling the data and making sure the checklist is complete is what takes the time.

Visu asks if the collaborators are aware that the badges are part of the project.  Rashmil can only speak to IN-CORE.

Rob asks how to get started from day one on a new project.  This is very subjective and depends on the project, but you should start thinking about obtaining these badges at the beginning.  GitHub has a checklist system built in, and when you start a change log from day one it tracks your progress.  Should we think about the badges in addition to using GitHub?  GitHub, while it has a checklist system, does not issue badges for successfully completing the documents, etc.

Chris notes that the badge requirements should be added to the Best Practices Handbook.

How do we get users to use our open source page?  We should work with Comms to put on our web pages that we have passed certain badges, noting that we are trustworthy and secure.

GitHub has a program that can run through your repository to check package-related criteria, and its results can be added to the OpenSSF application, but OpenSSF itself does not have an automated process for checking the criteria.


Links mentioned in this Round Table:



Best Practices Handbook: https://github.com/ncsa/software-development-handbook





If you are interested in contributing to a Round Table, please see these links:

Round Table Google Sheet: https://docs.google.com/spreadsheets/d/1kbgO6sIb_4eLugfSVKQNCTXdaKp1R6m0RDczPTsUAoQ/edit#gid=0  Everyone should have edit permission.

Round Table Discussions

SWG Topics For Discussion
