Olaf Renner Muddasar Ahmed Amy Zwarico

This is a drafting space for LFN Quality and Security goals

  1. Define common quality and security goals across LFN projects

  2. Define metrics and tools to measure and verify if goals are reached

  3. Define templates to guide, document and review project progress

Available resources:

Quality Goal | LFN Wiki | CNCF templates | OpenSSF | Key Measures | LFX | Github | Notes

Project Vitals

Project Data Template (currently used both for induction ☑️ and health review ✅ *) | LFN Lifecycle states and guidelines (metrics per lifecycle stage) | LFN Security Forum Best Practices | Best Practices | Passing badge | Scorecard

  Project Name | ☑️ | README-template.md | PCC Project Definition
  Project Creation Date | ☑️ | Age? | PCC Project Definition
  Project License | ☑️ | LICENSE; README-template.md | [floss_license][floss_license_osi][license_location] | Degree of FOS | PCC Project Definition
  Legal Details and checks | PCC Project Definition
  Community Size | ☑️ | #s
  Contributing organizations (Diversity) | ☑️ ✅ | ☑️ | #s
  Number of contributors | ☑️ | #s
  Lifecycle Stage | ☑️ | PCC Project Definition
  Release schedule | ☑️ | Months
  Adoption | ☑️ | Not sure how to measure. Downloads?

Health Review | CNCF Devstats; CLOmonitor

  Criticality Score | PCC Health Metrics; Insights
  Github health metrics
  Release Information
  Number of commits (over last year)
  Number of active committers
  Number of active committers per organization
  Number of PR/changeset
  Mailing list activity

Project & Community Resources | [discussion]

  Website | ☑️ | README.md | [description_good] | Yes/No | PCC Domain
  Wiki | ☑️ | README.md | Yes/No | PCC Wiki
  Mailing List | ☑️ | README.md | Yes/No | PCC mailing list
  Slack | ☑️ | README.md | Yes/No
  Community Meetings | ☑️ | README.md | Yes/No | PCC manage meetings

Project Governance

  TSC/TOC | ☑️ | ☑️ | GOVERNANCE.md; GOVERNANCE-elections.md; GOVERNANCE-maintainer.md | Yes/No
  Charter | ☑️ | Yes/No
  Code of Conduct | ☑️ | CODE_OF_CONDUCT.md; README.md | Yes/No
  How to contribute | ☑️ | ☑️ | CONTRIBUTING.md; README.md | [interact]; [contribution]; [contribution_requirements] | Yes/No
  Project Roles | ☑️ | ☑️ | CONTRIBUTOR_LADDER.md | Yes/No
  Maintainers | ☑️ | ☑️ | MAINTAINERS.md
  How to Review | ☑️ | ☑️ | REVIEWING.md
  Adding/Removing PTLs | ☑️ | ☑️ | MAINTAINERS.md ??
  Sub-Project Lifecycle | ☑️ | ☑️ | GOVERNANCE-subprojects.md
  Dispute Resolution | ☑️
  Adding/removing committers | ☑️ | ☑️
  Sub-projects without a lead | ☑️

Documentation | [english]

  Technical Documentation | ☑️ | ☑️ | [documentation_basics][documentation_interface] | What should be the minimum criteria? Or a scale?
  Contributor onboarding Documentation | ☑️ | [interact]; [contribution]; [contribution_requirements] | Yes/No
  Company Diversity (past 12 months) | ☑️
  Number of Contributors | ☑️
  Release Management | ☑️ | [version_unique][version_semver][version_tags][release_notes][release_notes_vulns] | Release notes contain patched and outstanding defects (details)
  CI/CD integration | ☑️ | [build]; [build_common_tools][build_floss_tools] | degree of automation, analysis tools, traceability of overrides, failures
  Adoption | ☑️
  Security Design Principles | ☑️

Use Case / Problem Statement

  Problem that the project solves | ☑️ | README.md | [description_good]
  Use Case Scenarios | ☑️ | README.md

Infrastructure Tooling

  Wiki | ☑️
  Repos | ☑️ | [repo_public][repo_track][repo_interim][repo_distributed]
  Bug Tracking tool | ☑️ | [report_tracker]
  Code review | ☑️
  CI/CD tooling | ☑️ | [build]; [build_common_tools][build_floss_tools]
  Collaboration Tooling | ☑️

Roadmap | Roadmap Guide

  Near/long-term objectives | ☑️
  Milestones | ☑️
  Risks/Challenges | ☑️
  Timeline | ☑️

Security Best Practices | Security Guidelines for New Projects

Security

  Security Contacts | SECURITY-CONTACTS.md | [know_secure_design][know_common_errors] | Yes, channels
  Code Scanning | ☑️ | license, code vulnerability, static, dynamic, manual | Snyk, Blubracket
  Seed code handoff | ☑️
  Coding Standards | ☑️ | ☑️ | [warnings][warnings_fixed][warnings_strict]
  Security design principles | ☑️ | OSSF Scorecard; OSSF Best Practices | self assessment or audit, outside assessment/audit
  Vulnerability Reporting | ☑️ | SECURITY.md; incident-response.md | [release_notes_vulns][vulnerability_report_process][vulnerability_report_private][vulnerability_report_response]
  Bug reporting | [report_process][report_tracker][report_responses][enhancement_responses][report_archive] | days to patch; bug found during (unit, static, dynamic, integration, field operations)
  Demonstrate Security Awareness | ☑️ | all of this column
  Practice Secure Lifecycle Management (per release) | ☑️ | cryptographic practices; secured delivery against man-in-the-middle (MITM) attacks; publicly known vulnerabilities fixed; [no_leaked_credentials]
  Security Documentation | ☑️ | [vulnerabilities_fixed_60_days] [vulnerabilities_critical_fixed]
  CI/CD best practices | ☑️
  Secure project architecture | ☑️ | [sites_https]

Supply Chain Security | ☑️ | CNCF Supply Chain Security | code intake scans, 3rd party code version alignment, 3rd party code vulnerability reporting | There is also OpenSSF S2C2F

  SBOM creation | ☑️ | Yes/No | export SBOM | OpenChain Telco SBOM
  Static Application Security Testing (SAST) | ☑️ | [static_analysis][static_analysis_common_vulnerabilities][static_analysis_fixed][static_analysis_often]
  Dynamic Application Security Testing (DAST) | ☑️ | [dynamic_analysis][dynamic_analysis_unsafe][dynamic_analysis_enable_assertions][dynamic_analysis_fixed]
  Software Composition Analysis (SCA) | ☑️
  Container vulnerability scanning | ☑️
  Code Coverage Testing | ☑️ | [test][test_invocation][test_most][test_continuous_integration]; [test_policy][tests_are_added][tests_documented_added]

Code Quality

Propose meeting on Mondays, biweekly. Casey Cain will send out a poll.