2024-11-04 Quality & Security Goals
Community Attendees:
@Olaf Renner @Gergely Csatari @Muddasar Ahmed @Robert Varga @Amy Zwarico @Nadathur Sundar
LF Staff:
Agenda
Antitrust Policy
Kickoff discussion
Organisation of work topics
Quality goals
Security goals
Minutes
Organisation of work topics
@Olaf Renner proposed to split the work into quality goals and security goals as they are not necessarily related. Depending on the time we need to spend on each we may organise dedicated meetings (alternating?) for one or the other. For both goal areas easy implementation/automation through tools will be critical as otherwise none of these goals will be adopted by projects and manually collecting metrics is just a burden.
@Muddasar Ahmed Looking at the table in 2025 Quality & Security Goals | Review Matrix, there seem to be duplicate/related items. Add a column to mark related items.
Start with security goals for followup meeting.
@Gergely Csatari +1 on automation of metrics collection and tools to achieve goals
Quality Goals
@Olaf Renner Things like project health review and issues with LFX would fall under this. We had the case that XGVela was defunct for a long time without realising due to missing health reviews.
@Robert Varga Instead of health reviews shouldn’t this be risk assessment (e.g. of not well governed projects)?
@Muddasar Ahmed The term we use is not important but we should have the right metrics in place
@Robert Varga If (new) templates should be used it would be good to see an example. @Olaf Renner can start to work on this.
Security Goals
@Amy Zwarico pointed out that there are security measures that projects should implement, like SCA and OpenSSF Badging, and some of them can be achieved without major effort.
Static Code Analysis: SonarCloud can be used.
SonarCloud could create a lot of alerts when first used (e.g. issues not only on production code but also tests): Pick the right metric and have best practices in place.
@Casey Cain to double check that SonarCloud could be used by all LFN projects
OpenSSF Badging
A dashboard to track OpenSSF Best Practices badge progress is available.
Start with a list of prioritised items in the 2025 Quality & Security Goals | Review Matrix
@Olaf Renner Not all projects have documented their security contacts, or it's not easy to find them (need to search wikis or other documentation). Developers usually start by downloading repos, so security contacts should be added there.
All projects should document their security contacts in the code repo: SECURITY-CONTACTS.md (can link to wiki if project documented the contacts there)