-
Notifications
You must be signed in to change notification settings - Fork 116
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Core Infrastructure Initiative (CII) Best Practices badge #154
Comments
Status: 59% https://bestpractices.coreinfrastructure.org/projects/237
@drybjed Just curious. Have you setup github-backup to backup repos and issues? I have played with github-backup and contributed a bit but have not set it up yet. |
@ypid I haven't set up |
@ypid BTW, token generation in |
Nice. Thanks.
😄 Now that there is a incentive 😉 You are encouraged to do that. Choosing MD5 because it is faster was not a very strong argument in the first place. |
Seems we are at a solid base of 71% (I have tried to not overestimate it and some criteria still need to be verified). @drybjed Want to check the Analysis and Future sections which I did go thought right now? I would add the badge to this repo when you are OK with it. |
Looks good. I like it when you implied that configuration management would require STOPPING TIME ITSELF to be reproductible. :-) However, after checking the criteria:
I don't believe that DebOps itself builds any binaries. There were some cases where Debian packages were built by DebOps, but each one is isolated and it depends on the package maintainer to ensure reproductible build. I would mark this entry as |
Thanks for your feedback. I thought about that and stated in the first sentence how I do interpret reproducible builds for the project:
So I don’t think that it is not applicable. Let me explain that a bit more. At work, I use DebOps to build a ownCloud appliance and I am working towards fully automated builds of this VM appliance with DebOps. So I am actually building an image which is later shipped to customers. I think it would be interesting to build this VM or container images reproducible so that no one needs to trust my build environment. This way, multiple employees or customers could rebuild the image and can be certain that the image corresponds to the specification and CM code. Refer to Security challenges for the Qubes build process. But at the same time I realize that it will require a lot of work and am not proposing to do that right now. Also because this is probably a not very common usage of the project. Plus this is currently a future criterion which is SUGGESTED so we don’t lose anything here in terms of getting the badge. |
Related to: https://github.com/linuxfoundation/cii-best-practices-badge/blob/master/doc/criteria.md#vulnerability_report_process Related to: debops/debops#154 When this repo is included in the docs build, a redirect from `debops.org/security` should point to the security policy. Additionally I propose to create "DebOps security mailing list <debops-security@lists.debops.org>" or "<security@lists.debops.org>"
Refer to: https://twit.tv/shows/floss-weekly/episodes/389 and https://bestpractices.coreinfrastructure.org
I am currently going thought the questions.
Project URL: https://bestpractices.coreinfrastructure.org/projects/237
The text was updated successfully, but these errors were encountered: