Initiative for CII-Best-Practices for Nodejs Projects #953
Comments
|
@rvagg can you add me to the https://bestpractices.coreinfrastructure.org/en/projects/29? We will need to make some changes soon in order to merge #954 |
|
Sorry @UlisesGascon, this one fell off my notification list in my general cull of incoming notifications, only an email from @mhdawson pointed me to it.
This is a lifetime ago, so it's something expunged from my memory, I clicked through to the page wondering why I was being pinged about it .. but my name's on it! Project #29 in CII Best Practices, I remember now when that thing started and thinking it was a good idea .. early adopters! I actually can't find any place where I can "add" or even transfer the thing, it looks like it's just me. I guess we could email and ask them to transfer it to someone else? Or if you want to list items that you want to edit in this thread I could go and do them. Lots of stuff to fill out for Silver and Gold but if you want to tell me which ones to tick I could go and do that. |
|
Thanks @rvagg for the update, seems like we are early adopters 😃
I was not able to find it as well, so I guest this feature is not yet implement. Can you help us to update the records for the entry level form? In the PR #954 we discussed about what should be included. By comparing the first and the last commit https://github.com/nodejs/security-wg/compare/84945b0..1eeb152 it will be easier to visualize what has change from the current responses. If you prefer me to do it, you can share your credentials with us (if you are using user/pass login) in the private repository 👍 We are working now in the Silver questionary in #955 |
GitHub login unfortunately! Next problem is that their form doesn't work! I can edit "passing" and "gold" but not "silver", when I go to the edit link (https://bestpractices.coreinfrastructure.org/en/projects/29/edit?criteria_level=1) it redirects back to https://bestpractices.coreinfrastructure.org/en. I'll email them and also see if I can convert the login to user/pass or add people to it, or something. |
|
Opened coreinfrastructure/best-practices-badge#1983 about the edit problem, emailed them about the login setup. |
|
... and coreinfrastructure/best-practices-badge#1984 about email problems |
|
|
|
@rvagg thanks for opening those issues. Does it make sense to open an issue asking how we transfer ownership so that you don't need to be in the loop? |
|
I asked via email, no response yet. |
|
k thanks. |
|
I've done the updates, but as I noted in the commit all of the entries require justification - text and/or a URL, I stopped commenting in the commit because there's so many without. Even the N/A ones want justification. But I found I could submit without filling those out, even though they said "Required", but now on the page you should see lots of |
|
Thanks @rvagg I will re-check all the responses and add the missing URLs/texts. |
|
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made. |
Did they confirm if is possible to transfer the ownership, @rvagg? |
|
No response to email I sent in June to cii-badges-questions@lists.coreinfrastructure.org; does someone here want to follow up and figure out how best to get in touch with these guys? Loop me in and I'm happy to confirm that I approve of transferring ownership. Opening a GitHub issue might be an alternative approach. |
Let me see if I got a better luck, I am also in the OSSF Slack, so maybe I can make some progress 👍 |
|
Hi! I'm sorry, I didn't see your requests before!! Please let me try to fix things, now that you have my attention!!
Oh no! I'm sorry. We never saw those messages. We stopped supporting the email address We'd be happy to transfer ownership! We just need the project numeric id, which is 29 for Nodejs, and the user id of the new owner (currently 24 for Rod Vagg). Normally the original owner and new owner have to approve, which we verify manually. GitHub verifies people's identities, so if Rod states the request in this issue (including who it goes to), or a new issue on our GitHub site, that'll work. If the new owner doesn't have an account on the best practices site, please create it. Ownership transfers have been rare, so we don't have an automated process for it yet. You do not need to own the badge entry to be able to edit it. The owner can add anyone else as an authorized editor of the badge entry.
Yes, that's as intended. Especially at the silver & gold level, we don't just want assertions that something is true - we want evidence that it's true. In many cases we require a URL to point to the evidence (so you can update your documents using your usual processes, instead of mucking with the badge entry every thing). So you can say it's true, but it won't count until you point to the evidence. We don't need a PhD dissertation, just a pointer to evidence. Anyway, sorry your emails got unintentionally blackholed. Now that we're talking with each other, we want to make it successful! A lot of people depend on Nodejs; we want you to be successful and show others your awesome results. |
Can you explain this a bit more? I haven't been able to find such an option, and I just went back and poked around and the only thing I seem to be able to do is edit my personal account info or the criteria for the project. Is this something I have to ask you or someone else with access to add? I'd be fine transferring it entirely to someone from the TSC (https://github.com/nodejs/node#tsc-technical-steering-committee) or a proxy they're happy to own this. Or, if I can just add people, I'd add be happy to add any of the active people in this security working group (https://github.com/nodejs/security-wg?tab=readme-ov-file#current-project-team-members). |
Gladly! Every badge entry has an "owner" but possibly many "editors". The owner or editors can add new editors. This is only visible when you edit the passing badge (most people don't care about who the editors are). After logging in, you can go here: https://www.bestpractices.dev/en/projects/29/edit?criteria_level=0 And drop to: (Advanced) What other users have additional rights to edit this badge entry? Currently: [] One thing we haven't implemented automatically is ownership changes. We can do that for you, but that's something we have to do manually (it's really rare, which is why we don't have an online mechanism for it yet).
That's entirely up to you! Let us know what you want, we'll make it happen. Basically, tell us who the "owner" should be. You can then add whoever should be editor (though we can set up a starter set to make your life easy). |
|
great, got it! @UlisesGascon do you want editorship? Can you make an account on https://www.bestpractices.dev/ and give me your "user id" (I think that's the integer representing your account). |
Yeah! I think is |
|
cool, give that a go now @UlisesGascon, do you get the "Edit" on https://www.bestpractices.dev/en/projects/29 ? |
|
Yes! It is working, I can edit now 🥳 |
|
Excellent! If there's something you need us to do, have questions, etc., just let us know. |
|
@david-a-wheeler can we create a |
|
This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off. |
|
This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off. |
|
i guess the “never stale” label isn’t respected |
|
I think it was because the label was named with a dash (-) -- |
As commented in #884 seems like there is an interest to explore this idea.
Context
I discovered that we already completed the process for Nodejs, last update at 2016-05-19.
I believe we can review the current status and check if we need to update some of the answers. Also it might be quite interesting to see if we can achieve Silver or Gold level.
More information in OpenSSF Best Practices Badge Program
Next steps
The text was updated successfully, but these errors were encountered: