On 2018-10-07 07:47, Andres Freund wrote:
> Hi,
>
> I noticed that our dear project wasn't among the projects that have
> been
> evaluated with the CII best practices guidelines. As I was curious I
> made an initial attempt. The MUST requirements for the 'passing' level
> largely seem reasonable, there's a few less sane things in the "higher"
> grades.
>
> https://bestpractices.coreinfrastructure.org/en/projects/2268
Excellent stuff Andres, that looks like a really good start. :)
The "What programming language(s) are used to implement the project?"
one
shouldn't be too hard to fill out. The info for the question says that
if there are many, then to include at least the first three (in
descending
order of most to least used).
It'll definitely be C (of course), but what should come next?
* Do we use SQL to *implement* the project? Kind of thinking "no" for
the sense they're meaning.
* Maybe the languages commonly used for stored procedures?
* Should our build system pieces by considered as well?
* That could be tricky, as several of the binary packages are
created by external parties. Maybe better to not consider
build system pieces atm.
For the Security reporting item, it sounds like we need to add PGP key
details to our Security issue reporting section. I don't remember any
recent discussion (last few years) on the -www mailing list about it,
hopefully it's not be a problem. ;)
For the Security items re: implementing crypto (SCRAM) and depending
on broken crypto (eg MD5), good question... not sure how to handle
those.
We may need to discuss with the CII people directly to get a sense for
the right way forward.
+ Justin