Wednesday, 2025-02-26

21:40 <fungi> openssf finally published their first version of this yesterday: https://baseline.openssf.org/versions/2025-02-25
21:41 <fungi> it's an interesting read, a lot of it we already do depending on how you interpret their choice of wording, some of it we could talk about trying, and a fair number of things on there that are simply unrealistic for a volunteer-run community collaboration
21:44 <fungi> also you can see a bias toward cncf-type workflows and terminology (e.g. our ci system has "pipelines" but i think they mean something different than we do when they say it, they seem to consider dco-style attestation in commit messages safer than getting contributors to agree to a cla before being granted access, et cetera)
21:52 <JayF> fungi: I work with someone who works very closely with openssf; if you can put together some constructive feedback I'm happy to point her at it
21:52 <JayF> fungi: or maybe even just see if we can get a chat going
22:31 <fungi> JayF: here's a braindump... https://paste.opendev.org/show/b9uQdyRH2CQ69uOZlyfC/
23:43 <JayF> ack; will pass it on when slack stops itself-ing :D
23:43 <fungi> the blessings of irc
23:43 <JayF> yep
23:43 <JayF> no login services? no problem. except impersonation :D
23:45 <fungi> in particular i think the idea that projects should stop releasing things when there are known vulnerabilities is actively harmful. say there's two known vulnerabilities that affect all available versions of your project, one you can fix straight away and the other one is taking more time... are users helped by remaining on an older vulnerable version, or upgrading to a new version that at least fixes one of those?
23:46 <JayF> perfect is the enemy of good problem
23:47 <JayF> slack actually logged in on desktop for the first time today; so I've passed on your document and the link to this chat log
23:47 <fungi> also release early and often
23:47 <JayF> thanks :D
23:48 <fungi> i've been interacting with slack (where i must, *shudder*) through a weechat plugin, and it's mostly-worked today
23:48 <JayF> of the 4 slack ... workspaces(?) I'm in, the only one that broke was the GR-OSS one
23:48 <JayF> It felt very much like a "we lost a shard" type of outage
23:49 <fungi> https://slack-status.com/2025-02/1b757d1d0f444c34 talks about "repairing affected database shards" so yes, probably
23:52 <JayF> I've never been on the wrong side of one of those 😅
23:55 <fungi> as in the repairing side vs the causing side? ;)

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!