Nick | Message | Time
---|---|---
fungi | openssf finally published their first version of this yesterday: https://baseline.openssf.org/versions/2025-02-25 | 21:40 |
fungi | it's an interesting read, a lot of it we already do depending on how you interpret their choice of wording, some of it we could talk about trying, and a fair number of things on there that are simply unrealistic for a volunteer-run community collaboration | 21:41 |
fungi | also you can see a bias toward cncf-type workflows and terminology (e.g. our ci system has "pipelines" but i think they mean something different than we do when they say it, they seem to consider dco-style attestation in commit messages safer than getting contributors to agree to a cla before being granted access, et cetera) | 21:44 |
JayF | fungi: I work with someone who works very closely with openssf; if you can put together some constructive feedback I'm happy to point her at it | 21:52 |
JayF | fungi: or maybe even just see if we can get a chat going | 21:52 |
fungi | JayF: here's a braindump... https://paste.opendev.org/show/b9uQdyRH2CQ69uOZlyfC/ | 22:31 |
JayF | ack; will pass it on when slack stops itself-ing :D | 23:43 |
fungi | the blessings of irc | 23:43 |
JayF | yep | 23:43 |
JayF | no login services? no problem. except impersonation :D | 23:43 |
fungi | in particular i think the idea that projects should stop releasing things when there are known vulnerabilities is actively harmful. say there's two known vulnerabilities that affect all available versions of your project, one you can fix straight away and the other one is taking more time... are users helped by remaining on an older vulnerable version, or upgrading to a new | 23:45 |
fungi | version that at least fixes one of those? | 23:45 |
JayF | perfect is the enemy of good problem | 23:46 |
JayF | slack actually logged in on desktop for the first time today; so I've passed on your document and the link to this chat log | 23:47 |
fungi | also release early and often | 23:47 |
JayF | thanks :D | 23:47 |
fungi | i've been interacting with slack (where i must, *shudder*) through a weechat plugin, and it's mostly-worked today | 23:48 |
JayF | of the 4 slack ... workspaces(?) I'm in, the only one that broke was the GR-OSS one | 23:48 |
JayF | It felt very much like a "we lost a shard" type of outage | 23:48 |
fungi | https://slack-status.com/2025-02/1b757d1d0f444c34 talks about "repairing affected database shards" so yes, probably | 23:49 |
JayF | I've never been on the wrong side of one of those 😅 | 23:52 |
fungi | as in the repairing side vs the causing side? ;) | 23:55 |