GSoC 2024: Adapting to Google Open Source Security Rules, Policies, standards
henrykironde opened this issue · 11 comments
An example of a project using OSSF
| Project | Pipeline source code | Results visualized |
|---|---|---|
| NumPy | actions yaml file | Logs |
- Inclusion of support for Fuzzing via OSS-Fuzz, or expansion of fuzzing coverage where already present.
- Remediation of known vulnerabilities.
- Enhancement of build/release security by automating builds and releases, incorporating build provenance, implementing signing procedures, and improving reproducibility.
- Enhancement of OpenSSF Scorecard scores for projects.
- Data Retriever: https://github.com/weecology/retriever (@henrykironde)
- Deepforest: https://github.com/weecology/deepforest (@henrykironde)
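To make the build/release items in the list above concrete, here is an added example release workflow; it is not taken from this issue or from any of the participating projects. It assumes a Python package built into `dist/` with `python -m build`, a PyPI trusted publisher registered for this repository and workflow, and a GitHub environment named `pypi` (all three are assumptions). It shows the three properties a Scorecard-driven review asks for: least-privilege job tokens, signed build provenance, and publishing without a long-lived API secret.

```yaml
# Added example (not from any project in this thread). Assumes: a Python
# package built with `python -m build`, a PyPI trusted publisher configured
# for this repo/workflow, and a GitHub environment named "pypi".
name: Release

on:
  release:
    types: [published]

# Start from no token permissions; each job asks only for what it needs.
# This is what Scorecard's Token-Permissions check looks for.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # OIDC identity used to sign the provenance
      attestations: write  # store the attestation against the repository
    steps:
      # Pin each action to a full commit SHA (not shown here) to satisfy
      # Scorecard's Pinned-Dependencies check.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave a token in .git/config
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build
      # SLSA-style build provenance, signed via Sigstore with the workflow's
      # OIDC identity; consumers can verify which workflow produced dist/*.
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/*
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi      # assumed environment name; put required reviewers here
    permissions:
      id-token: write      # exchanged for a short-lived PyPI token; no stored secret
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # Trusted Publishing: PyPI accepts the GitHub OIDC token for this
      # repo/workflow, so no PYPI_API_TOKEN secret exists to leak or rotate.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Splitting build and publish into separate jobs keeps the publishing job from ever holding write access to repository contents, and the `pypi` environment is the place to require a human approval before anything is uploaded.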
Hi. Responding to the "Adapting to Google Open Source Security Rules, Policies, standards" email, the pyhf
team's repository of choice is https://github.com/scikit-hep/pyhf. I (@matthewfeickert) will be the mentor from our team.
(We'll additionally propagate the security enhancements applied to our repo out to the other projects in the https://github.com/scikit-hep/ GitHub org.)
Submitting PyMC and PyMC Examples for security checks. Feel free to contact me directly!
I'll be the contact point for JupyterLab security checks. I started the submission for the OpenSSF best practices badge.
Hello, I am the contact point for aeon. Feel free to send me an email, direct message or @ me on GitHub.
Hello! After discussion with our lead maintainer @ccordoba12, Spyder (https://github.com/spyder-ide/spyder) would like to participate! I, @CAM-Gerlach, will be the contact and mentor for it. I was actually just looking into implementing and certifying the OpenSSF best practices myself for Spyder and related repos that we are the maintainers of; ideally at least https://github.com/spyder-ide/spyder-kernels, https://github.com/spyder-ide/qtpy, https://github.com/spyder-ide/qtawesome, https://github.com/python-lsp/python-lsp-server, and https://github.com/jupyter/qtconsole, all of which are core dependencies of Spyder and (besides Spyder-Kernels) all widely depended upon by other projects in the scientific ecosystem and beyond. I've been wanting to add many of those things (security linting, Trusted Publishers release pipeline, etc.) anyway, so this is a perfect opportunity to have some help from an expert in that area. Thanks!
Hello, I along with @Pansysk75 will be the points of contact for HPX. Looking forward to this project :)
Hi, I am interested in working on the Matplotlib project, but I have not been able to contact the mentors of that project for many months. If anyone could help me with it, feel free to contact me at yugalkaushik14@gmail.com
Hi, we are from PyBaMM (https://pybamm.org/), a NumFOCUS-sponsored project, and we would love to opt in for this initiative for the main PyBaMM repository. If this is still in and remains in the ambit over the next few months, the relevant resource to contact would be me (@agriyakhetarpal), and @Saransh-cpp would like to act as an additional contact person; both of us serve as maintainers at the time of writing. We would love to help the mentee navigate through our repository and let them propose infrastructure-related changes in line with modern-day security practices in order to build up our scorecard.
PR Checklist of Repos
- https://github.com/aeon-toolkit/aeon
- https://github.com/pymc-devs/pymc
- https://github.com/pymc-devs/pymc-examples
- https://github.com/weecology/deepforest
- https://github.com/weecology/retriever
- https://github.com/jupyterlab/jupyterlab
- https://github.com/spyder-ide/spyder
- https://github.com/spyder-ide/spyder-kernels
- https://github.com/spyder-ide/qtpy
- https://github.com/spyder-ide/qtawesome
- https://github.com/python-lsp/python-lsp-server
- https://github.com/jupyter/qtconsole
- https://github.com/pybamm-team/PyBaMM
- https://github.com/scikit-hep/pyhf
- https://github.com/STEllAR-GROUP/hpx