[Hyperledger Project TSC] Fwd: Core Infrastructure Initiative - Security Badge


Brian Behlendorf
 

This apparently was received truncated by some, though the archives have it in full, so resending now just in case others did not get the full message.

Brian


From: Brian Behlendorf <bbehlendorf@...>
Sent: December 1, 2016 11:57:58 PM GMT+02:00
To: "'hyperledger-tsc@...'" <hyperledger-tsc@...>
Subject: Core Infrastructure Initiative - Security Badge

As mentioned on today's call, as a way to telegraph publicly our community's commitment to secure coding practices, we may want to consider adopting the Core Infrastructure Initiatives's Badge Program for the entirety of Hyperledger, for all projects that have graduated from the incubator.  The badge program is described here:

https://www.coreinfrastructure.org/programs/badge-program

and the criteria are documented here:


-- 
Brian Behlendorf
Executive Director, Hyperledger
bbehlendorf@...
Twitter: @brianbehlendorf

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Ash <ash@...>
 

Hi Brian, Chris, et al,

I'm still new to the Hyperledger community, but would like to help with CII Badging. I was part of the core team in OPNFV and am currently implementing the scanning into our CI pipeline. Also working with 3rd parties, who aren't CII Badged, on their scanning, etc.

Best,

Ash

On Thu, Dec 1, 2016 at 8:01 PM, Brian Behlendorf via hyperledger-tsc <hyperledger-tsc@...> wrote:
This apparently was received truncated by some, though the archives have it in full, so resending now just in case others did not get the full message.

Brian


From: Brian Behlendorf <bbehlendorf@linuxfoundation.org>
Sent: December 1, 2016 11:57:58 PM GMT+02:00
To: "'hyperledger-tsc@lists.hyperledger.org'" <hyperledger-tsc@lists.hyperledger.org>
Subject: Core Infrastructure Initiative - Security Badge

As mentioned on today's call, as a way to telegraph publicly our community's commitment to secure coding practices, we may want to consider adopting the Core Infrastructure Initiatives's Badge Program for the entirety of Hyperledger, for all projects that have graduated from the incubator.  The badge program is described here:

https://www.coreinfrastructure.org/programs/badge-program

and the criteria are documented here:


-- 
Brian Behlendorf
Executive Director, Hyperledger
bbehlendorf@linuxfoundation.org
Twitter: @brianbehlendorf

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

_______________________________________________
hyperledger-tsc mailing list
hyperledger-tsc@lists.hyperledger.org
https://lists.hyperledger.org/mailman/listinfo/hyperledger-tsc



Christopher Ferris <chris.ferris@...>
 

Ash,

This is awesome! Thanks for the offer to help. I was exploring getting scanning integrated into CI, myself. We do this internally but one of the things we lack is static analysis of Go, as our toolset doesn't cover Go.

I reviewed the badging criteria and at least from a process perspective, think we are in pretty good shape. I have someone looking at the crypto-specific criteria because we have quite a bit. I fully expect that we'll need some remediation;-)

Aside from static scanning, were there any other changes that OpenNFV made to their CI? 

Chris

On Fri, Dec 16, 2016 at 10:35 AM, Ash <ash@...> wrote:
Hi Brian, Chris, et al,

I'm still new to the Hyperledger community, but would like to help with CII Badging. I was part of the core team in OPNFV and am currently implementing the scanning into our CI pipeline. Also working with 3rd parties, who aren't CII Badged, on their scanning, etc.

Best,

Ash

On Thu, Dec 1, 2016 at 8:01 PM, Brian Behlendorf via hyperledger-tsc <hyperledger-tsc@lists.hyperledger.org> wrote:
This apparently was received truncated by some, though the archives have it in full, so resending now just in case others did not get the full message.

Brian


From: Brian Behlendorf <bbehlendorf@...rg>
Sent: December 1, 2016 11:57:58 PM GMT+02:00
To: "'hyperledger-tsc@...edger.org'" <hyperledger-tsc@...dger.org>
Subject: Core Infrastructure Initiative - Security Badge

As mentioned on today's call, as a way to telegraph publicly our community's commitment to secure coding practices, we may want to consider adopting the Core Infrastructure Initiatives's Badge Program for the entirety of Hyperledger, for all projects that have graduated from the incubator.  The badge program is described here:

https://www.coreinfrastructure.org/programs/badge-program

and the criteria are documented here:


-- 
Brian Behlendorf
Executive Director, Hyperledger
bbehlendorf@...g
Twitter: @brianbehlendorf

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

_______________________________________________
hyperledger-tsc mailing list
hyperledger-tsc@...ger.org
https://lists.hyperledger.org/mailman/listinfo/hyperledger-tsc




Ash <ash@...>
 

We've been doing static and we want to gate our gerrit check-ins, pending a scan. We're kinda taking a stepping stone approach, currently. You can see here where we are hashing out our thought process.  

So, this is in process for our Danube release, which is scheduled for early May. 

On Fri, Dec 16, 2016 at 8:27 AM, Christopher Ferris <chris.ferris@...> wrote:
Ash,

This is awesome! Thanks for the offer to help. I was exploring getting scanning integrated into CI, myself. We do this internally but one of the things we lack is static analysis of Go, as our toolset doesn't cover Go.

I reviewed the badging criteria and at least from a process perspective, think we are in pretty good shape. I have someone looking at the crypto-specific criteria because we have quite a bit. I fully expect that we'll need some remediation;-)

Aside from static scanning, were there any other changes that OpenNFV made to their CI? 

Chris

On Fri, Dec 16, 2016 at 10:35 AM, Ash <ash@...> wrote:
Hi Brian, Chris, et al,

I'm still new to the Hyperledger community, but would like to help with CII Badging. I was part of the core team in OPNFV and am currently implementing the scanning into our CI pipeline. Also working with 3rd parties, who aren't CII Badged, on their scanning, etc.

Best,

Ash

On Thu, Dec 1, 2016 at 8:01 PM, Brian Behlendorf via hyperledger-tsc <hyperledger-tsc@...dger.org> wrote:
This apparently was received truncated by some, though the archives have it in full, so resending now just in case others did not get the full message.

Brian


From: Brian Behlendorf <bbehlendorf@...rg>
Sent: December 1, 2016 11:57:58 PM GMT+02:00
To: "'hyperledger-tsc@...edger.org'" <hyperledger-tsc@...dger.org>
Subject: Core Infrastructure Initiative - Security Badge

As mentioned on today's call, as a way to telegraph publicly our community's commitment to secure coding practices, we may want to consider adopting the Core Infrastructure Initiatives's Badge Program for the entirety of Hyperledger, for all projects that have graduated from the incubator.  The badge program is described here:

https://www.coreinfrastructure.org/programs/badge-program

and the criteria are documented here:


-- 
Brian Behlendorf
Executive Director, Hyperledger
bbehlendorf@...g
Twitter: @brianbehlendorf

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

_______________________________________________
hyperledger-tsc mailing list
hyperledger-tsc@...ger.org
https://lists.hyperledger.org/mailman/listinfo/hyperledger-tsc