Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initiative for CII-Best-Practices for Nodejs Projects #953

Open
3 of 7 tasks
UlisesGascon opened this issue Apr 16, 2023 · 33 comments
Open
3 of 7 tasks

Initiative for CII-Best-Practices for Nodejs Projects #953

UlisesGascon opened this issue Apr 16, 2023 · 33 comments

Comments

@UlisesGascon
Copy link
Member

UlisesGascon commented Apr 16, 2023

As commented in #884 seems like there is an interest to explore this idea.

Context

I discovered that we already completed the process for Nodejs, last update at 2016-05-19.

I believe we can review the current status and check if we need to update some of the answers. Also it might be quite interesting to see if we can achieve Silver or Gold level.

More information in OpenSSF Best Practices Badge Program

Next steps

@UlisesGascon
Copy link
Member Author

@rvagg can you add me to the https://bestpractices.coreinfrastructure.org/en/projects/29? We will need to make some changes soon in order to merge #954

@rvagg
Copy link
Member

rvagg commented Jun 22, 2023

Sorry @UlisesGascon, this one fell off my notification list in my general cull of incoming notifications, only an email from @mhdawson pointed me to it.

Entry created on 2015-11-02

This is a lifetime ago, so it's something expunged from my memory, I clicked through to the page wondering why I was being pinged about it .. but my name's on it! Project #29 in CII Best Practices, I remember now when that thing started and thinking it was a good idea .. early adopters!

I actually can't find any place where I can "add" or even transfer the thing, it looks like it's just me. I guess we could email and ask them to transfer it to someone else? Or if you want to list items that you want to edit in this thread I could go and do them. Lots of stuff to fill out for Silver and Gold but if you want to tell me which ones to tick I could go and do that.

@UlisesGascon
Copy link
Member Author

Thanks @rvagg for the update, seems like we are early adopters 😃

I actually can't find any place where I can "add" or even transfer the thing, it looks like it's just me. I guess we could email and ask them to transfer it to someone else? Or if you want to list items that you want to edit in this thread I could go and do them. Lots of stuff to fill out for Silver and Gold but if you want to tell me which ones to tick I could go and do that.

I was not able to find it as well, so I guest this feature is not yet implement. Can you help us to update the records for the entry level form? In the PR #954 we discussed about what should be included. By comparing the first and the last commit https://github.com/nodejs/security-wg/compare/84945b0..1eeb152 it will be easier to visualize what has change from the current responses.

If you prefer me to do it, you can share your credentials with us (if you are using user/pass login) in the private repository 👍

We are working now in the Silver questionary in #955

@rvagg
Copy link
Member

rvagg commented Jun 23, 2023

if you are using user/pass login

GitHub login unfortunately!

Next problem is that their form doesn't work! I can edit "passing" and "gold" but not "silver", when I go to the edit link (https://bestpractices.coreinfrastructure.org/en/projects/29/edit?criteria_level=1) it redirects back to https://bestpractices.coreinfrastructure.org/en.

I'll email them and also see if I can convert the login to user/pass or add people to it, or something.

@rvagg
Copy link
Member

rvagg commented Jun 23, 2023

Opened coreinfrastructure/best-practices-badge#1983 about the edit problem, emailed them about the login setup.

@rvagg
Copy link
Member

rvagg commented Jun 23, 2023

... and coreinfrastructure/best-practices-badge#1984 about email problems

@rvagg
Copy link
Member

rvagg commented Jun 28, 2023

Passing criteria all updated to match the diff now.
Silver editing got fixed so I should be able to do that too when needed.

@mhdawson
Copy link
Member

@rvagg thanks for opening those issues. Does it make sense to open an issue asking how we transfer ownership so that you don't need to be in the loop?

@rvagg
Copy link
Member

rvagg commented Jun 29, 2023

I asked via email, no response yet.

@mhdawson
Copy link
Member

k thanks.

@UlisesGascon
Copy link
Member Author

Hi @rvagg! Good news! The silver responses are ready in b93ef8e. Can you help us to add them in the website?

@rvagg
Copy link
Member

rvagg commented Aug 22, 2023

I've done the updates, but as I noted in the commit all of the entries require justification - text and/or a URL, I stopped commenting in the commit because there's so many without. Even the N/A ones want justification. But I found I could submit without filling those out, even though they said "Required", but now on the page you should see lots of Warning: Requires lengthier justification.

@UlisesGascon
Copy link
Member Author

Thanks @rvagg I will re-check all the responses and add the missing URLs/texts.

@UlisesGascon
Copy link
Member Author

Opened coreinfrastructure/best-practices-badge#1983 about the edit problem, emailed them about the login setup.

Did they confirm if is possible to transfer the ownership, @rvagg?

@rvagg
Copy link
Member

rvagg commented Apr 14, 2024

No response to email I sent in June to cii-badges-questions@lists.coreinfrastructure.org; does someone here want to follow up and figure out how best to get in touch with these guys? Loop me in and I'm happy to confirm that I approve of transferring ownership. Opening a GitHub issue might be an alternative approach.

@UlisesGascon
Copy link
Member Author

does someone here want to follow up and figure out how best to get in touch with these guys?

Let me see if I got a better luck, I am also in the OSSF Slack, so maybe I can make some progress 👍

@david-a-wheeler
Copy link

david-a-wheeler commented Apr 24, 2024

Hi! I'm sorry, I didn't see your requests before!! Please let me try to fix things, now that you have my attention!!

No response to email I sent in June to cii-badges-questions@lists.coreinfrastructure.org; does someone here want to follow up and figure out how best to get in touch with these guys? Loop me in and I'm happy to confirm that I approve of transferring ownership. Opening a GitHub issue might be an alternative approach.

Oh no! I'm sorry. We never saw those messages. We stopped supporting the email address cii-badges-questions@lists.coreinfrastructure.org a while ago, and it's not listed on the bestpractices.dev website. There was too much spam, it doesn't track things, it doesn't allow comments by others, and so on. I guess since you were early adopters you had that old email address and kept using it. The current requested approach is to open a GitHub issue (that's the process we recommend at the bottom of every page of the website). If we don't respond, you can also email me directly (I'm technical lead). That is dwheeler AT linuxfoundation DOT org and tell me to get going :-).

We'd be happy to transfer ownership! We just need the project numeric id, which is 29 for Nodejs, and the user id of the new owner (currently 24 for Rod Vagg). Normally the original owner and new owner have to approve, which we verify manually. GitHub verifies people's identities, so if Rod states the request in this issue (including who it goes to), or a new issue on our GitHub site, that'll work. If the new owner doesn't have an account on the best practices site, please create it. Ownership transfers have been rare, so we don't have an automated process for it yet.

You do not need to own the badge entry to be able to edit it. The owner can add anyone else as an authorized editor of the badge entry.

I've done the updates, but as I noted in the commit all of the entries require justification - text and/or a URL, I stopped commenting in the commit because there's so many without. Even the N/A ones want justification. But I found I could submit without filling those out, even though they said "Required", but now on the page you should see lots of Warning: Requires lengthier justification.

Yes, that's as intended. Especially at the silver & gold level, we don't just want assertions that something is true - we want evidence that it's true. In many cases we require a URL to point to the evidence (so you can update your documents using your usual processes, instead of mucking with the badge entry every thing). So you can say it's true, but it won't count until you point to the evidence. We don't need a PhD dissertation, just a pointer to evidence.

Anyway, sorry your emails got unintentionally blackholed. Now that we're talking with each other, we want to make it successful! A lot of people depend on Nodejs; we want you to be successful and show others your awesome results.

@rvagg
Copy link
Member

rvagg commented Apr 29, 2024

@david-a-wheeler

You do not need to own the badge entry to be able to edit it. The owner can add anyone else as an authorized editor of the badge entry.

Can you explain this a bit more? I haven't been able to find such an option, and I just went back and poked around and the only thing I seem to be able to do is edit my personal account info or the criteria for the project. Is this something I have to ask you or someone else with access to add?

I'd be fine transferring it entirely to someone from the TSC (https://github.com/nodejs/node#tsc-technical-steering-committee) or a proxy they're happy to own this. Or, if I can just add people, I'd add be happy to add any of the active people in this security working group (https://github.com/nodejs/security-wg?tab=readme-ov-file#current-project-team-members).

@david-a-wheeler
Copy link

You do not need to own the badge entry to be able to edit it. The owner can add anyone else as an authorized editor of the badge entry.

Can you explain this a bit more? I haven't been able to find such an option, and I just went back and poked around and the only thing I seem to be able to do is edit my personal account info or the criteria for the project. Is this something I have to ask you or someone else with access to add?

Gladly! Every badge entry has an "owner" but possibly many "editors". The owner or editors can add new editors. This is only visible when you edit the passing badge (most people don't care about who the editors are). After logging in, you can go here: https://www.bestpractices.dev/en/projects/29/edit?criteria_level=0

And drop to: (Advanced) What other users have additional rights to edit this badge entry? Currently: []

One thing we haven't implemented automatically is ownership changes. We can do that for you, but that's something we have to do manually (it's really rare, which is why we don't have an online mechanism for it yet).

I'd be fine transferring it entirely to someone from the TSC (https://github.com/nodejs/node#tsc-technical-steering-committee) or a proxy they're happy to own this. Or, if I can just add people, I'd add be happy to add any of the active people in this security working group (https://github.com/nodejs/security-wg?tab=readme-ov-file#current-project-team-members).

That's entirely up to you! Let us know what you want, we'll make it happen. Basically, tell us who the "owner" should be. You can then add whoever should be editor (though we can set up a starter set to make your life easy).

@rvagg
Copy link
Member

rvagg commented Apr 29, 2024

great, got it! @UlisesGascon do you want editorship? Can you make an account on https://www.bestpractices.dev/ and give me your "user id" (I think that's the integer representing your account).

@UlisesGascon
Copy link
Member Author

UlisesGascon commented Apr 30, 2024

do you want editorship?

Yeah! I think is 26967 based on this profile details.

@rvagg
Copy link
Member

rvagg commented Apr 30, 2024

cool, give that a go now @UlisesGascon, do you get the "Edit" on https://www.bestpractices.dev/en/projects/29 ?

@UlisesGascon
Copy link
Member Author

Yes! It is working, I can edit now 🥳

@david-a-wheeler
Copy link

Excellent! If there's something you need us to do, have questions, etc., just let us know.

@mhdawson
Copy link
Member

mhdawson commented May 1, 2024

@david-a-wheeler can we create a nodejs-tsc account on https://www.bestpractices.dev and then have @rvagg transfer ownership over to that user? That would allow us to best manage this going forward. We can have editors like @UlisesGascon who manage our updates, and the nodejs-tsc acount would allow us to recover, add new editors if/when that is needed.

Copy link
Contributor

github-actions bot commented Aug 6, 2024

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

Copy link
Contributor

github-actions bot commented Nov 5, 2024

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

@github-actions github-actions bot added the stale label Nov 5, 2024
@ljharb
Copy link
Member

ljharb commented Nov 5, 2024

i guess the “never stale” label isn’t respected

@RafaelGSS
Copy link
Member

I think it was because the label was named with a dash (-) -- never-stale instead of never stale. I have just fixed it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants