
GSoC 2024: Adapting to Google Open Source Security Rules, Policies, standards #470

Open
henrykironde opened this issue Mar 13, 2024 · 11 comments


@henrykironde (Contributor) commented Mar 13, 2024

An example of a project using OSSF:

Project | Pipeline source code | Results visualized
NumPy | actions yaml file | Logs

  • Inclusion of support for Fuzzing via OSS-Fuzz, or expansion of fuzzing coverage where already present.
  • Remediation of known vulnerabilities.
  • Enhancement of build/release security by automating builds and releases, incorporating build provenance, implementing signing procedures, and improving reproducibility.
  • Enhancement of OpenSSF Scorecard scores for projects.

Ref: https://github.com/ossf/scorecard?tab=readme-ov-file

@matthewfeickert commented Mar 16, 2024

Hi. 👋 Responding to the "Adapting to Google Open Source Security Rules, Policies, standards" email, the pyhf team's repository of choice is https://github.com/scikit-hep/pyhf. I (@matthewfeickert) will be the mentor from our team.

(We'll additionally propagate the security enhancements applied to our repo out to the other projects in the https://github.com/scikit-hep/ GitHub org. 👍)

@fonnesbeck (Contributor) commented:

Submitting PyMC and PyMC Examples for security checks. Feel free to contact me directly!

@fcollonval (Contributor) commented Mar 18, 2024

I'll be the contact point for JupyterLab security checks. I started the submission for the OpenSSF best practices badge.

@MatthewMiddlehurst (Contributor) commented Mar 18, 2024

Hello, I am the contact point for aeon. Feel free to send me an email, direct message or @ me on GitHub.

@CAM-Gerlach (Member) commented:

Hello! After discussion with our lead maintainer @ccordoba12, Spyder (https://github.com/spyder-ide/spyder) would like to participate! I, @CAM-Gerlach, will be the contact and mentor for it. I was actually just looking into implementing and certifying the OpenSSF best practices myself for Spyder and related repos that we are the maintainers of; ideally at least https://github.com/spyder-ide/spyder-kernels, https://github.com/spyder-ide/qtpy, https://github.com/spyder-ide/qtawesome, https://github.com/python-lsp/python-lsp-server, and https://github.com/jupyter/qtconsole, all of which are core dependencies of Spyder and (besides Spyder-Kernels) all widely depended upon by other projects in the scientific ecosystem and beyond. I've been wanting to add many of those things (security linting, Trusted Publishers release pipeline, etc.) anyway, so this is a perfect opportunity to have some help from an expert in that area. Thanks!

@isidorostsa commented:

Hello, I, along with @Pansysk75, will be the point of contact for HPX. Looking forward to this project :)

@PatriceJada commented:

Hello @di,
I am interested in working on this project. I am submitting my proposal, and I was wondering if you are able to increase the number of hours to a large project based on the number of repos that are involved.

@yugalkaushik commented:

Hi, I am interested in working on a project for Matplotlib, but I have not been able to contact the mentors of that project for many months. If anyone would help me with it, feel free to contact me at [email protected]

@agriyakhetarpal commented Apr 21, 2024

Hi, we are from PyBaMM (https://pybamm.org/), a NumFOCUS-sponsored project, and we would love to opt in to this initiative for the main PyBaMM repository. If this is still in, and remains in, the ambit over the next few months, the relevant resource to contact would be me (@agriyakhetarpal), and @Saransh-cpp would like to act as an additional contact person; both of us serve as maintainers at the time of writing. We would love to help the mentee navigate through our repository and let them propose infrastructure-related changes in line with modern-day security practices in order to build up our scorecard.


10 participants