2026 Q1 TAC Update of the BEST WG #563
Conversation
Signed-off-by: Georg Kunz <georg.kunz@ericsson.com>
steiza
left a comment
Thanks for the update! A few minor questions about links, service funding, and Scorecard checks.
TI-reports/2026/2026-Q1-BEST-WG.md
Outdated
| * [C/C++ Compiler Option Hardening](https://github.com/ossf/tac/diffs/0?base_sha=eed2ae23a0d8a2e5b18d9bcdeeb7fa40b75ac241&branch=87769be64cb25d5808e856910370771544fbe4e6&commentable=true&head_user=gkunz&name=87769be64cb25d5808e856910370771544fbe4e6&pull_number=423&qualified_name=87769be64cb25d5808e856910370771544fbe4e6&sha1=eed2ae23a0d8a2e5b18d9bcdeeb7fa40b75ac241&sha2=87769be64cb25d5808e856910370771544fbe4e6&short_path=409950f&unchanged=expanded&w=false#cc-compiler-option-hardening-guide) | ||
| * [Python Secure Coding Guide](https://github.com/ossf/tac/diffs/0?base_sha=eed2ae23a0d8a2e5b18d9bcdeeb7fa40b75ac241&branch=87769be64cb25d5808e856910370771544fbe4e6&commentable=true&head_user=gkunz&name=87769be64cb25d5808e856910370771544fbe4e6&pull_number=423&qualified_name=87769be64cb25d5808e856910370771544fbe4e6&sha1=eed2ae23a0d8a2e5b18d9bcdeeb7fa40b75ac241&sha2=87769be64cb25d5808e856910370771544fbe4e6&short_path=409950f&unchanged=expanded&w=false#python-secure-coding-guide) |
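Review bot: both guide links in this hunk point at a GitHub compare view (`https://github.com/ossf/tac/diffs/0?base_sha=...&pull_number=423...`) rather than at the guides themselves; those URLs only resolve inside the PR review UI for pull request 423 and will be dead in the published report. Replace each with the canonical URL of the C/C++ Compiler Option Hardening guide and the Python Secure Coding Guide so TAC readers can reach the documents directly.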
These links don't work for me - they seem to be in the ossf/tac repo?
Sorry, not sure what happened here. I'll replace the broken links with proper ones.
| * The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice. | ||
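Review bot: the bullet refers to "this web application" without naming or linking it, which reads as text copied from the badge site's own description; in a standalone TAC report the reader has no way to follow it. Name the Best Practices badge site and link to it, e.g. "by using the Best Practices badge web application (<link>)".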
| #### **Status Update** |
In the meeting, should we talk a little bit about the Best Practices service and how it's being funded?
I don't actually know the details. @david-a-wheeler would be the best person to elaborate on this.
| * Discussions with the TAC and OpenSSF staff ongoing regarding funding of hosted services. | ||
| * Scorecard audit completed: [https://openssf.org/blog/2025/10/10/openssf-scorecard-audit-is-complete/](https://openssf.org/blog/2025/10/10/openssf-scorecard-audit-is-complete/) | ||
| * Work on new checks is ongoing |
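Review bot: the last bullet, "Work on new checks is ongoing", gives no pointer to where that work is tracked, unlike the preceding Scorecard audit bullet which links the announcement post; without a link or a short list of the checks in progress the TAC cannot follow up. Consider adding the tracking issue or milestone, or naming the checks being worked on.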
This might be a question for the Scorecard project directly, but do we have a sense of whether there are plans in 2026 to revisit some of the checks from 2020 based on community feedback? In particular the critical / high risk checks, like:
- https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow (critical) differentiating between workflow permissions and per-job permissions
- https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained (high) differentiating between maintained and actively developed
Signed-off-by: Georg Kunz <georg.kunz@ericsson.com>
| #### **Up Next** | ||
| * Continue working on roadmap \+ funding situation |
At the risk of sounding like a broken record, I have to say again that I hope the roadmap will include exploring how Scorecard can integrate with the BP badge.