Many projects these days are recording progress wrt CII best practices for FLOSS projects. I filled out a record for QEMU:

  https://bestpractices.coreinfrastructure.org/projects/1309

I only looked at the 'Passing' criteria, and have not considered the 'Silver' and 'Gold' criteria. So if anyone else wants to contribute, register an account there and tell me the username, whereupon I can add you as a collaborator.

Two items I don't think QEMU achieves for the basic "Passing" criteria:

 - The release notes MUST identify every publicly known vulnerability that is fixed in each new release.

   I don't see a list of CVEs mentioned in our release Changelogs, or indeed a historic list of CVEs anywhere, even outside the release notes?

 - It is SUGGESTED that if the software produced by the project includes software written using a memory-unsafe language (e.g., C or C++), then at least one dynamic tool (e.g., a fuzzer or web application scanner) be routinely used in combination with a mechanism to detect memory safety problems such as buffer overwrites.

   NB this is not 'coverity', which falls under the 'static analysis' group. I'm unclear if anyone in the community does regular fuzzing or analysis with ASAN & equiv? If I'm wrong just say....

There are many questions under the Silver/Gold level we likely don't meet, and some of them start to get quite opinionated about the way a project should be run, so IMHO it's not unreasonable to say we're not going to aim for perfection in this respect.

Regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|