Difference between revisions of "CII Badge Program Checklist"
Lars.kurth (talk | contribs) (→FLOSS License) |
Lars.kurth (talk | contribs) (Added Change Control section) |
||
| Line 57: | Line 57: | ||
<em>Besides in-tree documentation as highlighted earlier, the project has an entire website and wiki dedicated to documentation. See [http://wiki.xenproject.org/ http://wiki.xenproject.org/] and [http://www.xenproject.org/ http://www.xenproject.org/]</em> |
<em>Besides in-tree documentation as highlighted earlier, the project has an entire website and wiki dedicated to documentation. See [http://wiki.xenproject.org/ http://wiki.xenproject.org/] and [http://www.xenproject.org/ http://www.xenproject.org/]</em> |
||
| + | == Change Control == |
||
| − | <!-- |
||
| − | Public version-controlled source repository |
+ | === Public version-controlled source repository === |
| − | The project MUST have a version-controlled source repository that is publicly readable and has a URL. |
+ | {{Tick}}The project MUST have a version-controlled source repository that is publicly readable and has a URL. <br> |
| + | <em>Repositories are at [http://xenbits.xen.org/gitweb/ http://xenbits.xen.org/gitweb/]</em> |
||
| − | Repo public justification |
||
| − | The source repository MUST track what changes were made, who made the changes, and when the changes were made. |
+ | {{Tick}}The source repository MUST track what changes were made, who made the changes, and when the changes were made.<br> |
| − | Uses git to track |
+ | <em>Uses git to track.</em> |
| − | Repo track justification |
||
| − | To enable collaborative review, the project's source repository MUST include interim versions for review between releases; it MUST NOT include only final releases. |
+ | {{Tick}}To enable collaborative review, the project's source repository MUST include interim versions for review between releases; it MUST NOT include only final releases. <br> |
| − | Interim versions are put on git, not just final versions. |
+ | <em>Interim versions are put on git, not just final versions.</em> |
| − | Repo interim justification |
||
| + | {{Tick}}It is SUGGESTED that common distributed version control software be used (e.g., git). <br> |
||
| + | <em>Uses git.</em> |
||
| + | === Version numbering === |
||
| − | It is SUGGESTED that common distributed version control software be used (e.g., git). [repo_distributed] Show details |
||
| − | Uses git. |
||
| − | Repo distributed justification |
||
| + | {{Tick}}The project MUST have a unique version number for each release intended to be used by users. <br> |
||
| − | Version numbering |
||
| + | <em>The primary single user uses git commit records to identify releases.</em> |
||
| + | {{Tick}}It is SUGGESTED that the Semantic Versioning (SemVer) format be used for releases. <br> |
||
| − | The project MUST have a unique version number for each release intended to be used by users. [version_unique] |
||
| + | <em>Major changes are recorded using Semantic Versioning (SemVer), beginning with version 2.0.0</em> |
||
| − | The primary single user uses git commit records to identify releases. |
||
| − | Version unique justification |
||
| + | {{Tick}}It is SUGGESTED that projects identify each release within their version control system. For example, it is SUGGESTED that those using git identify each release using git tags. </em> |
||
| − | It is SUGGESTED that the Semantic Versioning (SemVer) format be used for releases. [version_semver] Show details |
||
| + | <em>Full releases are tagged using 'git tag'.</em> |
||
| − | Major changes are recorded using Semantic Versioning (SemVer), beginning with version 0.8.0. |
||
| − | Version semver justification |
||
| + | === Release Notes (ChangeLog) === |
||
| − | It is SUGGESTED that projects identify each release within their version control system. For example, it is SUGGESTED that those using git identify each release using git tags. [version_tags] |
||
| − | Full releases are tagged using 'git tag'. |
||
| − | Version tags justification |
||
| + | {{Tick}}The project MUST provide, in each release, release notes that are a human-readable summary of major changes in that release. <br> |
||
| − | Release Notes (ChangeLog) |
||
| + | <em>Release notes for major and minor releases are available from download pages, e.g. [http://xenproject.org/downloads/xen-archives/xen-46-series/xen-460.html http://xenproject.org/downloads/xen-archives/xen-46-series/xen-460.html] and [http://xenproject.org/downloads/xen-archives/xen-46-series/xen-461.html http://xenproject.org/downloads/xen-archives/xen-46-series/xen-461.html].</em> |
||
| + | {{Tick}}The release notes MUST identify every publicly known vulnerability that is fixed in each new release. <br> |
||
| + | <em>We do this explicitly for point releases (e.g. [http://xenproject.org/downloads/xen-archives/xen-46-series/xen-461.html http://xenproject.org/downloads/xen-archives/xen-46-series/xen-461.html]). However, we do not explicitly list fixed vulnerabilities for major releases which by default contain fixes for all known vulnerabilities as listed in [http://xenbits.xen.org/xsa/ http://xenbits.xen.org/xsa/] up to the release date, unless there has been an oversight (note that this has not happened yet), in which case this would be stated in release notes.</em> |
||
| + | <!-- |
||
| − | The project MUST provide, in each release, release notes that are a human-readable summary of major changes in that release. (URL required)[release_notes] Show details |
||
| + | == Reporting == |
||
| − | |||
| + | === Bug reporting process === |
||
| − | |||
| + | {{Tick}}The project MUST provide a process for users to submit bug reports (e.g., using an issue tracker or a mailing list). <br> |
||
| − | Release notes justification |
||
| + | [http://wiki.xenproject.org/wiki/Reporting_Bugs_against_Xen_Project http://wiki.xenproject.org/wiki/Reporting_Bugs_against_Xen_Project] |
||
| − | The release notes MUST identify every publicly known vulnerability that is fixed in each new release. [release_notes_vulns] |
||
| − | We do this explicitly for point releases, but not for major releases which by default contain fixes for all known vulnerabilities. As such, we don’t explicitly list what has been fixed in a major release. |
||
| − | Bug reporting process |
||
| − | The project MUST provide a process for users to submit bug reports (e.g., using an issue tracker or a mailing list). (URL required) [report_process] |
||
| − | Report process justification |
||
The project SHOULD use an issue tracker for tracking individual issues. [report_tracker] |
The project SHOULD use an issue tracker for tracking individual issues. [report_tracker] |
||
Revision as of 11:01, 15 June 2016
- Overview at https://www.coreinfrastructure.org/programs/badge-program
- Existing submissions are at https://bestpractices.coreinfrastructure.org/projects
- Example of a certifying submission at https://bestpractices.coreinfrastructure.org/projects/1 (multiple tabs)
Draft of submission, including some open issues and questions below.
Contents
Basics
Basic Project Website Content
✓ The project website MUST succinctly describe what the software does (what problem does it solve?).
The Xen ProjectTM is the leading open source virtualization platform that is powering some of the largest clouds in production today. Amazon Web Services, Aliyun, Rackspace Public Cloud, Verizon Cloud and many hosting services use Xen Project software. Plus, it is integrated into multiple cloud orchestration projects like OpenStack.
✓ The project website MUST provide information on how to: obtain, provide feedback (as bug reports or enhancements), and contribute to the software.
http://wiki.xenproject.org/wiki/Reporting_Bugs_against_Xen_Project
http://xenproject.org/help/contribution-guidelines.html
✓ The information on how to contribute MUST explain the contribution process (e.g., are pull requests used?)
http://xenproject.org/developers/governance.html
http://xenproject.org/help/contribution-guidelines.html
✓ The information on how to contribute SHOULD include the requirements for acceptable contributions (e.g., a reference to any required coding standard).
http://wiki.xenproject.org/wiki/Submitting_Xen_Project_Patches
FLOSS License
✓ What license(s) is the project released under?
Mostly GPLv2 with some files being released under more permissive licenses to allow interaction with other open source projects
✓ The software MUST be released as FLOSS.
The project is mostly GPLv2, with some exceptions which all must be be OSI approved licenses.
✓It is SUGGESTED that any required license(s) be approved by the Open Source Initiative (OSI).
The project is mostly GPLv2, with some exceptions which all must be be OSI approved licenses.
✓The project MUST post license(s) in a standard location.
http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=COPYING
Other repositories by the project also have a COPYING file in the top level of the tree
Documentation
✓The project MUST provide basic documentation for the software.
The project creates man pages and other documentation via http://xenbits.xen.org/docs/
✓The project MUST include reference documentation that describes its interface.
http://xenbits.xen.org/docs/ contains interface definitions, protocol specifications, designs, ...
Other
✗The project sites (website, repository, and download URLs) MUST support HTTPS using TLS.
This is in progress via ticket "[OSSC #77650] Migrating Xen Project websites from http to https"
Notes:
- xenbits.xenproject.org, wiki.xenproject.org, lists.xenproject.org, downloads.xenproject.org are straightforward and can be done by Credativ
- blog.xenproject.org is already done, but does not redirect
- xenproject.org will have to be done via cloudaccess.net at an additional cost of USD 100 per year
- bits.xensource.com does have an https variant without redirect and we do not know who controls the Akamai instance: download links from xenproject.org should use https rather than http
✓The project MUST have one or more mechanisms for discussion (including proposed changes and issues) that are searchable, allow messages and topics to be addressed by URL, enable new people to participate in some of the discussions, and do not require client-side installation of proprietary software.
http://www.xenproject.org/help/mailing-list.html
✓The project SHOULD include documentation in English and be able to accept bug reports and comments about code in English.
Besides in-tree documentation as highlighted earlier, the project has an entire website and wiki dedicated to documentation. See http://wiki.xenproject.org/ and http://www.xenproject.org/
Change Control
Public version-controlled source repository
✓The project MUST have a version-controlled source repository that is publicly readable and has a URL.
Repositories are at http://xenbits.xen.org/gitweb/
✓The source repository MUST track what changes were made, who made the changes, and when the changes were made.
Uses git to track.
✓To enable collaborative review, the project's source repository MUST include interim versions for review between releases; it MUST NOT include only final releases.
Interim versions are put on git, not just final versions.
✓It is SUGGESTED that common distributed version control software be used (e.g., git).
Uses git.
Version numbering
✓The project MUST have a unique version number for each release intended to be used by users.
The primary single user uses git commit records to identify releases.
✓It is SUGGESTED that the Semantic Versioning (SemVer) format be used for releases.
Major changes are recorded using Semantic Versioning (SemVer), beginning with version 2.0.0
✓It is SUGGESTED that projects identify each release within their version control system. For example, it is SUGGESTED that those using git identify each release using git tags. Full releases are tagged using 'git tag'.
Release Notes (ChangeLog)
✓The project MUST provide, in each release, release notes that are a human-readable summary of major changes in that release.
Release notes for major and minor releases are available from download pages, e.g. http://xenproject.org/downloads/xen-archives/xen-46-series/xen-460.html and http://xenproject.org/downloads/xen-archives/xen-46-series/xen-461.html.
✓The release notes MUST identify every publicly known vulnerability that is fixed in each new release.
We do this explicitly for point releases (e.g. http://xenproject.org/downloads/xen-archives/xen-46-series/xen-461.html). However, we do not explicitly list fixed vulnerabilities for major releases which by default contain fixes for all known vulnerabilities as listed in http://xenbits.xen.org/xsa/ up to the release date, unless there has been an oversight (note that this has not happened yet), in which case this would be stated in release notes.
