generated from ossf/project-template
-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Ben Cotton <[email protected]>
- Loading branch information
1 parent
6adf8bb
commit 33d1156
Showing
5 changed files
with
42 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| docs/versions/devel.md |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| # Open Source Security Baseline | ||
|
|
||
| The Open Source Project Security Baseline (OSPS Baseline) is designed to act as a minimum definition of requirements for a project relative to it's maturity level. | ||
| It is maintained by the [OpenSSF Security Baseline SIG](https://github.com/ossf/security-baseline/blob/main/governance/MAINTAINERS.md) according to the [project governance documentation](https://github.com/ossf/security-baseline/blob/main/governance/GOVERNANCE.md). | ||
|
|
||
| ## Versions | ||
|
|
||
| Previous versions are presented for historical reference. | ||
| Downstream consumers of the OSPS Baseline should specify their compliance against a specific version. | ||
| Only the version labeled as "current" should be used for new compliance efforts. | ||
|
|
||
| * [In-development version](docs/development) | ||
| * Current version: [v1.0]() released YYYY-MM-DD | ||
| * Previous versions: | ||
| * [v0.1] released YYYY-MM-DD | ||
|
|
||
| Versions are managed according to the [Baseline maintenance process](maintenance). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # OSPS Baseline Maintenance Process | ||
|
|
||
| * Normal text fixes to the criteria will be accepted via pull request and reviewed by the baseline project maintainers. | ||
| Allowed changes are corrections to spelling/typos, grammar corrections, or enhancements to the supplementary text supporting the criteria, including: Objective, Implementation, Control Mappings, and Scorecard/Insights values. | ||
| At least two project maintainers must review and approve these changes. | ||
| * Substantive changes to Criteria, including changes to text that alters the originally stated meaning, new Criteria proposals, or removal of Criteria will be documented in GitHub PR(s) and reviewed regularly by the Baseline project maintainers for inclusion in the next release. | ||
| These changes may reflect changes to global cybersecurity regulations and frameworks or changes in norms around application/project security practices. | ||
| Any such substantive changes must be approved by a majority of the project's maintainers. | ||
| * As appropriate, but at least annually, the Baseline project maintainers will evaluate the set of criteria and, if necessary, publish a new version of the Baseline. | ||
| Previous versions of the Baseline will remain available, but are stable and not subject to change, except for minor changes to fix technical or typographic errors. | ||
| * Any changes to the Baseline will be reflected within the Compliance Matrix, with new requirements flagged where the Baseline Criteria are appropriate. | ||
| * Versions will follow a calendar-based identification system, using the `YYYY-MM-DD` format. | ||
| * Downstream stakeholders will be notified via the project's mailing list on the changes and updates. | ||
|
|
||
| ## Identifiers | ||
|
|
||
| * Identifiers for retired criteria MUST NOT be reused. | ||
| Retired identifiers will remain in the source yaml files, clearly marked. | ||
| * Substantial changes to the meaning of a criterion will be treated as a new criterion, resulting in a new identifier. | ||
| Minor changes, including a change in level, between Baseline versions will not result in a new identifier. | ||
| * The numeric portion of identifiers are assigned sequentially per category. | ||
| They do not carry additional meaning. |