GNU social JP
Conversation

Notices

    Jeff Triplett (webology@mastodon.social)'s status on Saturday, 06-Apr-2024 20:14:37 JST

    🔥 An update on OpenSSF's XZ fumble: https://micro.webology.dev/2024/04/01/an-update-on.html


      🔥 An update on OpenSSF's XZ fumble
      from Jeff Triplett
      OpenSSF’s Scorecards is Going Just Great 🔥 While I’m happy that OpenSSF updated their blog post to remove all mentions of their scorecards, they forgot to mention why, apologize, or publicly acknowledge that they messed up. Since they rushed their first blog post and spent so little time on it, I wanted to point out the changes and equally spend very little time on why their scorecard is actively harmful to projects that handle security well.
      Jeff Triplett (webology@mastodon.social)'s status on Saturday, 06-Apr-2024 20:14:35 JST
      in reply to Seth Larson

      @sethmlarson I don't believe grepping for "pip install" and then failing is useful or healthy for anyone, which is what those sections appear to be pointing out.

      I get that this is a hard problem to know the right context and to differentiate, which is why many of us are pointing out that it's a bad tool.

      A bad tool is one we can't trust or that commonly reports false positives, which is where we are at.

      Jeff Triplett (webology@mastodon.social)'s status on Saturday, 06-Apr-2024 20:14:36 JST
      in reply to Seth Larson

      @sethmlarson Django was also dinged because of their security details because the file includes a link to the website.

      Some points for the filename existing, so GitHub's API can pick up on it.

      Negative points for keywords not existing because the file is a URL that appears to be on the external website.

      🤷

      Seth Larson (sethmlarson@fosstodon.org)'s status on Saturday, 06-Apr-2024 20:14:37 JST
      in reply to

      @webology Pinned dependencies is one of the metrics I'd consider to be actually helpful, usually trips on GitHub Workflows and pip commands not being pinned commits/hashes which for release workflows should be pinned. Test/quality workflows though probably are okay to be unpinned, hard to differentiate though.

      "CII Best Practices" is a checklist of things that can never be automated, so yeah I don't love that metric.

      Jeff Triplett (webology@mastodon.social)'s status on Saturday, 06-Apr-2024 20:14:37 JST
      in reply to Seth Larson

      @sethmlarson The context matters 💯

      Flask runs a `pip install -e . ` to install itself to run tests. This gets a negative mark.

      Same for running `pip install -U pip` to always be on the latest pip.

      I don't know how someone may reasonably pin those.

      They also get tripped up on locked Python dependencies via `pip install -r locked-filename.txt`.

      These aren't helpful.

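The pinning check Seth describes and the false positives Jeff lists (`pip install -e .`, `pip install -U pip`, `pip install -r locked-filename.txt`) can be made concrete with a small checker. The following is an added example, not Scorecard's code and not from anyone in this thread: a stdlib-only Python audit that reads `uses:` and `run:` steps out of a GitHub Actions workflow, treats a `uses:` reference as pinned only when it is a full 40-hex commit SHA, and classifies each `pip install` by its context instead of failing on the bare string. The sample workflow, the commit SHA placeholder and the requirements-file contents are constructed for illustration.

```python
"""Context-aware pinned-dependency audit for GitHub Actions workflows.

Added example (not OpenSSF Scorecard's implementation). The workflow text,
the commit SHA and the requirements file below are constructed sample data.
"""
import re
import shlex

# Constructed sample workflow containing the patterns discussed in the thread.
SAMPLE_WORKFLOW = """
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
  - run: pip install -U pip
  - run: pip install -e .
  - run: pip install -r requirements/locked.txt
  - run: pip install requests
  - run: pip install requests==2.31.0
"""

# Constructed contents of the requirements file referenced by the workflow;
# a real audit would read these from the repository checkout.
SAMPLE_REQUIREMENTS = {
    "requirements/locked.txt": "requests==2.31.0 \\\n    --hash=sha256:<placeholder>\n",
}

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Only these classes are worth a negative mark; the rest are either already
# pinned or have nothing meaningful to pin.
ACTIONABLE = {"unpinned", "unpinned-requirements", "requirements-unreadable"}


def classify_uses(target):
    """'owner/repo@ref' is pinned only if ref is a full commit SHA, not a tag."""
    _, _, ref = target.rpartition("@")
    return "pinned" if FULL_SHA_RE.match(ref) else "unpinned"


def classify_pip(cmd, requirements):
    """Classify a shell command; anything that is not `pip install` is skipped."""
    argv = shlex.split(cmd)
    if argv[:2] != ["pip", "install"]:
        return "not-pip-install"
    args = argv[2:]
    if "-e" in args or "--editable" in args:
        # The project installing itself for its own tests: nothing external to pin.
        return "editable-local"
    for flag in ("-r", "--requirement"):
        if flag in args:
            path = args[args.index(flag) + 1]
            text = requirements.get(path)
            if text is None:
                return "requirements-unreadable"
            # A lock file with --hash entries is the strongest form of pinning.
            return "pinned-hashes" if "--hash=" in text else "unpinned-requirements"
    pkgs = [a for a in args if not a.startswith("-")]
    if pkgs == ["pip"] and ("-U" in args or "--upgrade" in args):
        # Upgrading the installer itself floats to latest by design.
        return "tooling-upgrade"
    if pkgs and all("==" in p for p in pkgs):
        return "pinned-version"
    return "unpinned"


def audit_workflow(text, requirements):
    """Return (kind, target, classification) for every uses:/run: step."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- uses:"):
            target = line.split(":", 1)[1].strip()
            findings.append(("uses", target, classify_uses(target)))
        elif line.startswith("- run:"):
            cmd = line.split(":", 1)[1].strip()
            findings.append(("run", cmd, classify_pip(cmd, requirements)))
    return findings


def actionable(findings):
    """Keep only the findings a maintainer could reasonably act on."""
    return [f for f in findings if f[2] in ACTIONABLE]


if __name__ == "__main__":
    for kind, target, verdict in audit_workflow(SAMPLE_WORKFLOW, SAMPLE_REQUIREMENTS):
        print(f"{verdict:24} {kind}: {target}")
```

Run on the sample, only the `actions/checkout@v4` tag and the bare `pip install requests` come back as actionable; the editable install, the pip self-upgrade and the hash-locked requirements file are recognised as such rather than counted against the project. Whether an unpinned step in a test-only workflow should be flagged at all is the remaining judgement call Seth mentions, and this checker does not try to make it.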
      jacobian (jacob@social.jacobian.org)'s status on Saturday, 06-Apr-2024 20:14:42 JST
      in reply to

      @webology holy shit I just noticed that one of the factors that contributes to the score is whether you put their badge in your README. Total fucking garbage.


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.