You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* Improve text on Packaging
Make various improvements to the text on packaging.
* The original text assumes that only software developers install software
packages, which is absurd; end-users install software packages all
the time.
* The original text seemed to assume that there are only
language-level packages, but system-level packages & containers
are a thing :-). At least acknowledge them.
Also, this doesn't make sense in some cases
(e.g., software specific to one website that's updated through commits,
or IoT software where there are no "packages" - you
upload the entire image); that should be admitted.
* Fix main text to stop using "you/your" to mean "project developer".
There are at least two *different* readers: (1) developers of the project
being measured and (2) potential users of the project being measured.
Many users of scorecard will be #2, they'll
reading scorecard results to decide if they want to use the software
being measured. So don't say "you" and assume that "you" means
project developers. I left "you" meaning "project developers"
inside remediation, under the assumption that this was remdediation
text for project developers.
To be fair, *users* of software can also sometimes
take remediation steps; that might be worth adding as its own
section if we text to add there (e.g., `user_remediation`).
I have intentionally not run `make generate-docs` as that would add other
irrelevant changes. Instead, after this PR is accepted there should be a
`make generate-docs` & a pull of *that*.
Signed-off-by: David A. Wheeler <[email protected]>
* Add note about filing an issue
Add note about filing an issue if scorecard fails to detect
the packaging mechanism, per review by @naveensrinivasan (thanks!).
Signed-off-by: David A. Wheeler <[email protected]>
Copy file name to clipboardExpand all lines: docs/checks/internal/checks.yaml
+27-3
Original file line number
Diff line number
Diff line change
@@ -363,16 +363,40 @@ checks:
363
363
Packaging:
364
364
risk: Medium
365
365
tags: supply-chain, security, releases
366
-
short: Determines if the project is published as a package that other developers can install/download.
366
+
short: Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.
367
367
description:
368
-
This check tries to determine if the project is published as a package that other developers can install/download.
368
+
This check tries to determine if the project is published as a package that others can easily download, install, easily update, and uninstall.
369
+
370
+
It's important that the project provide an easy way to
371
+
download, install, update, and uninstall the software.
372
+
It's particularly important to make it easy for users to
373
+
receive security patches as updates.
374
+
375
+
This is often done by creating a "package" that is
376
+
easy to install and uninstall by a package manager.
377
+
Many program language ecosystems have a generally-used packaging format
378
+
supported by a language-level package manager
379
+
tool and public package repository.
380
+
Many operating system platforms also have at least one package format,
381
+
tool, and public repository (in some cases the source repository
382
+
generates system-independent source packages, which are then
383
+
used by others to generate system executable packages).
384
+
Container images are yet another way to package software.
385
+
In some situations packaging is not sensible, but it's wise to package
386
+
software in so many circumstances that it's worth checking for it.
369
387
370
-
Packaging your project is essential for users to receive updates and security patches automatically.
371
388
A low score is considered `Medium` risk.
372
389
373
390
The check currently looks for [GitHub packaging workflows]( https://docs.github.com/en/packages/learn-github-packages/publishing-a-package)
374
391
and language-specific GitHub Actions that upload the package to a corresponding hub, e.g., [Npm](https://www.npmjs.com/).
375
392
There is a plan to add better support to query package manager hubs directly in the future, e.g., for [Npm](https://www.npmjs.com/), [PyPi](https://pypi.org/).
393
+
A project may meet this criterion yet have a failing scorecard report;
394
+
some widely-used tools are relatively easy to detect, but it's
395
+
challenging for an automated tool (like scorecard) to detect
396
+
them all.
397
+
If scorecard fails to detect the way you publish a package and
398
+
you think scorecard should support your use case, please
399
+
[open an issue in the scorecard project](https://github.com/ossf/scorecard/issues/new/choose).
376
400
remediation:
377
401
- Publish your project as a [downloadable package](https://docs.github.com/en/packages/learn-github-packages/publishing-a-package).
378
402
- Use a GitHub action to release your package to language-specific hubs.
0 commit comments