
2023 08 14 Open NEST Developer Video Conference

Dennis Terhorst edited this page Aug 14, 2023 · 7 revisions


Agenda

  1. Welcome
  2. Review of NEST User Mailing List
  3. Project team round
  4. In-depth discussion
    • Open-Source Software Foundation (OpenSSF) Badges, SLSA, …

Mailing list

Project team round

Here we discuss topics that need broader attention, for example questions that came up but are outside a single project's scope, larger planned changes/PRs that affect all teams or pending work that is blocked by external factors.

Go to the Project boards.

In-depth discussion

Some "Salsa" for NEST: https://slsa.dev

Supply-chain Levels for Software Artifacts, or SLSA ("salsa").

It’s a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. It’s how you get from "safe enough" to being as resilient as possible, at any link in the chain.

Automatic "linting" of CI workflow by Step-Security bot:

  • #2874 – GITHUB_TOKEN permissions
    • sensible, trivial, done.
  • #2877 – Add CodeQL workflow
    • yet another code checker
  • #2878 – Dependency review
    • github action
  • #2879 – Create OpenSSF Scorecard workflow
  • #2875 – Harden Runner and pin Actions
    • dependency to step-security/harden-runner action (current results)
      • linting of CI workflows
      • auditing/blocking of outbound connections
      • monitor overwritten source files
    • procedure for version updates after pinning
  • #2876 – Update Dependabot
    • might solve pinning
  • #2880 – Update pre-commit configuration
    • adding more developer-local checks/lints before PRs reduces annoying CI failures due to formatting, etc.
    • requires more setup for development environment
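As an added example (not NEST's own code, nor the Step-Security bot's), a minimal lint in the spirit of the checks above: it flags actions not pinned to a full commit SHA and a missing or `write-all` workflow-level GITHUB_TOKEN permission, run over a constructed "before" workflow and a hardened "after" one. It assumes the `egress-policy` input of step-security/harden-runner; the SHAs in the sample are all-zero placeholders.

```python
# Added example (not NEST code): lint a workflow for the two properties the
# Step-Security PRs above target, GITHUB_TOKEN permissions and SHA-pinned actions.
import re

# `uses: owner/repo[/path]@ref`; local `./` actions and docker:// refs are ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TOP_PERMS_RE = re.compile(r"^permissions:\s*(.*)$")  # unindented => workflow level

def lint_workflow(text: str) -> list:
    """Return findings as strings; an empty list means the workflow passes."""
    findings, top_permissions = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := TOP_PERMS_RE.match(line):
            top_permissions = m.group(1).split("#")[0].strip()
        if m := USES_RE.match(line):
            action, ref = m.groups()
            if not FULL_SHA_RE.match(ref):
                findings.append(f"line {lineno}: {action}@{ref} is not pinned to a full commit SHA")
    if top_permissions is None:
        findings.append("no top-level 'permissions:'; GITHUB_TOKEN keeps the repository default scopes")
    elif top_permissions == "write-all":
        findings.append("top-level 'permissions: write-all' grants every scope to GITHUB_TOKEN")
    return findings

# Constructed sample: typical unhardened workflow (mutable tag, no permissions block).
BEFORE = """\
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Constructed sample: read-only token, harden-runner first, SHA-pinned actions. All-zero
# SHAs are placeholders; the trailing "# vN" comment is what Dependabot reads when bumping pins.
AFTER = """\
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0000000000000000000000000000000000000000  # v2 (placeholder)
        with:
          egress-policy: block
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4 (placeholder)
"""
```

Running `lint_workflow(BEFORE)` yields two findings (the unpinned checkout and the missing permissions block); `lint_workflow(AFTER)` yields none.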