2023 08 14 Open NEST Developer Video Conference
Dennis Terhorst edited this page Aug 14, 2023
- Welcome
- Review of NEST User Mailing List
- Project team round
- In-depth discussion
- Open-Source Software Foundation (OpenSSF) Badges, SLSA, …
Here we discuss topics that need broader attention, for example questions that came up but are outside a single project's scope, larger planned changes/PRs that affect all teams or pending work that is blocked by external factors.
Go to the Project boards.
Some "Salsa" for NEST: https://slsa.dev
Supply-chain Levels for Software Artifacts, or SLSA ("salsa").
It’s a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. It’s how you get from "safe enough" to being as resilient as possible, at any link in the chain.
Automatic "linting" of the CI workflows by the Step-Security bot, delivered as a batch of PRs:
- #2874 – GITHUB_TOKEN permissions
  - sensible, trivial, done.
- #2877 – Add CodeQL workflow
  - yet another code checker
- #2878 – Dependency review
  - GitHub action
- #2879 – Create OpenSSF Scorecard workflow
  - https://github.com/ossf/scorecard (results see here, look up CVEs here)
- #2875 – Harden Runner and pin Actions
  - dependency on the step-security/harden-runner action (current results)
  - linting of CI workflows
  - auditing/blocking of outbound connections
  - monitoring of overwritten source files
  - procedure for version updates after pinning
- #2876 – Update Dependabot
  - might solve the version-update problem after pinning
- #2880 – Update pre-commit configuration
  - adding more developer-local checks/lints before PRs reduces annoying CI failures due to formatting, etc.
  - requires more setup of the development environment
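To make the three workflow-level changes from #2874, #2875 and #2876 concrete, here is a hardened workflow skeleton. It is an added illustration, not NEST's own CI configuration or anything from the bot's PRs: the workflow name, trigger, job and the pip/pytest steps are assumed, the commit SHAs are all-zero placeholders (an actual pin is the 40-hex SHA of the release you audited), and the endpoint list is an assumed example. The "before" setting is shown in a comment next to each hardened one.

```yaml
# Hardened GitHub Actions workflow (added example, not NEST's own configuration).
# Assumed workflow name, trigger and build steps; SHAs are placeholders.
name: build

on:
  pull_request:
  push:
    branches: [master]

# #2874 – GITHUB_TOKEN permissions
# Before: no `permissions:` key, so every job inherits the repository default
#         for GITHUB_TOKEN, which may be read/write on all scopes.
# After:  deny by default at workflow level; a job re-enables only what it needs.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # a job uploading CodeQL/Scorecard results would add: security-events: write
    steps:
      # #2875 – Harden Runner
      # Must be the first step so it observes the egress of every later step.
      # Before: no harden-runner, any step (or compromised action) may phone home.
      # After:  run with `egress-policy: audit` first to learn the endpoints,
      #         then switch to `block` with the observed allow-list.
      - name: Harden runner
        uses: step-security/harden-runner@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            pypi.org:443
            files.pythonhosted.org:443

      # #2875 – pin Actions
      # Before: uses: actions/checkout@v3   (a mutable tag that can be re-pointed)
      # After:  pin to the immutable commit SHA. The trailing version comment is
      #         what Dependabot's github-actions ecosystem (#2876) reads to bump
      #         the SHA and the comment together, which is the "procedure for
      #         version updates after pinning".
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v3.5.3 (placeholder SHA)
      - uses: actions/setup-python@0000000000000000000000000000000000000000 # v4.7.0 (placeholder SHA)
        with:
          python-version: "3.11"

      # Assumed build/test steps; outbound traffic from these is what the
      # allow-list above has to cover.
      - run: python -m pip install -r requirements.txt
      - run: pytest
```

Two practical notes. Start harden-runner in `audit` mode on a few real runs before flipping to `block`, otherwise a legitimate download (a compiler tarball, a conda channel) fails with an opaque network error. And pinning only pays off together with an update mechanism: for #2876, a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` is what keeps the SHA pins from silently aging.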
NEST Homepage: www.nest-simulator.org
NEST Initiative: www.nest-initiative.org