What's a Safe Choice?

How to identify safe open source applications

We have tested the software described here.

~~How~~https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Concise-Guide-for-Evaluating-Open-Source-Software.md
^ tohelpful

~~identify~~

~~safe~~

~~open~~

Assessment source

~~applications~~

Verify authenticity

Consider necessity. every new service increases the attack surface

Open source license type

~~Active community~~

~~Open to feedback~~

~~Regular updates~~

~~Multiple developers~~

Does the software require an account, especially one that requires you to provide information like your name or email? ~~What~~Many ~~about~~oss ~~the~~rely ~~forums?~~on email ~~Are~~to ~~they~~build ~~publicly~~a ~~accessible~~community by few reputable projects require them.

DOCUMENTATION

Typosqiatting obs

Maintenance & Sustainability

Is there a docker image?

~~Code~~Is ~~quality~~it ~~reports,~~developer ~~code~~created ~~maintenance~~community
created or user created?

~~Security~~Activity ~~audits~~level

~~Trusted~~Active ~~repository such as GitHub or gitlab~~community

~~Stability;~~Open ~~number~~to offeedback ~~open~~

~~issue~~

Regular ~~reports~~updates

Multiple ~~and or very active forums~~developers

Alpha , beta, stable,

Is the software a proof of concept or a refined software model?

Maintainers and developers are after unpaid. They are passion projects. While some open source software is funded by foundations, many are small community projects that are self funded by donations.

Code quality reports, code maintenance

Is it maintained

GitHub badges. Is it compiling? Etc

Do they offer a way to deploy using docker?

Security

Assessment framework

Trusted repository such as GitHub or gitlab

Security audits

Security Through Transparency

It’s How You Implement Software That Matters

Certifications

Security is not necessarily incorporated into the design and development of OSS.

Many large organizations support OSS projects. However, these projects may rely on work conducted by smaller, volunteer-run OSS projects. For smaller OSS projects, volunteers may have less time to fix problems or conduct security testing. Also, these projects may not receive the funding needed to hire expert security auditors.

~~How much do they ask for support and in what ways? Are they building community or exploiting it?~~

~~Is it maintained~~

~~GitHub badges. Is it compiling? Etc~~

~~Do they offer a way to deploy using docker?~~

~~Security Through Transparency~~

~~It’s How You Implement Software That Matters~~

The blueprints (source code) reveal the layout, but they don’t tell you where the alarm system is located or the combination to the safe.

~~https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Concise-Guide-for-Evaluating-Open-Source-Software.md~~

Community

Stability; number of open issue reports and or very active forums

^What ~~helpful~~about the forums? Are they publicly accessible

~~Maintainer~~How ~~Diversity~~much ~~Verify~~do ~~the~~they ~~presence~~ask offor ~~more~~support ~~than~~and ~~one~~in ~~maintainer,~~what ~~ideally~~ways? ~~from~~ ~~different~~Are ~~organizations,~~they tobuilding ~~reduce single-point-of-failure risk.~~

~~Release Recency Confirm that the last release was issued within the previous 12 months.~~

~~Communication Verify the existence of recent releases~~community or ~~announcements~~exploiting ~~from the project maintainer(s).~~
it?

~~Certifications~~

~~DOCUMENTATION~~

~~Typosqiatting obs~~