docs: restructure concise evaluating guide, add terminology list #832
Conversation
|
Definitely prettier! It's also much longer (e.g., when printed). I don't know which is better for people. Does anyone else have any thoughts? |
|
Thanks. The terminology list could be removed as it takes up a lot of the new document. Maybe a terminology list could be an idea for a separate md-doc (in the future). But as for now, I could just remove it from the suggestion above. |
There was a problem hiding this comment.
I in fact like the new layout, the check boxes and the languages changes. I think that the increase in length is outweighed by the more prominent structure. However, at the end of the day, it is a matter of taste.
Independent of the structure, I made two proposed additions to the content: the Security Baseline and API Stability as a new criterion. Probably we shouldn't mix structural changes and content changes, so I am happy to add them independently to the guide. Still, curious about feedback.
| |------|-------------|:--------:| | ||
| | **License Clarity** | Verify that every component has a license, that it's a widely-used [OSI license](https://opensource.org/licenses) if it's OSS, and that it's consistent with your intended use. Projects that won't provide clear license information are less likely to follow other good practices that lead to secure software. | □ | | ||
| | **Name Verification** | Check if a similar name is more popular - that could indicate a typosquatting attack. | □ | | ||
| | **Usage Metrics** | Assess if it has significant use. Software with many users or large users may be inappropriate for your use. However, widely-used software is more likely to offer useful information on how to use it securely, and more people will care about its security. | □ | |
There was a problem hiding this comment.
I have to admit that I don't understand the reasoning behind: "Software with many users or large users may be inappropriate for your use."? This is already part of the original version, so this question is more directed to @david-a-wheeler.
There was a problem hiding this comment.
Yes, I just used the original. I also think the sentence is not clear, and even that it should be clearer without that sentence. '...use. Widely-used....'
There was a problem hiding this comment.
I was thinking about the point of You are not Google: "if you’re using a technology that originated at a large company, but your use case is very different, it’s unlikely that you arrived there deliberately; no, it’s more likely you got there through a ritualistic belief that imitating the giants would bring the same riches."
Basically, while software with many users is often capable, it might not be a good match for your use case. You need to choose software relevant to your problem, not just choosing some software because it's the latest fad. The text is an attempt to counter fad-driven development aka Hype Driven Development.
I'm quite open to finding another way to say it.
There was a problem hiding this comment.
I think this should be a separate issue/PR. Let's not hold up the restructure for rewording this one point. This is the same wording as earlier.
There was a problem hiding this comment.
Thanks for clarifying, I understand better now. While I understand and agree to the philosophical reasoning - , I wonder if a reader would catch that, without a longer explanation. An idea would be to put the sentence under the "Consider Necessity"-paragraph , and in a more straightforward form? Something in the style of -> Does your use case really motivate the addition, or are there simpler solutions?
But, maybe the whole discussion as you suggest, should be moved to another issue.
There was a problem hiding this comment.
I've captured this in issue #853 so we can separately discuss & resolve it.
|
Note: If you decide you want the checkbox to stay in, I will change it to '[ ]' instead of the current Unicode character □. The '[ ]' format is commonly used in markdown and makes it easy to tick off items, ie not just for printout. I was in a bit of a hurry when I added the Unicode character column - I should have used '[ ]' from the start. |
|
Colleague of @janderssonse chiming in. I would recommend to use "real" checkboxes |
|
Thanks! As the guide is rendered to https://best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software, do we know what the output of |
|
Regarding Checkbox rendering: I did some further experimentation and investigated both GitHub flavored markdown and the kramdown conversions (the rendering of the markdown in the link above is done with Jekyll, which uses kramdown GFM). I came to the conclusion that a Unicode character is the only solution that works for both cases I.E- rendering with GitHub's native renderer directly, and through Jekyll/Kramdown. The official GitHub checkbox syntax - [ ] and above suggestion will render a checkbox in GitHub, but not in Jekyll/Kramdown. So, to summarize, sadly, the best approach to support both cases (GitHub native rendering and Jekyll-kramdown-GFM rendering) seems to be to use a Unicode character checkbox (as is then). Note: |
janderssonse
force-pushed
the
feat/improve-evaluting-structure
branch
from
1c660ed to
ad66b75
Compare
|
Thanks @janderssonse for looking into this. I also confirmed the same result in the meantime. |
|
The formatting changes seem like a positive improvement for readability/scannability of the content. Thanks for the contribution! |
|
We don't need the version number, the date is sufficient. We normally only use dates. |
Fixed, versions removed, only using date |
janderssonse
force-pushed
the
feat/improve-evaluting-structure
branch
from
4963b96 to
e48ea3b
Compare
|
I have rebased, and fixed most of the suggestions. Questions still:
|
|
My thoughts:
If we can get the checkboxes to "work" online they have some value. We use Kramdown with Jekyll (the default for GitHub Pages). We can modify its configuration, but is there a configuration that makes them "work"? I'm not sure the Unicode checkboxes add much value, but it doesn't matter much to me either way.
I think it should stay. Having clear terms' definitions seems useful. Having them at the end means people can see the meat first.
You mean "Software with many users or large users may be inappropriate for your use." yes? Let's make that a separate PR. I don't want to hold up this reorg while also trying to rewrite the text, and trying to do too many things at once can be confusing. |
|
janderssonse found that Kramdown can't be configured to make this work. At first I thought we could configure Kramdown to make the checkboxes work ("that can't be right!") but I sure don't find a solution either :-(. |
|
I found this which uses JavaScript to fix up some things. I'm not sure this effort is worth it: https://thatgurjot.com/til/clickable-checkboxes-on-jekyll-hugo/ |
|
In the long term we're working on an OpenSSF glossary. Once that has real content we could point off to that for the terminology. |
janderssonse
force-pushed
the
feat/improve-evaluting-structure
branch
from
e48ea3b to
3750962
Compare
As the checkbox currently seems to be of limited use, and is causing problems for different renderings options.. Another option would be that we just remove the Check-cell. |
janderssonse
force-pushed
the
feat/improve-evaluting-structure
branch
from
3750962 to
6fd105b
Compare
|
Rebased. Any chance of seeing this move forward? :) What is left is, from what I can tell, are the following actions:
|
|
Hi @janderssonse. Sorry for the slow response times (Kubecon and other things happened). I support moving this forward and focusing this PR on restructuring the content. Specifically:
|
|
Thanks, hope kubecon was great. I notice that the markdowlinter complains so will fix that, and also change to your suggestion "Checked". I'll fix it later. |
janderssonse
force-pushed
the
feat/improve-evaluting-structure
branch
2 times, most recently
from
e485dc8 to
8754af8
Compare
Both of them should now be fixed |
|
To continue the bikeshedding, maybe |
janderssonse
force-pushed
the
feat/improve-evaluting-structure
branch
from
8754af8 to
d5b68db
Compare
Done... is Done!:) |
|
Looks good to me. If we get another approving review, I'll merge this PR. |
|
The new alphabetic organization seems to suggest that consulting SAFECode’s guide Principles for Software Assurance Assessment (2019) is the first thing to do. Originally this was point 9, as merely something you COULD do. Do we want to emphasize it that strongly? |
How about changing "Utilize established... " to "Consider utililzing established ..." which should make it clear that you could, not should? |
|
That helps, but s/utilizing/using/ ("utilizing" is an unnecessarily fancy word). |
janderssonse
force-pushed
the
feat/improve-evaluting-structure
branch
from
d5b68db to
699e766
Compare
Rebased and utilized! Fixed I meant! |
|
thanks @janderssonse. I'd like to really get this merged, so I propose doing so. The WG approved the restructure some time ago already. Now, one last thing: there is a brand bew OpenSSF global glossary now: https://github.com/ossf/glossary I suggest moving the terms from this doc to that glossary (I am also fine with first merging and then moving things around) @david-a-wheeler ? |
janderssonse
force-pushed
the
feat/improve-evaluting-structure
branch
2 times, most recently
from
e196e6a to
4b15bb8
Compare
Signed-off-by: Josef Andersson <janderssonse@proton.me>
janderssonse
force-pushed
the
feat/improve-evaluting-structure
branch
from
4b15bb8 to
ed16bcb
Compare
Thanks, I removed the glossary for now and will add to the global glossary in seperete PR, after this one is done. |
|
Ok. I think we need merge, then improve further, or the bikeshedding will continue forever. |
This restructure suggestion PR does the following:
The most important:
Other:
This suggestion came from another PR where I asked about translations, and, while translating, I thought I would like to make the structure a bit more clearer in the original document.