Extend Security Best Practices for your Project #3465
Conversation
| Using open source dependencies can speed up development, but each package includes a license that defines how it can be used, modified, or distributed. Some licenses are permissive, while others (like AGPL or SSPL) impose restrictions that may not be compatible with your project's goals or your users' needs. | ||
| Imagine this: You add a powerful library to your project, unaware that it uses a restrictive license. Later, a company wants to adopt your project but raises concerns about license compliance. The result? You lose adoption, need to refactor code, and your project’s reputation takes a hit. |
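Review bot: "restrictive" in the license paragraph is too vague for a reader to act on; name the obligation that makes AGPL and SSPL hard to combine with other code (copyleft terms that require releasing your own source under the same license when you redistribute, and for AGPL also when you serve the software over a network). The "Imagine this" scenario has the same gap: it describes the fallout (lost adoption, refactoring) but not the compliance concern that triggered it, so one clause stating what the adopting company actually objected to would make the example concrete.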
@Jeffrey-Luszcz feel free to suggest a better example for the mixed-license scenario in the license section. You probably have a much stronger one than mine 🙏
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
xcorail
left a comment
Nice additions!
I will let @Jeffrey-Luszcz weigh in on the licensing stuff, and I made a suggestion for the IR plan section, but I like the rest.
@UlisesGascon I see @xcorail has some suggestions above. Can you take a look and discuss/accommodate? I've pinged @Jeffrey-Luszcz and he'll be taking a look when he can. Thank you for the contribution.
| Imagine this: You add a powerful library to your project, unaware that it uses a restrictive license. Later, a company wants to adopt your project but raises concerns about license compliance. The result? You lose adoption, need to refactor code, and your project's reputation takes a hit. | ||
| To avoid these pitfalls, consider including automated license checks as part of your development workflow. These checks can help identify incompatible licenses early in the process, preventing problematic dependencies from being introduced into your project. |
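Review bot: "consider including automated license checks as part of your development workflow" names neither where the check runs nor what it decides, so readers cannot turn it into a practice. Suggest stating that the check runs in CI whenever dependencies change (for example on pull requests that touch the lockfile) and fails the build when a dependency's license is on a project-defined denylist such as the AGPL or SSPL examples given earlier, and link at least one tool so readers have a starting point; the thread already mentions OSS Review Toolkit (ORT) and licensee for npm.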
Is there an existing auto license check tool that we could link users to?
Not an expert on this, but we could point readers to a couple of options, though they are not easy to adopt (IMO).
For example, FOSSA is a commercial tool that provides automated license-compliance scanning, and there’s also the OSS Review Toolkit (ORT), an open-source option that includes a license scanner: https://oss-review-toolkit.org/ort/docs/tools/scanner/
Most of the scanners I use personally are specific to the npm universe 🤔.
@Jeffrey-Luszcz wdyt?
for npm? npmjs.com/licensee
Converting to draft until author re-engages.
I plan to rework this PR next week once I am back from vacation
Co-authored-by: Xavier RENE-CORAIL <xcorail@github.com>
xcorail
left a comment
LGTM for me - I just suggested a typo fix.
I will approve the PR, but I defer to @Jeffrey-Luszcz for the licensing part
Thanks @UlisesGascon for these additions!
Co-authored-by: Xavier RENE-CORAIL <xcorail@github.com>
| A new contributor gets write access to the main branch and accidentally pushes changes that have not been tested. A dire security flaw is then uncovered, courtesy of the latest changes. To prevent such issues, branch protection rules ensure that changes cannot be pushed or merged into important branches without first undergoing reviews and passing specified status checks. You're safer and better off with this extra measure in place, guaranteeing top-notch quality every time. | ||
| ## Set up an intake mechanism for vulnerability reporting | ||
| ## Make it easy (and safe) to report security issues |
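Review bot: "guaranteeing top-notch quality every time" overstates what branch protection does; it enforces that reviews and status checks happen, it does not guarantee the outcome, so suggest "reducing the chance that untested changes reach the main branch". The scenario also opens with a new contributor being given write access to the main branch, which is the underlying lapse; one sentence on least-privilege access (grant write access only when needed, require review from code owners) would connect the example to its mitigation. The heading rename to "Make it easy (and safe) to report security issues" reads well; consider keeping "vulnerability reporting" in the section body so the term people search for still matches.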
cc: @KevinCrosby, @Jeffrey-Luszcz @DUBSOpenHub @jonchurch @blakeembrey @ljharb @RafaelGSS
Note: This PR will impact #3462 and #3461