No Code Attached Yet
gabibguti - 21 Oct 2022

Proposal

Hello! I'm Gabriela and Google hired me to help essential open-source projects improve their supply-chain security. My role is to reach out to projects like yours and see if I can offer my time and help to secure your project, since it’s considered critical to the open source ecosystem. I see joomla-cms already follows some security best practices, such as automated flows to update dependencies, and that's great!

To build on that, I’d like to suggest a tool called Scorecards. Scorecards’ goal is to make maintainers aware of possible supply-chain security issues. This includes keeping dependencies updated to protect against vulnerabilities and guaranteeing that binary files are not present in source code, since they are targets for attacks. Scorecards runs these automated security checks and reports the results to the repository's security dashboard. There are tips for remediating any issues, which I can also help with!

If you would like to add Scorecards, let me know! I can open a PR. If not, are there any other security efforts I can help you with?

gabibguti - open - 21 Oct 2022
gabibguti - change - 21 Oct 2022
Labels Removed: ?
joomla-cms-bot - change - 21 Oct 2022
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 21 Oct 2022
ReLater - comment - 21 Oct 2022

When the American billion-dollar corporation Google hires people to offer help to open source projects and these people mention Google in the introductory sentence as if it were a seal of approval, I am exclusively sceptical. Apart from that, I don't see anything on the Scorecard site that I think would be helpful for Joomla developers. Except another tool that praises itself to the skies and produces automated noise.

Of course, it's not up to me to decide.

drmenzelit - comment - 22 Oct 2022

Thank you for the offer, we will discuss it in the team and contact you.

chmst - change - 6 Nov 2022
Status: New → Closed
Closed_Date: 2022-11-06 07:54:37
Closed_By: chmst
chmst - close - 6 Nov 2022
