I’m spending some time over the next few days looking for the next round of projects which might benefit from an SOS Fund security audit. (Here’s what’s been done and published so far; a few more are in the works.) The criteria for what makes a good project are recorded on the MOSS website. We have two hard-and-fast criteria:
- The software must be open source/free software, with a license that is OSI-certified and/or FSF-approved
- The software must be actively maintained
And then we have a series of factors we consider when evaluating an application:
- How commonly used is the software?
- Is the software network-facing or does it regularly process untrusted data?
- How vital is the software to the continued functioning of the Internet or the Web?
- Is the project known for something besides the code we are relying on?
- Does the software depend on closed-source code, e.g. in a web service?
- Are the software’s maintainers aware of and supportive of the application for support from the SOS fund?
- Has the software been audited before? If so, when and how extensively? Was the audit made public? If so, where?
- Does the software have existing corporate backing or involvement?
People do have a tendency to suggest the entirely impractical, such as “Linux Mint” or “Copperhead OS”. We aren’t able to do full audits on corpuses of software of that size. In general, if it’s more than about 200kloc, we are going to have to pick and choose.
If you know of a project which fits, please submit a suggestion, or drop me an email. Thanks!