Seeking SOS Fund Projects

I’m spending some time over the next few days looking for the next round of projects which might benefit from an SOS Fund security audit. (Here’s what’s been done and published so far; a few more are in the works.) The criteria for what makes a good project are recorded on the MOSS website. We have two hard-and-fast criteria:

  • The software must be open source/free software, with a license that is OSI-certified and/or FSF-approved
  • The software must be actively maintained

And then we have a series of factors we consider when evaluating an application:

  • How commonly used is the software?
  • Is the software network-facing or does it regularly process untrusted data?
  • How vital is the software to the continued functioning of the Internet or the Web?
  • Is the project known for something besides the code we are relying on?
  • Does the software depend on closed-source code, e.g. in a web service?
  • Are the software’s maintainers aware of and supportive of the application for support from the SOS fund?
  • Has the software been audited before? If so, when and how extensively? Was the audit made public? If so, where?
  • Does the software have existing corporate backing or involvement?

People do have a tendency to suggest the entirely impractical, such as “Linux Mint” or “Copperhead OS”. We aren’t able to do full audits on corpuses of software of that size. In general, if it’s more than about 200kloc, we are going to have to pick and choose.

If you know of a project which fits, please submit a suggestion, or drop me an email. Thanks!

2 thoughts on “Seeking SOS Fund Projects”

  1. Hi Gerv,

    It’s not directly what you’re asking for, but after reading this – https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5 – I wondered, are there any tools out there for proving that a minified JavaScript file came from its purported non-minified source? I’ve never heard of anything, and a quick Google didn’t turn up anything obvious. It seems like something that’s missing that ought to be a standard part of toolchains. Of course, to make sure, you can always re-minify something and ignore a provided .min.js; but that’s non-optimal.

    David

  2. Pingback: Links 21/1/2018: Wine 3.0 Coverage, KaOS 2018.01, Red Hat Among ‘Admired Companies’ | Techrights
