Comments (8)
Hi @giantcroc thanks for the post and thanks for integrating isa-l. Glad to know you found a fit in Envoy.
We take security seriously so we are always interested in how to improve. Let's look at each of these. Please let us know if this spurs any ideas.
Add security policy: This one we should be able to put into a file as we already have a policy of course as part of our security lifecycle.
Branch-Protection: I'll have to look into this one further. I think the org only has the permissions to change branch permissions on the main branch.
CI-Tests: We have two levels of CI testing and it looks like the ossf tool is not recognizing either of them. The first is internal and perhaps difficult to register even though every commit and PR goes through this stage. The second is with github actions but not getting detected, I suspect because of the necessary rebasing to get the gerrit ID added for the first stage. This also seems to be an issue with the next item.
Code-Review: We have two levels of code review also and these also are not getting picked up. Looking at the first three commit ids listed, they were all PRs with multiple reviews in github but not detected by the ossf tool. Again I think this is because of the necessary rebase to get the gerrit ID added for the first review step. Perhaps we can promote PRs to add the gerrit ID and fewer will need to be rebased.
CII-Best-Practices: Looking at the list of criteria we should already comply so perhaps we can enroll.
Dependency-Update-Tool: isa-l is a library without any other runtime library dependencies so dependabot or renovatebot are probably not beneficial.
Fuzzing: We do employ fuzz tools where appropriate (compression and decompression) but they are not detected by the tool.
Maintained: Isa-l is actively maintained and I'm not sure why we miss the activity trigger levels.
Token-Permissions: If I understand this correctly the only token we use in ci github actions is the main actions/[email protected]. Is it better to pick a version in this case and perhaps get bug fixes or pin to a hash value?
Pinned-Dependencies: As before we really don't have any dependencies so nothing to pin.
SAST: We do run static analysis as part of CI testing just none of the tools that ossf detects.
Signed-Releases: We don't push any binaries ourselves so nothing to sign. Not sure how we get 10 on Binary-Artifacts for this same reason but not here.
@gbtucker Hi, thanks for your help! I think it is enough to make the score bigger than 5.0, and there is no need to fix all items listed, so we can choose some easier ones to improve the score.
- Add security policy: the simplest one, just place a security policy file SECURITY.md in the root directory of the repository.
- Branch-Protection: we can add some constraints on main branch like disabling force pushes and allow deletion.
- Token-Permissions: I don't know if it's possible to make token read-only. If it's ok, we can add permissions for the GITHUB_TOKEN as add permissions.
After fixing the items above, I think the score should be able to reach 5.0 or more. Thanks!
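The two Scorecard items discussed above (Token-Permissions and pinning actions to a hash rather than a tag) can be checked mechanically. The script below is an added example, not isa-l's own CI configuration and not the OpenSSF Scorecard tool's code; the two workflow snippets are constructed samples and the all-zero 40-character SHA is a placeholder standing in for a real commit hash. It flags every `uses:` reference that is not pinned to a full commit SHA (a tag such as `@v2` can be moved by the action's maintainers, a SHA cannot) and reports whether the workflow declares a top-level `permissions:` block, which replaces the write-capable default GITHUB_TOKEN with only the scopes listed.

```python
import re
from typing import Dict, List

# Constructed sample: the shape of a workflow that Scorecard would flag.
UNPINNED_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: ./autogen.sh && ./configure && make
"""

# Constructed sample of the hardened form: read-only token, action pinned
# to a commit SHA (all zeros here as a placeholder; the trailing comment
# records which tag the SHA corresponds to so humans can still read it).
PINNED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4, placeholder SHA
      - run: ./autogen.sh && ./configure && make
"""

# `uses:` may appear as a list item ("- uses:") or as a plain mapping key.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
# A full-length, lowercase hex git object id.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Top-level `permissions:` has no indentation; job-level copies are indented.
PERMISSIONS_RE = re.compile(r'^permissions:')


def unpinned_actions(workflow: str) -> List[str]:
    """Return every third-party `uses:` reference not pinned to a 40-hex SHA.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through a mutable git tag. A reference with no '@' at all is
    reported too, because it resolves to the action's default branch.
    """
    findings = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(ref)
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def has_top_level_permissions(workflow: str) -> bool:
    """True if the workflow sets `permissions:` at the top level."""
    return any(PERMISSIONS_RE.match(line) for line in workflow.splitlines())


def check_workflow(workflow: str) -> Dict[str, object]:
    """Summarise both checks for one workflow file's text."""
    return {
        "unpinned_actions": unpinned_actions(workflow),
        "token_permissions_declared": has_top_level_permissions(workflow),
    }


if __name__ == "__main__":
    for name, text in (("unpinned", UNPINNED_WORKFLOW), ("pinned", PINNED_WORKFLOW)):
        print(name, check_workflow(text))
```

Pinning to a SHA trades automatic bug fixes for immutability; the usual practice is to keep the tag in a trailing comment (as in the pinned sample) and let a bot such as dependabot bump the SHA and comment together, so the review diff shows what moved.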
@giantcroc. I have integrated ISA-L as a dependency in some other projects and my experiences are as follows:
- ISA-L not having dependencies is great. This means ISA-L never causes a dependency conflict.
- ISA-L provides only one feature over zlib: speed. This means that functionality-wise, it is redundant. Which in turn means you can add the dependency by adding an optional code path for speed instead of building your whole library on top of ISA-L.
Reason 1 means ISA-L is very unlikely to become a liability in your project and reason 2 means that if for some reason it does, there is very little cost to removing the code that uses ISA-L. The speed benefits are non-trivial so integrating is worth it when compression/decompression is a bottleneck.
@rhpvorderman Thanks! Your sharing is very helpful to me.
And I think the most difficult thing is building nasm in bazel because envoy uses bazel as the build tool.
Do you have any experience to build isa-l using bazel?
- I build nasm first: https://github.com/pycompression/python-isal/blob/develop/.github/workflows/ci.yml#L168
- Then I simply use the commands as provided on the readme:
    ./autogen.sh
    ./configure --prefix /somewhere/in/build/directory
    make
    make install
You need to statically link isa-l_static.lib.
Added security policy file in 2bcbaf4.
OK, thanks!
@gbtucker Look good. Thanks!
I have run the scorecard again and the score is already up to 4.6.
And I think it's easy to get to 5.0+ with more small improvements.
Aggregate score: 4.6 / 10