Open Source Checklist

Edward Delaporte edited this page Mar 24, 2026 · 6 revisions

About

Identity, Privacy and Cybersecurity follows this checklist when releasing a code repository as open source.

Many of the file-based repository requirements can be created using the Create-OpenSourceRequirements script, or by creating the repository from the SecDev Template Repository.

To ensure an existing repository stays in sync with preferred versions of these files, we sometimes add Borg - Template Repo Sync to our CI/CD checks.

Checklist

  • Do we expect Open Sourcing this solution to provide value to other members of the Academic / Security Community?
    • Do we expect campus IT professionals to adopt this through a shared public repository? i.e. PowerShell Gallery or PyPI.
    • Does this release support our use of the InCommon Trusted Access Platform? i.e. integrates with Shibboleth, Grouper, COmanage, or midPoint.
    • Does this release support sharing a common incident response solution set with our frequent collaborators? i.e. our shared Black Hole Router automation with NCSA.
  • An acceptable open source license has been applied.
    • Any license that contains a clause to protect the University against liability is acceptable.
    • We typically apply the U of I / NCSA Open Source License.
    • If significant maintenance costs are anticipated, consider AGPLv3, to ensure we have access to any patches or security updates created by external entities.
    • If we're re-using substantial amounts of code, or making a fork of something, we default to keeping the existing license.
    • For code that requires a highly customized license, we will work with the University of Illinois Office of Technology Management.
  • Support expectations are added to the repository.
  • Consider and commit to relevant practices put forth in the Cybersecurity Example Development Standards.
    • This helps maintain the University brand, contributes to security event remediation and is the foundation of healthy collaboration.
    • At minimum, maintain a CHANGELOG.md file.
  • Review the repository permissions (branches, pushes, pull requests, etc.)
  • Team Manager has approved releasing this product as open source.
    • Discuss any planned variations from the above defaults with your manager.
