The Geomys Standard of Care
6 months ago
- #Open Source
- #Maintenance
- #Security
- Professionalizing open source maintenance through explicit standards makes projects safer and more reliable.
- The Geomys Standard of Care was developed by surveying recent supply chain compromises and expert feedback.
- Covers maintenance philosophy, stability, dependency management, security, vulnerability handling, licensing, and more.
- Future goals include adopting binary transparency tools and periodic reviews of browser extensions and OAuth apps.
- Projects under this standard include Go standard library packages, Staticcheck, Gotraceui, and more.
- Code review, complexity management, static analysis, and strict backwards compatibility are emphasized.
- Dependency management avoids automatic update tools like Dependabot, relying instead on govulncheck and isolated CI jobs.
- Phishing-resistant authentication is mandatory for critical accounts, with strict modes enabled where possible.
- Long-lived credentials are avoided; hardware-bound SSH keys are preferred.
- CI security includes zizmor for GitHub Actions, read-only workflows by default, and cache poisoning mitigations.
- Third-party access is limited; project abandonment leads to archiving rather than handover.
- Availability monitoring and transparency logging are in place for critical endpoints and domains.
- Vulnerability handling includes documented reporting mechanisms, honoring embargoes, and accurate CVE reporting.
- Permissive licenses like BSD-3-Clause, MIT, and Apache-2.0 are used.
- Geomys is funded by companies like Smallstep, Ava Labs, and Tailscale, ensuring sustainable open source maintenance.
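To make the CI items in the list above concrete (read-only workflows by default, govulncheck in an isolated job, zizmor linting of the workflows, and a cache poisoning mitigation), here is an added GitHub Actions workflow; it is an illustration, not a Geomys project's own configuration, and the action versions and the zizmor install method are assumptions.

```yaml
# Added example, not a Geomys project's own workflow; action versions are assumptions.
name: ci
on:
  push:
    branches: [main]
  pull_request:

# Read-only by default: no job receives a write-capable GITHUB_TOKEN unless
# it explicitly requests one in its own permissions block.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          # Cache poisoning mitigation: do not restore a build cache that a
          # less-trusted workflow run could have written.
          cache: false
      - run: go test ./...

  # Isolated job: govulncheck runs separately from build and test, so its
  # result and its network access to the vulnerability database are kept
  # apart from the rest of the pipeline.
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache: false
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...

  # Static analysis of the workflow files themselves (over-broad permissions,
  # unpinned actions, untrusted expressions interpolated into run steps).
  zizmor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Install method is an assumption; zizmor is also distributed via cargo.
      - run: pipx run zizmor .github/workflows
```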