| 1 | +--- |
| 2 | +layout: base |
| 3 | +title: "Open Source Checklist" |
| 4 | +--- |
| 5 | + |
| 6 | +# <span style="color:green;font-size:150%">✓</span> Open Source Check List |
| 7 | + |
| 8 | +Prior to releasing a project to GitHub.com, walk through these items and ensure they are addressed. |
| 9 | + |
| 10 | +- **Has PII been removed?** |
| 11 | + - Use [Clouseau](https://github.com/virtix/clouseau) for scanning source code. |
| 12 | + - For an Open Source Release, attach the Clouseau output. |
| 13 | + - If there are images, visually inspect each image to ensure there is no CFPB-specific information. |
| 14 | + |
| 15 | +- **Have security vulnerabilities been remediated?** |
| 16 | + - Use the [OWASP Top 10](https://www.owasp.org/index.php/Top_10_2013) |
| 17 | + - [National Vulnerability Database](http://nvd.nist.gov/) |
| 18 | + - [SANS Swat Checklist](http://www.securingthehuman.org/developer/swat) |
| 19 | + |
| 20 | +- **Are we including any other open source products? If so, is there any conflict with our public domain release?** |
| 21 | + |
| 22 | +- **Is our `TERMS.md` included?** |
| 23 | + |
| 24 | +- **Is a `CHANGELOG.md` present and does it contain structured, consistently formatted recent history?** |
| 25 | + - See <https://github.com/cfpb/qu> and <https://github.com/cfpb/hmda-explorer> |
| 26 | + - Some Inspiration: <http://keepachangelog.com/> |
| 27 | + |
| 28 | +- **Are instructions for contributing included (`CONTRIBUTING.md`)?** |
| 29 | + |
| 30 | +- **Are installation instructions clearly written in the `README` _and_ tested on a clean machine?** |
| 31 | + |
| 32 | +- **Are all dependencies described in the `README`, `requirements.txt`, and/or `buildout.cfg`?** |
| 33 | + |
| 34 | +- **Are the API docs generated?** |
| 35 | + |
| 36 | +- **Are there unit tests?** |
| 37 | + |
| 38 | +- **If appplicable and possible, is it set up in TravisCI?** |
| 39 | + |
| 40 | +- **Have multiple people reviewed the code?** |
| 41 | + |
| 42 | +- **Is there a screenshot in the `README`, if applicable?** |
| 43 | + |
| 44 | + |
| 45 | +## Copy this version to paste into a GitHub issue with live checkboxes: |
| 46 | + |
| 47 | +~~~ |
| 48 | +- [ ] **Has PII been removed?** |
| 49 | + - Use [Clouseau](https://github.com/virtix/clouseau) for scanning source code. |
| 50 | + - If there are images, visually inspect each image to ensure there is no CFPB-specific information. |
| 51 | +- [ ] **Have security vulnerabilities been remediated?** |
| 52 | +- [ ] **Are we including any other open source products? If so, is there any conflict with our public domain release?** |
| 53 | +- [ ] **Is our `TERMS.md` included?** |
| 54 | +- [ ] **Is a `CHANGELOG.md` present and does it contain structured, consistently formatted recent history?** |
| 55 | +- [ ] **Are instructions for contributing included (`CONTRIBUTING.md`)?** |
| 56 | +- [ ] **Are installation instructions clearly written in the `README` _and_ tested on a clean machine?** |
| 57 | +- [ ] **Are all dependencies described in the `README`, `requirements.txt`, and/or `buildout.cfg`?** |
| 58 | +- [ ] **Are the API docs generated?** |
| 59 | +- [ ] **Are there unit tests?** |
| 60 | +- [ ] **If applicable and possible, is it set up in TravisCI?** |
| 61 | +- [ ] **Have multiple people reviewed the code?** |
| 62 | +- [ ] **Is there a screenshot in the `README`, if applicable?** |
| 63 | +~~~ |
| 64 | + |
| 65 | +---- |
| 66 | + |
| 67 | + |
| 68 | +## Take a look at the following projects as good models to follow: |
| 69 | + |
| 70 | + - [https://github.com/cfpb/qu](https://github.com/cfpb/qu) |
| 71 | + - [https://github.com/cfpb/idea-box](https://github.com/cfpb/idea-box) |
| 72 | + - [https://github.com/cfpb/hmda-tool](https://github.com/cfpb/hmda-tools) |
| 73 | + - [https://github.com/cfpb/django-cache-tools](https://github.com/cfpb/django-cache-tools) |
| 74 | + |
| 75 | + |
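Review bot: the two copies of the checklist have drifted, and the spelling differs between them: line 38 reads `If appplicable and possible, is it set up in TravisCI?` while the issue-template copy on line 60 has the correct `applicable`; fix the first so the rendered page and the pasted template match. In the same spirit, the checkbox version drops the sub-items under the security question (the OWASP Top 10, NVD and SANS SWAT links) and the "attach the Clouseau output" sub-item under PII, so someone working from a GitHub issue will not see them; either carry the sub-bullets into the `~~~` block or state that the issue template is deliberately abbreviated. Line 72 has a link whose text and target disagree (`[https://github.com/cfpb/hmda-tool](https://github.com/cfpb/hmda-tools)`); use the same URL in both places. On the PII item itself (lines 10-13), a scan of the current source tree is a good start but it would be worth saying explicitly that commit history must be scanned as well, since removed files and earlier revisions are still published when the repository is pushed, and that credentials, API keys and internal hostnames fall under the same check even though they are not personal data. Finally, the OWASP link on line 16 points at the 2013 edition and the NVD and SANS links are plain `http://`; linking the current OWASP Top 10 and using `https://` would keep the references from going stale.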