fineract-dev mailing list archives

From Roman Shaposhnik <ro...@shaposhnik.org>
Subject Re: Please help evaluation Fineract's readiness for graduation
Date Sat, 07 Jan 2017 01:41:38 GMT

On Fri, Jan 6, 2017 at 4:24 PM, Ed Cable <edcable@mifos.org> wrote:
> Could our Apache Fineract mentors please provide some guidance on a couple
> of the areas we need to improve upon:
>
> QU10 "*The project is open and honest about the quality of its code.
> Various levels of quality and maturity for various modules are natural and
> acceptable as long as they are clearly communicated." -*
>
> Do you have any other projects you could point to that have strong
> transparent measures of quality and maturity clearly available? We want to
> follow best practices and adopt similar to display at
> http://fineract.incubator.apache.org

Regular deployment of tools like Findbugs is a good indication that you take
this requirement seriously.

> *QU30: The project provides a well-documented channel to report security
> issues, along with a documented way of responding to them.*
>
> Currently we just link to: http://www.apache.org/security/ Are we able to
> do as other projects at http://www.apache.org/security/projects.html or is
> a private channel not something we can set up till we're out of
> incubation?  If we can move forward, I'd suggest we have a security page
> on our site, document and fix known vulnerabilities and then provide clear
> instruction on reporting vulnerabilities to a private channel like
> security@fineract.incubator.apache.org

This is less about security@fineract vs.  http://www.apache.org/security/
and more about the community being ready for when the first 0 day
hits either of those. Being ready is a combination of tribal knowledge,
wiki recommendations and a release policy that would allow you to patch
at a drop of a hat.

Thanks,
Roman.
