Libellus Potionis

Projects that follow the best practices below can voluntarily self-certify and show that they've achieved an Open Source Security Foundation (OpenSSF) best practices badge.

There is no set of practices that can guarantee that software will never have defects or vulnerabilities; even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. However, following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can both help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different companies. To earn a badge, all MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR be unmet with justification, and all SUGGESTED criteria must be met OR unmet (we want them considered at least). If you want to enter justification text as a generic comment, instead of being a rationale that the situation is acceptable, start the text block with '//' followed by a space. Feedback is welcome via the GitHub site as issues or pull requests There is also a mailing list for general discussion.

We gladly provide the information in several locales, however, if there is any conflict or inconsistency between the translations, the English version is the authoritative version.
If this is your project, please show your badge status on your project page! The badge status looks like this: Badge level for project 13480 is passing Here is how to embed it:
You can show your badge status by embedding this in your markdown file:
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/13480/badge)](https://www.bestpractices.dev/projects/13480)
or by embedding this in your HTML:
<a href="https://www.bestpractices.dev/projects/13480"><img src="https://www.bestpractices.dev/projects/13480/badge"></a>


These are the Gold level criteria. You can also view the Passing or Silver level criteria.

Baseline Series: Baseline Level 1 Baseline Level 2 Baseline Level 3

        

 Basics 2/5

  • General

    Note that other projects may use the same name.

    Libellus Potionis is a privacy-first, free, open-source, ad-free alcohol-consumption tracker that helps users monitor, pace, and manage their drinking habits entirely offline. It needs no invasive device permissions — no camera, microphone, or location access — and works completely without network connectivity.

    Key features

    • Intelligent logging: predefine custom beverages or use internationally common presets, and log drinks instantly or retroactively with precise timestamp corrections.
    • Concurrent limit tracking: set three simultaneous boundaries — a daily limit (grams of pure alcohol), a rolling 7-day weekly limit (grams), and a maximum number of drinking days per week — with visual progress bars in real time.
    • Blood-alcohol (BAC) estimation: enter your body weight for a live BAC approximation based on the established Widmark formula.
    • Addiction-counseling reports: generate a clear, well-organized two-page PDF report designed for consultations and counseling appointments.
    • Data portability: export your complete dataset as a standard CSV file for external processing (e.g. in LibreOffice Calc), or create secure JSON backups to migrate data between devices.
    • Granular adjustments: customize your "day start" time so late-night drinks count toward the correct evening, and define custom evaluation start dates for clean restarts.

    A comprehensive User's Guide is fully accessible in-app. The app is available on F-Droid.

    Please use SPDX license expression format; examples include "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", and "(BSD-2-Clause OR Ruby)". Do not include single quotes or double quotes.
    If there is more than one language, list them as comma-separated values (spaces optional) and sort them from most to least used. If there is a long list, please list at least the first three most common ones. If there is no language (e.g., this is a documentation-only or test-only project), use the single character "-". Please use a conventional capitalization for each language, e.g., "JavaScript".
    The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. It is used in a number of systems and databases when reporting vulnerabilities.

    Libellus Potionis is a privacy-first, offline, ad-free Android app for tracking, pacing, and managing alcohol consumption. It requests no network permission and no camera/microphone/location access; all data stays on the device in the app's private, sandboxed storage, encrypted at rest (AES-256-GCM via the Android Keystore), with an optional biometric lock. It is Free Software under GPL-3.0-or-later, developed openly on Codeberg and distributed through F-Droid. The project is deliberately maintained as a teaching-quality codebase: every source file carries a license header and KDoc, and a release gate (tools/release-check.sh) enforces documentation, version consistency, English-only source, and translation completeness. Quality is guarded by a broad automated test suite (JVM unit tests plus instrumented Room-migration, Compose-UI, and locale tests) and by Android Lint and Kotlin compiler warnings promoted to build-breaking errors.

  • Prerequisites


    The project MUST achieve a silver level badge. [achieve_silver]

  • Project oversight


    The project MUST have a "bus factor" of 2 or more. (URL required) [bus_factor]
    A "bus factor" (aka "truck factor") is the minimum number of project members that have to suddenly disappear from a project ("hit by a bus") before the project stalls due to lack of knowledgeable or competent personnel. The truck-factor tool can estimate this for projects on GitHub. For more information, see Assessing the Bus Factor of Git Repositories by Cosentino et al.

    Not met. The project currently has a single maintainer, so its bus factor is 1. Achieving a bus factor of 2 or more requires a second, significantly involved maintainer. This is tracked as an open item in docs/ROADMAP.md ("Working toward the OpenSSF gold badge").



    The project MUST have at least two unassociated significant contributors. (URL required) [contributors_unassociated]
    Contributors are associated if they are paid to work by the same organization (as an employee or contractor) and the organization stands to benefit from the project's results. Financial grants do not count as being from the same organization if they pass through other organizations (e.g., science grants paid to different organizations from a common government or NGO source do not cause contributors to be associated). Someone is a significant contributor if they have made non-trivial contributions to the project in the past year. Examples of good indicators of a significant contributor are: written at least 1,000 lines of code, contributed 50 commits, or contributed at least 20 pages of documentation.

    Not met. The project currently has a single significant contributor (the sole maintainer), so it does not have two unassociated significant contributors. This will be satisfied by bringing on a second, independent significant contributor; tracked in docs/ROADMAP.md ("Working toward the OpenSSF gold badge").


  • Other


    The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project]. [license_per_file]
    This MAY also be done by including a statement in natural language identifying the license. The project MAY also include a stable URL pointing to the license text, or the full license text. Note that the criterion license_location requires the project license be in a standard location. See this SPDX tutorial for more information about SPDX license expressions. Note the relationship with copyright_per_file, whose content would typically precede the license information.

    Met. The same header that provides the copyright statement in each hand-authored source file also provides a licence statement — the GNU GPL v3-or-later grant text — which is a fuller form than an SPDX-License-Identifier line. It is present in every Kotlin, Gradle KTS, Python, shell, ProGuard, XML (resources and manifest), version-catalog, and configuration source file. The excluded categories are identical to copyright_per_file: generated files, vendored third-party files, third-party fonts, and pure data/binary assets.


 Change Control 4/4

  • Public version-controlled source repository


    The project's source repository MUST use a common distributed version control software (e.g., git or mercurial). [repo_distributed]
    Git is not specifically required and projects can use centralized version control software (such as subversion) with justification.

    The project uses Git, the most widely used distributed version control system, hosted on Codeberg (Forgejo). Repository: https://codeberg.org/godisch/potillus



    The project MUST clearly identify small tasks that can be performed by new or casual contributors. (URL required) [small_tasks]
    This identification is typically done by marking selected issues in an issue tracker with one or more tags the project uses for the purpose, e.g., up-for-grabs, first-timers-only, "Small fix", microtask, or IdealFirstBug. These new tasks need not involve adding functionality; they can be improving documentation, adding test cases, or anything else that aids the project and helps the contributor understand more about the project.

    Met. Small tasks for new or casual contributors are identified in the tracker with the "good first issue" label and described in CONTRIBUTING.md ("Good first issues"), which highlights native-speaker translation review of the machine-generated locales, documentation, and test cases as good entry points. URL: https://codeberg.org/godisch/potillus/issues?labels=1948199



    The project MUST require two-factor authentication (2FA) for developers for changing a central repository or accessing sensitive data (such as private vulnerability reports). This 2FA mechanism MAY use mechanisms without cryptographic mechanisms such as SMS, though that is not recommended. [require_2FA]

    Met. Write (push) access to the canonical repository (hosted on Codeberg) requires two-factor authentication as a documented project policy: docs/GOVERNANCE.md ("Repository access and account security") states that any account with write access MUST have cryptographic 2FA enabled. Currently the sole maintainer is the only account with write access and has 2FA enabled; the policy binds any future account granted write access. Codeberg additionally blocks plain-password HTTP/S git operations once 2FA is enabled, so access requires a token or SSH key. The forge offers no per-project 2FA enforcement toggle, so the requirement is enforced by written policy. Reference: https://codeberg.org/godisch/potillus/src/branch/main/docs/GOVERNANCE.md



    The project's two-factor authentication (2FA) SHOULD use cryptographic mechanisms to prevent impersonation. Short Message Service (SMS) based 2FA, by itself, does NOT meet this criterion, since it is not encrypted. [secure_2FA]
    A 2FA mechanism that meets this criterion would be a Time-based One-Time Password (TOTP) application that automatically generates an authentication code that changes after a certain period of time. Note that GitHub supports TOTP.

    Met. The project's 2FA policy (docs/GOVERNANCE.md, "Repository access and account security") mandates a cryptographic method — a TOTP authenticator app or a hardware security key — and explicitly excludes SMS. The maintainer's Codeberg 2FA uses such a cryptographic method. Reference: https://codeberg.org/godisch/potillus/src/branch/main/docs/GOVERNANCE.md


 Quality 4/7

  • Coding standards


    The project MUST document its code review requirements, including how code review is conducted, what must be checked, and what is required to be acceptable. (URL required) [code_review_standards]
    See also two_person_review and contribution_requirements.

    CONTRIBUTING.md ("Code review requirements", Section 2) documents the project's code review process: how review is conducted (every change is reviewed before merge by the maintainer as reviewer and sole merger; the reviewer runs the build, the test suite, and tools/release-check.sh locally since there is no CI service yet), an explicit checklist of what must be checked (scope/privacy fit, architecture rules, coding and KDoc conventions, warnings-as-errors, mandatory tests, localization completeness, per-file licensing, DCO sign-off, and schema-freeze rules), and the acceptance criteria required for a change to be merged. URL: https://codeberg.org/godisch/potillus/src/branch/main/CONTRIBUTING.md



    The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion [two_person_review]

    The project currently has a single maintainer who authors and reviews all changes, so fewer than 50% of modifications are reviewed by a person other than the author. The review process and checklist are documented (CONTRIBUTING.md, "Code review requirements"); satisfying this criterion requires a second, independent reviewer. Tracked in docs/ROADMAP.md ("Working toward the OpenSSF gold badge").


  • Working build system


    The project MUST have a reproducible build. If no building occurs (e.g., scripting languages where the source code is used directly instead of being compiled), select "not applicable" (N/A). (URL required) [build_reproducible]
    A reproducible build means that multiple parties can independently redo the process of generating information from source files and get exactly the same bit-for-bit result. In some cases, this can be resolved by forcing some sort order. JavaScript developers may consider using npm shrinkwrap and webpack OccurrenceOrderPlugin. GCC and clang users may find the -frandom-seed option useful. The build environment (including the toolset) can often be defined for external parties by specifying the cryptographic hash of a specific container or virtual machine that they can use for rebuilding. The reproducible builds project has documentation on how to do this.

    The Android build is reproducible. F-Droid builds the app from source and verifies that the result is bit-for-bit identical to the maintainer-signed APK before publishing it (F-Droid's Reproducible Builds process). This is documented in SECURITY.md ("Verifying releases"), and the F-Droid build recipe (fdroid/de.godisch.potillus.yml) pins the build and the allowed APK signing key, so anyone can rebuild from a release tag and compare against the published APK. URL: https://codeberg.org/godisch/potillus/src/branch/main/SECURITY.md


  • Automated test suite


    A test suite MUST be invocable in a standard way for that language. (URL required) [test_invocation]
    For example, "make check", "mvn test", or "rake test" (Ruby).

    The test suite is invoked in the standard way for a Gradle/Android project: ./gradlew test runs the JVM unit tests and ./gradlew connectedCheck runs the instrumented tests on a device or emulator. This conventional invocation is documented in CONTRIBUTING.md (Section 5, "Testing strategy", and the change-submission checklist in Section 2). URL: https://codeberg.org/godisch/potillus/src/branch/main/CONTRIBUTING.md



    The project MUST implement continuous integration, where new or changed code is frequently integrated into a central code repository and automated tests are run on the result. (URL required) [test_continuous_integration]
    In most cases this means that each developer who works full-time on the project integrates at least daily.

    Not currently implemented. The project is maintained by a single developer who builds and runs the full test suite and release gate (tools/release-check.sh) locally before each release, but there is no central CI service running automated tests on every change. This criterion is SUGGESTED at passing and a MUST at gold; the planned remediation is a Woodpecker pipeline (.woodpecker.yml) on Codeberg that runs the JVM unit tests (and lint/ktlint) on each push and reports success or failure — the same work as the silver automated_integration_testing item. Tracked in docs/ROADMAP.md.



    The project MUST have FLOSS automated test suite(s) that provide at least 90% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. [test_statement_coverage90]

    The JVM unit-test suite reaches ~97% statement (line) coverage, measured with Kover over the unit-testable code. Android-runtime-bound code (Compose UI, Room database/DAOs, DataStore preferences, Keystore, PDF/WebView rendering, and MediaStore import/export) is excluded from this figure and verified instead by the instrumented suite (src/androidTest). A build-breaking 90% line floor is enforced by the koverVerify Gradle task in the release gate (make cover-check). Methodology: CONTRIBUTING.md §5; scope/enforcement: app/build.gradle.kts.



    The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. [test_branch_coverage80]

    Branch coverage is ~80% (Kover, unit-testable scope), with a 75% regression floor enforced via koverVerify. The remaining branches lie in Android-/Compose-adjacent code (ViewModel StateFlow assembly, resource-bound error mapping); reaching the ≥80% gold threshold is a tracked roadmap goal.


 Security 4/5

  • Use basic good cryptographic practices

    Note that some software does not need to use cryptographic mechanisms. If your project produces software that (1) includes, activates, or enables encryption functionality, and (2) might be released from the United States (US) to outside the US or to a non-US-citizen, you may be legally required to take a few extra steps. Typically this just involves sending an email. For more information, see the encryption section of Understanding Open Source Technology & US Export Controls.

    The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A). [crypto_used_network]

    Not applicable. The application performs no network communication: it does not declare the INTERNET permission, works entirely offline, and transmits no data. There are therefore no network protocols whose security could be assessed.



    The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). [crypto_tls12]

    Not applicable. The application does not use TLS because it performs no network communication at all (no INTERNET permission, offline-only). There is no TLS configuration or version to assess.


  • Secured delivery against man-in-the-middle (MITM) attacks


    The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values. (URL required) [hardened_site]
    Note that GitHub and GitLab are known to meet this. Sites such as https://securityheaders.com/ can quickly check this. The key hardening headers are: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Content-Type-Options (as "nosniff"), and X-Frame-Options. Fully static web sites with no ability to log in via the web pages could omit some hardening headers with less risk, but there's no reliable way to detect such sites, so we require these headers even if they are fully static sites.

    Not met. The criterion requires the repository and download sites to send four key hardening headers (CSP, HSTS, X-Content-Type-Options: nosniff, X-Frame-Options). The download site (F-Droid) sends all four. The repository host (Codeberg) sends strong HSTS (max-age two years, includeSubDomains, preload) and X-Frame-Options, but not CSP or X-Content-Type-Options. These headers are set by Codeberg, not by the project, and cannot be configured from the repository. Tracked in docs/ROADMAP.md; remediation is to request the missing headers from Codeberg or mirror on a compliant platform.


  • Other security issues


    The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary. [security_review]
    This MAY be done by the project members and/or an independent evaluation. This evaluation MAY be supported by static and dynamic analysis tools, but there also must be human review to identify problems (particularly in design) that tools cannot detect.

    A security review was performed in 2026 and is recorded in docs/ASSURANCE_CASE.md ("Security review record"). It takes into account the security requirements (SECURITY.md, "Security model") and the security boundary (the threat model and trust boundaries in the assurance case), combining that analysis with an Android-focused code/QA pass over the security-relevant areas (at-rest Keystore encryption, input and backup/import validation, CSV-injection neutralization, the permission surface and exported components, and the FLAG_SECURE / allowBackup / R8 hardening). No unresolved high-severity issues are known; residual risks are stated explicitly. URL: https://codeberg.org/godisch/potillus/src/branch/main/docs/ASSURANCE_CASE.md



    Hardening mechanisms MUST be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. (URL required) [hardening]
    Hardening mechanisms may include HTTP headers like Content Security Policy (CSP), compiler flags to mitigate attacks (such as -fstack-protector), or compiler flags to eliminate undefined behavior. For our purposes least privilege is not considered a hardening mechanism (least privilege is important, but separate).

    Met. Release builds apply R8 code shrinking and obfuscation (isMinifyEnabled = true) with resource shrinking and the optimizing ProGuard configuration. The manifest sets android:allowBackup="false" to prevent backup-based data exfiltration, and the app applies WindowManager FLAG_SECURE by default from cold start to block screenshots, screen recording, and Recents-thumbnail exposure. The permission set is minimal (no network or telephony; only USE_BIOMETRIC) and only the launcher activity is exported. These complement the hardware-backed Keystore at-rest encryption and the warnings-as-errors/lint gate. URL: https://codeberg.org/godisch/potillus/src/branch/main/android/app/build.gradle.kts


 Analysis 1/2

  • Dynamic code analysis


    The project MUST apply at least one dynamic analysis tool to any proposed major production release of the software produced by the project before its release. [dynamic_analysis]
    A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., American Fuzzy Lop) or a web application scanner (e.g., OWASP ZAP or w3af). In some cases the OSS-Fuzz project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems or be an automated test suite with at least 80% branch coverage. The Wikipedia page on dynamic analysis and the OWASP page on fuzzing identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.

    No dedicated dynamic analysis tool (fuzzer, sanitizer, or scanner) is applied before releases, and branch coverage is not yet measured, so the "automated test suite with ≥80% branch coverage counts as dynamic analysis" allowance cannot yet be claimed. The instrumented tests do exercise the app on a device/emulator, but without a measured ≥80% branch-coverage figure this does not yet meet the criterion. Remediation is tied to the Kover branch-coverage work in docs/ROADMAP.md; alternatively a dedicated dynamic tool could be added.



    The project SHOULD include many run-time assertions in the software it produces and check those assertions during dynamic analysis. [dynamic_analysis_enable_assertions]
    This criterion does not suggest enabling assertions during production; that is entirely up to the project and its users to decide. This criterion's focus is instead to improve fault detection during dynamic analysis before deployment. Enabling assertions in production use is completely different from enabling assertions during dynamic analysis (such as testing). In some cases enabling assertions in production use is extremely unwise (especially in high-integrity components). There are many arguments against enabling assertions in production, e.g., libraries should not crash callers, their presence may cause rejection by app stores, and/or activating an assertion in production may expose private data such as private keys. Beware that in many Linux distributions NDEBUG is not defined, so C/C++ assert() will by default be enabled for production in those environments. It may be important to use a different assertion mechanism or defining NDEBUG for production in those environments.

    Not met (SHOULD). The criterion targets fault detection during dynamic analysis (testing), not production. The produced code contains a small number of always-on Kotlin preconditions (require/check/error) that are checked whenever the code runs, including under the test suite, but not "many". Remediation (tracked in docs/ROADMAP.md): add invariant assertions in the JVM-testable domain and data layers using Kotlin assert(), which Gradle's unit-test task runs with assertions enabled (-ea) by default, so they are checked during dynamic analysis while remaining disabled in ART release builds.



This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit Martin A. Godisch and the OpenSSF Best Practices badge contributors.

Project badge entry owned by: Martin A. Godisch.
Entry created on 2026-07-04 04:21:04 UTC, last updated on 2026-07-07 03:30:36 UTC. Last achieved passing badge on 2026-07-04 08:45:54 UTC.