Libellus Potionis

Projects that follow the best practices below can voluntarily self-certify and show that they've achieved an Open Source Security Foundation (OpenSSF) best practices badge.

There is no set of practices that can guarantee that software will never have defects or vulnerabilities; even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. However, following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can both help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different companies. To earn a badge, all MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR be unmet with justification, and all SUGGESTED criteria must be met OR unmet (we want them considered at least). If you want to enter justification text as a generic comment, instead of being a rationale that the situation is acceptable, start the text block with '//' followed by a space. Feedback is welcome via the GitHub site as issues or pull requests There is also a mailing list for general discussion.

We gladly provide the information in several locales, however, if there is any conflict or inconsistency between the translations, the English version is the authoritative version.
If this is your project, please show your baseline badge status on your project page! The baseline badge status looks like this: Baseline badge level for project 13480 is baseline-2 Here is how to embed the baseline badge:
You can show your baseline badge status by embedding this in your markdown file:
[![OpenSSF Baseline](https://www.bestpractices.dev/projects/13480/baseline)](https://www.bestpractices.dev/projects/13480)
or by embedding this in your HTML:
<a href="https://www.bestpractices.dev/projects/13480"><img src="https://www.bestpractices.dev/projects/13480/baseline"></a>


These are the Baseline Level 3 criteria. These are criteria version v2026.02.19.

Baseline Series: Baseline Level 1 Baseline Level 2 Baseline Level 3

        

 Basics

  • General

    Note that other projects may use the same name.

    Libellus Potionis is a privacy-first, free, open-source, ad-free alcohol-consumption tracker that helps users monitor, pace, and manage their drinking habits entirely offline. It needs no invasive device permissions — no camera, microphone, or location access — and works completely without network connectivity.

    Key features

    • Intelligent logging: predefine custom beverages or use internationally common presets, and log drinks instantly or retroactively with precise timestamp corrections.
    • Concurrent limit tracking: set three simultaneous boundaries — a daily limit (grams of pure alcohol), a rolling 7-day weekly limit (grams), and a maximum number of drinking days per week — with visual progress bars in real time.
    • Blood-alcohol (BAC) estimation: enter your body weight for a live BAC approximation based on the established Widmark formula.
    • Addiction-counseling reports: generate a clear, well-organized two-page PDF report designed for consultations and counseling appointments.
    • Data portability: export your complete dataset as a standard CSV file for external processing (e.g. in LibreOffice Calc), or create secure JSON backups to migrate data between devices.
    • Granular adjustments: customize your "day start" time so late-night drinks count toward the correct evening, and define custom evaluation start dates for clean restarts.

    A comprehensive User's Guide is fully accessible in-app. The app is available on F-Droid.

    Please use SPDX license expression format; examples include "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", and "(BSD-2-Clause OR Ruby)". Do not include single quotes or double quotes.
    If there is more than one language, list them as comma-separated values (spaces optional) and sort them from most to least used. If there is a long list, please list at least the first three most common ones. If there is no language (e.g., this is a documentation-only or test-only project), use the single character "-". Please use a conventional capitalization for each language, e.g., "JavaScript".
    The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. It is used in a number of systems and databases when reporting vulnerabilities.

    Libellus Potionis is a privacy-first, offline, ad-free Android app for tracking, pacing, and managing alcohol consumption. It requests no network permission and no camera/microphone/location access; all data stays on the device in the app's private, sandboxed storage, encrypted at rest (AES-256-GCM via the Android Keystore), with an optional biometric lock. It is Free Software under GPL-3.0-or-later, developed openly on Codeberg and distributed through F-Droid. The project is deliberately maintained as a teaching-quality codebase: every source file carries a license header and KDoc, and a release gate (tools/release-check.sh) enforces documentation, version consistency, English-only source, and translation completeness. Quality is guarded by a broad automated test suite (JVM unit tests plus instrumented Room-migration, Compose-UI, and locale tests) and by Android Lint and Kotlin compiler warnings promoted to build-breaking errors.

 Controls 18/21

  • Controls


    When a job is assigned permissions in a CI/CD pipeline, the source code or configuration MUST only assign the minimum privileges necessary for the corresponding activity. [OSPS-AC-04.02]
    Configure the project's CI/CD pipelines to assign the lowest available permissions to users and services by default, elevating permissions only when necessary for specific tasks. In some version control systems, this may be possible at the organizational or repository level. If not, set permissions at the top level of the pipeline.

    This control is conditional on the project operating a CI/CD pipeline in which jobs are assigned permissions, and the project operates none. No CI/CD system or pipeline is configured in the repository (no Woodpecker, Forgejo Actions, GitHub Actions, GitLab CI, or other automation), so there are no pipeline jobs that could be granted more than the minimum privileges; the precondition never occurs. Releases are built and published manually with Fastlane, run locally by the sole maintainer on a trusted checkout. Should a CI/CD pipeline be introduced later, it will be configured to assign the lowest available permissions by default and elevate only where a specific task requires it — tracked in the project roadmap, alongside the related OSPS-AC-04.01 and OSPS-BR-01.04.



    CI/CD pipelines which accept trusted collaborator input MUST sanitize and validate that input prior to use in the pipeline. [OSPS-BR-01.04]
    CI/CD pipelines should sanitize (quote, escape or exit on expected values) all collaborator inputs on explicit workflow executions. While collaborators are generally trusted, manual inputs to a workflow cannot be reviewed and could be abused by an account takeover or insider threat.

    This control is conditional on the project operating CI/CD pipelines that accept trusted-collaborator input, and the project operates no CI/CD pipelines at all. No CI/CD system or pipeline is configured in the repository (no Woodpecker, Forgejo Actions, GitHub Actions, GitLab CI, or other automation), so there is no pipeline — and in particular none accepting manual collaborator/workflow input — whose input could require sanitizing or validation; the precondition never occurs. Releases are built and published manually with Fastlane, run locally by the sole maintainer on a trusted checkout. Should a CI/CD pipeline be introduced later, any collaborator or workflow inputs it accepts will be sanitized and validated before use, consistent with the related OSPS-BR-01.01/OSPS-BR-01.03 and OSPS-AC-04.01/OSPS-AC-04.02 (tracked in the project roadmap).



    When an official release is created, all assets within that release MUST be clearly associated with the release identifier or another unique identifier for the asset. [OSPS-BR-02.02]
    Assign a unique version identifier to each software asset produced by the project, following a consistent naming convention or numbering scheme. Examples include SemVer, CalVer, or git commit id.

    Every user-facing release has a unique version identifier. The app carries a three-part versionName (MAJOR.MINOR.PATCH) and a strictly increasing integer versionCode, both defined in android/app/build.gradle.kts. CONTRIBUTING.md requires that the versionName, the top CHANGELOG.md entry, the README title, and the proguard-rules.pro header all carry the same version string and that versionCode increases by at least 1 each release; the tools/release-check.sh release gate enforces this consistency automatically. See https://codeberg.org/godisch/potillus/src/branch/main/CONTRIBUTING.md#7-versioning--release-checklist



    The project MUST define a policy for managing secrets and credentials used by the project. The policy should include guidelines for storing, accessing, and rotating secrets and credentials. [OSPS-BR-07.02]
    Document how secrets and credentials are managed and used within the project. This should include details on how secrets are stored (e.g., using a secrets management tool), how access is controlled, and how secrets are rotated or updated. Ensure that sensitive information is not hard-coded in the source code or stored in version control systems.

    SECURITY.md defines a "Secrets and credentials" policy — https://codeberg.org/godisch/potillus/src/branch/main/SECURITY.md#secrets-and-credentials — enumerating the secrets used (release signing keystore, Google Play upload credentials, and the maintainer's OpenPGP signing key) with guidelines for storing them (never hard-coded or committed; git-ignored with structure-only templates; environment-variable injection), accessing them (held solely by the single maintainer on trusted machines, not shared), and rotating them (Play credential/tokens rotated at will; OpenPGP key rotated by publishing a new key; the long-lived Android app-signing key rotated only on suspected compromise via the distribution channel's key-rotation process; any exposed secret revoked and replaced before the next release).



    When the project has made a release, the project documentation MUST contain instructions to verify the integrity and authenticity of the release assets. [OSPS-DO-03.01]
    Instructions in the project should contain information about the technology used, the commands to run, and the expected output. When possible, avoid storing this documentation in the same location as the build and release pipeline to avoid a single breach compromising both the software and the documentation for verifying the integrity of the software.

    Releases are cryptographically signed with the maintainer's own Android app-signing key via reproducible builds; the private key is held only by the maintainer and is never stored on Codeberg, F-Droid, or any other distribution site. SECURITY.md ("Verifying releases") documents how users obtain the public key and verify a release: the F-Droid client verifies the signature automatically and the project's F-Droid metadata pins the allowed signing key; users can also compare the APK signing certificate SHA-256 fingerprint (7506f17184b31a2d67621305d190a73e497806b39f7d64463ff5dbc0afd8317b) via apksigner verify --print-certs, or reproduce the build and compare. URL: https://codeberg.org/godisch/potillus/src/branch/main/SECURITY.md#verifying-releases



    When the project has made a release, the project documentation MUST contain instructions to verify the expected identity of the person or process authoring the software release. [OSPS-DO-03.02]
    The expected identity may be in the form of key IDs used to sign, issuer and identity from a sigstore certificate, or other similar forms. When possible, avoid storing this documentation in the same location as the build and release pipeline to avoid a single breach compromising both the software and the documentation for verifying the integrity of the software.

    Releases are cryptographically signed with the maintainer's own Android app-signing key via reproducible builds; the private key is held only by the maintainer and is never stored on Codeberg, F-Droid, or any other distribution site. SECURITY.md ("Verifying releases") documents how users obtain the public key and verify a release: the F-Droid client verifies the signature automatically and the project's F-Droid metadata pins the allowed signing key; users can also compare the APK signing certificate SHA-256 fingerprint (7506f17184b31a2d67621305d190a73e497806b39f7d64463ff5dbc0afd8317b) via apksigner verify --print-certs, or reproduce the build and compare. URL: https://codeberg.org/godisch/potillus/src/branch/main/SECURITY.md#verifying-releases



    When the project has made a release, the project documentation MUST include a descriptive statement about the scope and duration of support for each release. [OSPS-DO-04.01]
    In order to communicate the scope and duration of support for the project's released software assets, the project should have a SUPPORT.md file, a "Support" section in SECURITY.md, or other documentation explaining the support lifecycle, including the expected duration of support for each release, the types of support provided (e.g., bug fixes, security updates), and any relevant policies or procedures for obtaining support.

    SECURITY.md includes a "Support" section describing the scope and duration of support for each release — https://codeberg.org/godisch/potillus/src/branch/main/SECURITY.md#support . The project is a single-maintainer rolling release in which only the latest version is supported; support consists of best-effort bug fixes and security updates shipped in new releases via F-Droid, with no back-porting; each release is supported until the next supersedes it; and support is obtained through the Codeberg issue tracker (or the vulnerability-reporting process for security issues).



    When the project has made a release, the project documentation MUST provide a descriptive statement when releases or versions will no longer receive security updates. [OSPS-DO-05.01]
    In order to communicate the scope and duration of support for security fixes, the project should have a SUPPORT.md or other documentation explaining the project's policy for security updates.

    The "Support" section of SECURITY.md states when versions stop receiving security updates — https://codeberg.org/godisch/potillus/src/branch/main/SECURITY.md#support . A given version stops receiving security updates as soon as a newer release supersedes it, because security fixes are shipped in new releases rather than back-ported; if the project is discontinued this will be announced in the repository, after which no further security updates are provided.



    While active, the project documentation MUST have a policy that code collaborators are reviewed prior to granting escalated permissions to sensitive resources. [OSPS-GV-04.01]
    Publish an enforceable policy in the project documentation that requires code collaborators to be reviewed and approved before being granted escalated permissions to sensitive resources, such as merge approval or access to secrets. It is recommended that vetting includes establishing a justifiable lineage of identity such as confirming the contributor's association with a known trusted organization.

    docs/GOVERNANCE.md documents an enforceable policy that code collaborators are reviewed before being granted escalated permissions to sensitive resources — https://codeberg.org/godisch/potillus/src/branch/main/docs/GOVERNANCE.md#repository-access-and-account-security . Write/merge access to the canonical repository and access to release secrets or credentials are granted only after the maintainer has reviewed and approved the individual, considering their track record of contributions reviewed through the normal pull-request process, a justifiable lineage of identity, and the mandatory 2FA. Permissions are granted at the lowest level needed and escalated only as further need is demonstrated; until such a grant, all contributions go through pull requests merged only by the maintainer, so no contributor holds escalated permissions without this review.



    When the project has made a release, all compiled released software assets MUST be delivered with a software bill of materials. [OSPS-QA-02.02]
    It is recommended to auto-generate SBOMs at build time using a tool that has been vetted for accuracy. This enables users to ingest this data in a standardized approach alongside other projects in their environment.

    Every released version is delivered with a CycloneDX software bill of materials, one per platform. The Android build generates its SBOM alongside the release artifact — make release-android/make bundle run the cyclonedxDirectBom Gradle task, producing android/app/build/outputs/sbom/libellus-potionis-sbom.json, normalized to be byte-stable and staged as <id>_<code>android_sbom.json — and the iOS build generates an equivalent CycloneDX 1.6 SBOM from ios/PotillusKit/Package.resolved via tools/gen-ios-sbom.py, normalized by the same tools/sbom-normalize.py and staged as <id><code>_ios_sbom.json (make ios-sbom / make release-ios). Each published release on Codeberg is accompanied by the platform SBOM(s) as downloadable release assets: https://codeberg.org/godisch/potillus/releases . Attaching the SBOM is a documented step in the release checklist: https://codeberg.org/godisch/potillus/src/branch/main/CONTRIBUTING.md#7-versioning--release-checklist . Users can thus obtain a standardized, auto-generated SBOM for each release of either app.



    When the project has made a release comprising multiple source code repositories, all subprojects MUST enforce security requirements that are as strict or stricter than the primary codebase. [OSPS-QA-04.02]
    Any additional subproject code repositories produced by the project and compiled into a release must enforce security requirements as applicable to the status and intent of the respective codebase. In addition to following the corresponding OSPS Baseline requirements, this may include requiring a security review, ensuring that it is free of vulnerabilities, and ensuring that it is free of known security issues.

    This control applies only to a release comprising multiple source code repositories, and Libellus Potionis is a single-repository project. The entire application is built from one canonical repository (https://codeberg.org/godisch/potillus), with no submodules, subprojects, or additional source repositories compiled into the release, so there are no subprojects that could need to enforce security requirements as strict as the primary codebase; the precondition never occurs. This is consistent with the single-repository answer given for the related OSPS-QA-04.01.



    While active, project's documentation MUST clearly document when and how tests are run. [OSPS-QA-06.02]
    Add a section to the contributing documentation that explains how to run the tests locally and how to run the tests in the CI/CD pipeline. The documentation should explain what the tests are testing and how to interpret the results.

    The project ships a substantial automated test suite, released as FLOSS under GPL-3.0-or-later in the same repository: JVM unit tests in android/app/src/test/ (domain, data, l10n, util, and ViewModel layers, plus LocaleSyncTest) and instrumented tests in android/app/src/androidTest/ (Room migration validation, Compose UI components, on-device locale formatting), using FLOSS test frameworks (JUnit, AndroidX/Compose testing). How to run the tests is documented in CONTRIBUTING.md §5 "Testing strategy" (./gradlew :app:test for unit tests, ./gradlew :app:connectedAndroidTest for instrumented tests) and §7. See https://codeberg.org/godisch/potillus/src/branch/main/CONTRIBUTING.md#5-testing-strategy



    While active, the project's documentation MUST include a policy that all major changes to the software produced by the project should add or update tests of the functionality in an automated test suite. [OSPS-QA-06.03]
    Add a section to the contributing documentation that explains the policy for adding or updating tests. The policy should explain what constitutes a major change and what tests should be added or updated.

    The project has a formal written policy mandating tests for new functionality. CONTRIBUTING.md §5 ("Test policy (mandatory)") states that as major new functionality is added, automated tests covering it MUST be added to the project's automated test suite as part of the same change, and that a change introducing significant new behavior without accompanying tests will not be merged. This is reinforced by the domain-layer coverage-floor rules in the same section. URL: https://codeberg.org/godisch/potillus/src/branch/main/CONTRIBUTING.md#5-testing-strategy



    When a commit is made to the primary branch, the project's version control system MUST require at least one non-author human approval of the changes before merging. [OSPS-QA-07.01]
    Configure the project's version control system to require at least one non-author human approval of changes before merging into the release or primary branch. This can be achieved by requiring a pull request to be reviewed and approved by at least one other collaborator before it can be merged.

    The project currently has a single maintainer who authors and reviews all changes, so fewer than 50% of modifications are reviewed by a person other than the author. The review process and checklist are documented (CONTRIBUTING.md, "Code review requirements"); satisfying this criterion requires a second, independent reviewer. Tracked in docs/ROADMAP.md ("Working toward the OpenSSF gold badge").



    When the project has made a release, the project MUST perform a threat modeling and attack surface analysis to understand and protect against attacks on critical code paths, functions, and interactions within the system. [OSPS-SA-03.02]
    Threat modeling is an activity where the project looks at the codebase, associated processes and infrastructure, interfaces, key components and "thinks like a hacker" and brainstorms how the system be be broken or compromised. Each identified threat is listed out so the project can then think about how to proactively avoid or close off any gaps/vulnerabilities that could arise. Ensure this is updated for new features or breaking changes.

    The project provides a security assurance case in docs/ASSURANCE_CASE.md (linked from SECURITY.md). It states the security requirements, describes the threat model (assets, in-scope adversaries/attacks, and explicit out-of-scope residual risks), identifies the trust boundaries (app sandbox, hardware-backed Keystore, FLAG_SECURE screen boundary, device/biometric authentication, the export boundary, and the absence of a network boundary), argues that secure design principles were applied (least privilege, secure defaults, economy of mechanism, defense in depth, fail-safe), and maps common implementation weakness classes to their countermeasures (injection, insecure storage, cryptography, input validation, network exposure, memory safety, tampering, and upgrade data integrity). URL: https://codeberg.org/godisch/potillus/src/branch/main/docs/ASSURANCE_CASE.md [assurance_case]



    While active, any vulnerabilities in the software components not affecting the project MUST be accounted for in a VEX document, augmenting the vulnerability report with non-exploitability details. [OSPS-VM-04.02]
    Establish a VEX feed communicating the exploitability status of known vulnerabilities, including assessment details or any mitigations in place preventing vulnerable code from being executed.

    The project scans its dependencies with osv-scanner against the CycloneDX SBOM and triages findings — exploitable issues are fixed, and issues that do not affect this app are recorded as non-exploitable (SECURITY.md, "Dependency monitoring") — but this triage is not published as a VEX document. The project does not currently produce a VEX (Vulnerability Exploitability eXchange) feed communicating the exploitability status and non-exploitability justifications of known vulnerabilities in a standardized, machine-readable form, as this control requires.



    While active, the project documentation MUST include a policy that defines a threshold for remediation of SCA findings related to vulnerabilities and licenses. [OSPS-VM-05.01]
    Document a policy in the project that defines a threshold for remediation of SCA findings related to vulnerabilities and licenses. Include the process for identifying, prioritizing, and remediating these findings.

    The project applies a documented approach to remediating software-composition-analysis (SCA) findings for both vulnerabilities and licenses. Vulnerabilities: dependencies are scanned before each release with osv-scanner against the CycloneDX SBOM and triaged so that exploitable vulnerabilities are remediated (upgraded or mitigated) before release and non-exploitable ones are recorded — https://codeberg.org/godisch/potillus/src/branch/main/SECURITY.md#dependency-monitoring . Licenses: every third-party dependency is verified to be under a license compatible with the project's GPL-3.0-or-later distribution and documented as such, so a dependency with an incompatible license is not shipped — https://codeberg.org/godisch/potillus/src/branch/main/COPYING.md . Together these define the remediation threshold for SCA findings.



    While active, the project documentation MUST include a policy to address SCA violations prior to any release. [OSPS-VM-05.02]
    Document a policy in the project to address applicable Software Composition Analysis results before any release, and add status checks that verify compliance with that policy prior to release.

    The project periodically checks its external dependencies for known vulnerabilities. As documented in SECURITY.md ("Dependency monitoring") and enforced by the CONTRIBUTING.md §7 release checklist, dependencies are scanned before each release with osv-scanner (a FLOSS scanner querying the OSV database) against the CycloneDX SBOM the build generates. Reported issues are triaged: exploitable vulnerabilities are fixed by upgrading or mitigating the affected dependency; non-exploitable ones are recorded as such. URL: https://codeberg.org/godisch/potillus/src/branch/main/SECURITY.md#dependency-monitoring



    While active, all changes to the project's codebase MUST be automatically evaluated against a documented policy for malicious dependencies and known vulnerabilities in dependencies, then blocked in the event of violations, except when declared and suppressed as non-exploitable. [OSPS-VM-05.03]
    Create a status check in the project's version control system that runs a Software Composition Analysis tool on all changes to the codebase. Require that the status check passes before changes can be merged.

    This control requires all changes to be automatically evaluated against a documented policy for malicious and vulnerable dependencies and blocked on violation. The project scans dependencies with osv-scanner against the CycloneDX SBOM before each release and triages findings (SECURITY.md, "Dependency monitoring"), but that check is a manual pre-release step, not an automated per-change gate that blocks changes on violation. Without a CI pipeline enforcing it, changes are not automatically evaluated and blocked, so this control is not met. (Tracked in the project roadmap alongside the CI-based automated-blocking work.)



    While active, the project documentation MUST include a policy that defines a threshold for remediation of SAST findings. [OSPS-VM-06.01]
    Document a policy in the project that defines a threshold for remediation of Static Application Security Testing (SAST) findings. Include the process for identifying, prioritizing, and remediating these findings.

    Findings from static analysis cannot reach a release: Android Lint runs as a release gate with abortOnError = true and warningsAsErrors = true, so any reported issue breaks the build and must be fixed (or made an explicit, reviewable exception) before a release can be produced. Timely remediation is thus enforced by construction, and no exploitable medium-or-higher findings are currently outstanding. See https://codeberg.org/godisch/potillus/src/branch/main/android/app/build.gradle.kts



    While active, all changes to the project's codebase MUST be automatically evaluated against a documented policy for security weaknesses and blocked in the event of violations except when declared and suppressed as non-exploitable. [OSPS-VM-06.02]
    Create a status check in the project's version control system that runs a Static Application Security Testing (SAST) tool on all changes to the codebase. Require that the status check passes before changes can be merged.

    Android Lint, a FLOSS static analysis tool that goes well beyond compiler warnings and safe-language modes (it analyzes code, resources, the manifest, API usage, correctness, performance, and security across hundreds of rules), is applied to every release as a build gate: android/app/build.gradle.kts configures lint { abortOnError = true; warningsAsErrors = true } and the release process runs ./gradlew lintDebug, so a release cannot be produced while Lint reports any issue. See https://codeberg.org/godisch/potillus/src/branch/main/android/app/build.gradle.kts



This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit Martin A. Godisch and the OpenSSF Best Practices badge contributors.

Project badge entry owned by: Martin A. Godisch.
Entry created on 2026-07-04 04:21:04 UTC, last updated on 2026-07-14 19:16:17 UTC. Last achieved passing badge on 2026-07-04 08:45:54 UTC.