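Projects that follow the best practices below can voluntarily self-certify and show that they have achieved the Core Infrastructure Initiative (OpenSSF) badge.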
<a href="https://www.bestpractices.dev/projects/1369"><img src="https://www.bestpractices.dev/projects/1369/badge"></a>
systemd System and Service Manager
There are multiple "owners" on GitHub (https://github.com/orgs/systemd/people), each of whom has pretty much a full set of rights. We also use freedesktop.org, with multiple accounts there, and do not control any domains or keys directly.
The project has core maintainers from different companies, and also working as individuals: https://github.com/systemd/systemd/graphs/contributors
Every source file in the project uses the SPDX-License-Identifier header.
Every source file and every document is tagged with an SPDX-License-Identifier line.
Repository on GitHub, which uses git. git is distributed.
We have a label that identifies trivial bugs that can be easily solved by casual contributors or bug reporters: https://github.com/systemd/systemd/issues?q=is%3Aopen+is%3Aissue+label%3Aplease-submit-as-pr
The GitHub organization is configured to require 2FA as a condition for being a member.
GitHub's 2FA supports TOTP and FIDO2 security keys.
Coding style and best practices are documented in the repository: https://github.com/systemd/systemd/blob/main/docs/CODING_STYLE.md
All code is submitted through pull requests, and every pull request is reviewed by at least one maintainer other than the pull request author.
The project builds reproducibly as demonstrated by the reproducible builds CI: https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/systemd.html
ninja test invokes standard unit tests. https://mesonbuild.com/Unit-tests.html
ninja test
We have CI hooked up to GitHub PRs on GitHub Actions, Semaphore, Ubuntu autopkgtests, and a custom setup to test Fedora rpms. Those tests are run on every PR and commit to the master branch. Example: https://github.com/systemd/systemd/actions
We don't implement protocol algorithms ourselves, but instead rely on well-established libraries like libmicrohttpd and programs like ssh.
libmicrohttpd supports that, so we do too.
The project is stored on GitHub https://github.com/systemd/systemd // X-Content-Type-Options was not set to "nosniff".
We rely on distros to provide reasonable compilation options. For example, in Fedora "-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection". Users are generally not expected to compile and install the project themselves. Example build showing the hardening options: https://buildd.debian.org/status/fetch.php?pkg=systemd&arch=amd64&ver=252.6-1&stamp=1677676180&raw=0
We use valgrind; the tests are automatically run under it. We also build with address-sanitizer in CI and run tests with that.
A quick grep shows 25000+ assertion statements.