BIND 9

遵循以下最佳实践的项目将能够自愿的自我认证,并显示他们已经实现了核心基础设施计划(OpenSSF)徽章。

如果这是您的项目,请在您的项目页面上显示您的徽章状态!徽章状态如下所示: 项目299的徽章级别为passing 这里是如何嵌入它:

这些是黄金级别条款。您还可以查看通过白银级别条款。

        

 基本 3/5

  • 识别

    BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet.

  • 先决条件


    不足以获得徽章。

    该项目必须拥有银级徽章。 [achieve_silver]

  • 项目监督


    足够获得徽章!

    项目必须具有2个或更多的“公交车因子”。 (需要网址) [bus_factor]

    https://gitlab.isc.org/isc-projects/bind9/graphs/master We have a team of active committers. The gitlab graph actually understates contributors because we have fewer authorized committers.


    未知的所需信息,不足以用于徽章。

    该项目必须至少有两个不相关的重要贡献者。 (需要网址) [contributors_unassociated]

  • 其他


    足够获得徽章!

    项目必须在每个源文件中包含许可证声明。这可以通过在每个文件开头附近的注释中加入以下内容来实现: SPDX-License-Identifier: [SPDX license expression for project][license_per_file]

    we have this header in each file: - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. -->

    and this at the top level of our repo https://gitlab.isc.org/isc-projects/bind9/-/blob/main/LICENSE

    and of course, it is also mentioned in the readme...


  • 公开的版本控制的源代码存储库


    足够获得徽章!

    必须使用通用的分布式版本控制软件(例如,git,mercurial)作为项目的源代码存储库。 [repo_distributed]

    We use a privately hosted instance of the open source Gitlab.


    足够获得徽章!

    该项目必须清楚地识别新的或临时贡献者可以执行的小型任务。 (需要网址) [small_tasks]

    We have a number of such items identified by the label "patches welcome" https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=created_date&state=opened&label_name%5B%5D=Patches%20Welcome&first_page_size=20


    足够获得徽章!

    项目必须要求开发人员使用双因素身份验证(2FA)来更改中央存储库或访问敏感数据(如私密漏洞报告)。这种2FA机制可以使用没有密码学机制的方案,如SMS(短消息),尽管不推荐。 [require_2FA]

    We require 2FA for developers, maintainers and owners. https://gitlab.isc.org/isc-projects/bind9/-/project_members


    足够获得徽章!

    项目的双因素身份认证(2FA)应该使用加密机制来防止仿冒。基于短消息服务(SMS)的2FA本身不符合此标准,因为它不被加密。 [secure_2FA]

    We use TOTP: https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html


  • 编码标准


    足够获得徽章!

    该项目必须记录其代码检视需求,包括代码检视是如何进行的,必须检查的内容以及哪些是可接纳的内容。 (需要网址) [code_review_standards]

    https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/dev/dev.md#reviews This is also explained and linked in the Contributing document https://gitlab.isc.org/isc-projects/bind9/-/blob/main/CONTRIBUTING.md

    Our code review process includes a list of things to check. In brief, the developer creates a branch for the work to be committed. When the work is ready, he/she creates a merge request marked with the label 'review' and unassigns themselves to the issue. Someone else on the team takes the issue and reviews the code, providing comments via Gitlab, and then they remove the review label and reassign back to the original author. The original author then addresses the comments, which could include explaining why they did something, or - most often - by modifying the code or documentation.


    足够获得徽章!

    该项目必须至少有50%的修改(作者之外的人提出的)在发布之前审查,以确定是否是一个有价值的修改,并且没有已知的问题,会反对其包含 [two_person_review]

    https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/dev/dev.md#reviews This is also explained and linked in the Contributing document https://gitlab.isc.org/isc-projects/bind9/-/blob/main/CONTRIBUTING.md

    Our code review process includes a list of things to check. In brief, the developer creates a branch for the work to be committed. When the work is ready, he/she creates a merge request marked with the label 'review' and unassigns themselves to the issue. Someone else on the team takes the issue and reviews the code, providing comments via Gitlab, and then they remove the review label and reassign back to the original author. The original author then addresses the comments, which could include explaining why they did something, or - most often - by modifying the code or documentation.


  • 可工作的构建系统


    足够获得徽章!

    该项目必须具有可重复构建。如果没有发生构建(例如,直接使用源代码而不是编译的脚本语言),请选择“不适用”(N/A)。 (需要网址) [build_reproducible]

    BIND is packaged in several operating systems that do provide reproducible builds (Debian, Arch Linux, SUSE, etc). https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/bind9.html


  • 自动测试套件


    足够获得徽章!

    测试套件必须以该语言的标准方式进行调用。 (需要网址) [test_invocation]

    https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/dev/dev.md#testing Our tests can be executed using "make check".


    足够获得徽章!

    该项目必须实施持续集成,将新的或更改的代码经常集成到中央代码库中,并对结果进行自动化测试。 (需要网址) [test_continuous_integration]

    We use continuous integration running in our Gitlab instance. https://gitlab.isc.org/isc-projects/bind9/-/pipelines


    未知的所需信息,不足以用于徽章。

    如果有至少一个FLOSS工具可以以所选语言度量此条款,该项目的FLOSS自动测试套件必须具有至少90%语句覆盖率。 [test_statement_coverage90]

    未知的所需信息,不足以用于徽章。

    如果有至少一个FLOSS工具可以以所选语言度量此条款,该项目的FLOSS自动测试套件必须具有至少80%分支覆盖率。 [test_branch_coverage80]

  • 使用基础的良好加密实践

    请注意,某些软件不需要使用加密机制。

    足够获得徽章!

    项目生成的软件必须支持所有网络通信的安全协议,如SSHv2或更高版本,TLS1.2或更高版本(HTTPS),IPsec,SFTP和SNMPv3。默认情况下,FTP,HTTP,Telnet,SSLv3或更早版本以及SSHv1等不安全协议必须被禁用,只有在用户专门配置时才启用。如果项目生成的软件不支持网络通信,请选择“不适用”(N/A)。 [crypto_used_network]

    We support several encrypted DNS protocols, including DNS over TLS (aka DOT).


    足够获得徽章!

    由项目生成的软件必须,如果支持或使用TLS,至少支持TLS版本1.2。请注意,TLS的前身称为SSL。如果软件不使用TLS,请选择“不适用”(N/A)。 [crypto_tls12]

    We support TLS. https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-tls


  • 安全交付防御中间人(MITM)的攻击


    不足以获得徽章。

    项目网站,存储库(如果可通过网络访问)和下载站点(如果单独)必须包括具有非允许值的密钥加固头。 (需要网址) [hardened_site]

    X-Content-Type-Options was not set to "nosniff". // One or more of the required security hardening headers is missing.


  • 其他安全问题


    足够获得徽章!

    该项目必须在过去5年内进行安全审查。此审查必须考虑安全需求和安全边界。 [security_review]

    We had an external audit performed by x.41-DE in 2023: https://www.isc.org/blogs/2024-bind-audit/


    足够获得徽章!

    加固机制必须用于项目生产的软件,以便软件缺陷不太可能导致安全漏洞。 (需要网址) [hardening]

    we do enable hardening in C complier:

    https://gitlab.isc.org/isc-projects/bind9/-/blob/main/configure.ac?ref_type=heads#L143

    See https://www.redhat.com/en/blog/enhance-application-security-fortifysource for what this does.


  • 动态代码分析


    足够获得徽章!

    必须在发布之前,至少将一个动态分析工具应用于软件任何候选发布的主要生产版本。 [dynamic_analysis]

    we have implemented AFL fuzzing


    足够获得徽章!

    项目应该在其生成的软件中包含许多运行时断言,并在动态分析期间检查这些断言。 [dynamic_analysis_enable_assertions]

    It is often suggested that we have TOO MANY run-time asssertions....



This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit Vicky Risk and the OpenSSF Best Practices badge contributors.

项目徽章条目拥有者: Vicky Risk.
最后更新于 2016-08-15 17:41:15 UTC, 最后更新于 2025-02-12 17:43:44 UTC。 最后在2023-07-11 15:31:20 UTC丢失通过徽章。 最后在 2023-07-11 15:34:03 UTC 获得通过徽章。

后退