Projects that follow the best practices below can voluntarily self-certify and display the Core Infrastructure Initiative (OpenSSF) badge.
<a href="https://www.bestpractices.dev/projects/9678"><img src="https://www.bestpractices.dev/projects/9678/badge"></a>
Erlang/OTP is a programming language and runtime system for building massively scalable soft real-time systems with requirements on high availability.
https://github.com/erlang/otp/blob/master/CONTRIBUTING.md
We have a Developer Certificate of Origin that contributors must accept. This link contains the text: https://github.com/erlang/otp/blob/master/CONTRIBUTING.md#license
It has also been automated: when new contributors submit a pull request, they must accept the DCO agreement.
There are ~20 core maintainers of Erlang/OTP; all have write access to pull requests, issues, etc. https://github.com/erlang/otp/graphs/contributors
https://github.com/erlang/otp/graphs/contributors
https://github.com/erlang/otp/tree/master/system/doc
https://www.erlang.org/doc/apps/ssl/ssl_protocol.html https://www.erlang.org/doc/apps/ssl/ssl_distribution.html https://www.erlang.org/doc/apps/ssl/standards_compliance.html
Most of the Erlang/OTP applications/libraries have a getting started guide. Examples follow:
- common_test: https://www.erlang.org/doc/apps/common_test/getting_started_chapter.html#introduction-for-newcomers
- mnesia: https://www.erlang.org/doc/apps/mnesia/mnesia_chap2.html#content
- inets server: https://www.erlang.org/doc/apps/inets/http_server.html#getting-started
- observer: https://www.erlang.org/doc/apps/observer/observer_ug.html#getting-started
- logger: https://www.erlang.org/doc/apps/kernel/logger_chapter.html#overview
Documentation is inlined with the source code. Any code change that affects public functionality must also update the documentation; otherwise the change is not merged.
We produce program libraries, and the instructions categorise this as N/A.
Software meets this criterion simply by being internationalized
We do not store passwords.
Erlang/OTP allows upgrading/downgrading running code via hot-code reloading https://www.erlang.org/doc/system/release_handling.html
https://github.com/erlang/otp/issues
https://github.com/erlang/otp/security
We do not use a formatter, but we try to enforce that everyone writes code in the same way as the code they change. Link to this format here: https://github.com/erlang/otp/blob/115761f90aa1cd8e3b79b710d3ded997f5993375/CONTRIBUTING.md?plain=1#L129
Compiling the project runs the linter.
Flags can be passed as explained here https://github.com/erlang/otp/blob/master/HOWTO/DEVELOPMENT.md#types-and-flavors
Erlang/OTP uses standard conventions.
Erlang/OTP uses defaults, but these can also be configured: https://github.com/erlang/otp/blob/master/HOWTO/INSTALL.md#configuring
Installation scripts are provided here: https://github.com/erlang/otp/blob/master/HOWTO/INSTALL.md For binaries, they can be downloaded from our website: https://www.erlang.org/downloads#prebuilt
We use OSV in a cron job https://github.com/erlang/otp/blob/master/.github/workflows/osv-scanner-scheduled.yml
Not applicable.
Erlang/OTP does not use deprecated functions/APIs.
All branches are checked against the tests: https://github.com/erlang/otp/actions/workflows/main.yaml
Erlang/OTP adds regression tests to the automated test suite.
- Example 1: https://github.com/erlang/otp/blob/7bbae6d6818884e54982ea834e3c3e91676a65d1/lib/mnesia/test/mnesia_isolation_test.erl#L315
- Example 2: https://github.com/erlang/otp/blob/7bbae6d6818884e54982ea834e3c3e91676a65d1/lib/stdlib/test/supervisor_SUITE.erl#L322
This is tricky to measure, since our cover tool reports on a per-application basis. Most applications are well covered, but it is tricky to fully measure...
- compiler: 96%
- public_key: 76%
- ssl: 79%
- dialyzer: 83%
cover
https://github.com/erlang/otp/blob/master/CONTRIBUTING.md#adding-a-new-feature
New Functionality: https://github.com/erlang/otp/blob/master/CONTRIBUTING.md#adding-a-new-feature Same as above.
https://github.com/erlang/otp/pull/8998/files#diff-1af533221666240413da1fd6af10daa048601cc69938135e4d1b9f7ebc22f14c
We use secure defaults. There is only one special case for ssh where we have a fallback strategy that uses non-strict KEX.
Yes, more detailed documentation here: https://www.erlang.org/doc/apps/ssl/ssl.html#t:sign_scheme/0
TLS1.2 docs: https://www.erlang.org/doc/apps/ssl/ssl_app.html For legacy reasons, we still have FTP and HTTP applications that cannot be removed.
TLS1.2 docs: https://www.erlang.org/doc/apps/ssl/ssl_app.html
We are working on this.
Working on it.
We use property-based testing in the SSL/TLS app.
We follow guidelines for hardening C/C++ compilation flags: https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
Pull request: https://github.com/erlang/otp/pull/8998/files#diff-1af533221666240413da1fd6af10daa048601cc69938135e4d1b9f7ebc22f14c
OSV and dialyzer
We use AddressSanitizer as well as Valgrind for the runtime, which is written in C/C++.