| 1 | ---
|
| 2 | layout: base
|
| 3 | title: "Open Source Checklist"
|
| 4 | ---
|
| 5 |
|
| 6 | # <span style="color:green;font-size:150%">✓</span> Open Source Check List
|
| 7 |
|
| 8 | Prior to releasing a project to GitHub.com, walk through these items and ensure they are addressed.
|
| 9 |
|
| 10 | - **Has PII been removed?**
|
| 11 | - Use [Clouseau](https://github.com/virtix/clouseau) for scanning source code.
|
| 12 | - For an Open Source Release, attach the Clouseau output.
|
| 13 | - If there are images, visually inspect each image to ensure there is no CFPB-specific information.
|
| 14 |
|
| 15 | - **Have security vulnerabilities been remediated?**
|
| 16 | - Use the [OWASP Top 10](https://www.owasp.org/index.php/Top_10_2013)
|
| 17 | - [National Vulnerability Database](http://nvd.nist.gov/)
|
| 18 | - [SANS Swat Checklist](http://www.securingthehuman.org/developer/swat)
|
| 19 |
|
| 20 | - **Are we including any other open source products? If so, is there any conflict with our public domain release?**
|
| 21 |
|
| 22 | - **Is our `TERMS.md` included?**
|
| 23 |
|
| 24 | - **Is a `CHANGELOG.md` present and does it contain structured, consistently formatted recent history?**
|
| 25 | - See <https://github.com/cfpb/qu> and <https://github.com/cfpb/hmda-explorer>
|
| 26 | - Some Inspiration: <http://keepachangelog.com/>
|
| 27 |
|
| 28 | - **Are instructions for contributing included (`CONTRIBUTING.md`)?**
|
| 29 |
|
| 30 | - **Are installation instructions clearly written in the `README` _and_ tested on a clean machine?**
|
| 31 |
|
| 32 | - **Are all dependencies described in the `README`, `requirements.txt`, and/or `buildout.cfg`?**
|
| 33 |
|
| 34 | - **Are the API docs generated?**
|
| 35 |
|
| 36 | - **Are there unit tests?**
|
| 37 |
|
| 38 | - **If appplicable and possible, is it set up in TravisCI?**
|
| 39 |
|
| 40 | - **Have multiple people reviewed the code?**
|
| 41 |
|
| 42 | - **Is there a screenshot in the `README`, if applicable?**
|
| 43 |
|
| 44 |
|
| 45 | ## Copy this version to paste into a GitHub issue with live checkboxes:
|
| 46 |
|
| 47 | ~~~
|
| 48 | - [ ] **Has PII been removed?**
|
| 49 | - Use [Clouseau](https://github.com/virtix/clouseau) for scanning source code.
|
| 50 | - If there are images, visually inspect each image to ensure there is no CFPB-specific information.
|
| 51 | - [ ] **Have security vulnerabilities been remediated?**
|
| 52 | - [ ] **Are we including any other open source products? If so, is there any conflict with our public domain release?**
|
| 53 | - [ ] **Is our `TERMS.md` included?**
|
| 54 | - [ ] **Is a `CHANGELOG.md` present and does it contain structured, consistently formatted recent history?**
|
| 55 | - [ ] **Are instructions for contributing included (`CONTRIBUTING.md`)?**
|
| 56 | - [ ] **Are installation instructions clearly written in the `README` _and_ tested on a clean machine?**
|
| 57 | - [ ] **Are all dependencies described in the `README`, `requirements.txt`, and/or `buildout.cfg`?**
|
| 58 | - [ ] **Are the API docs generated?**
|
| 59 | - [ ] **Are there unit tests?**
|
| 60 | - [ ] **If applicable and possible, is it set up in TravisCI?**
|
| 61 | - [ ] **Have multiple people reviewed the code?**
|
| 62 | - [ ] **Is there a screenshot in the `README`, if applicable?**
|
| 63 | ~~~
|
| 64 |
|
| 65 | ----
|
| 66 |
|
| 67 |
|
| 68 | ## Take a look at the following projects as good models to follow:
|
| 69 |
|
| 70 | - [https://github.com/cfpb/qu](https://github.com/cfpb/qu)
|
| 71 | - [https://github.com/cfpb/idea-box](https://github.com/cfpb/idea-box)
|
| 72 | - [https://github.com/cfpb/hmda-tool](https://github.com/cfpb/hmda-tools)
|
| 73 | - [https://github.com/cfpb/django-cache-tools](https://github.com/cfpb/django-cache-tools)
|