---
layout: base
title: "Open Source Checklist"
---

# <span style="color:green;font-size:150%">✓</span> Open Source Check List

Prior to releasing a project to GitHub.com, walk through these items and ensure they are addressed.

- **Has PII been removed?**
  - Use [Clouseau](https://github.com/virtix/clouseau) for scanning source code.
  - For an Open Source Release, attach the Clouseau output.
  - If there are images, visually inspect each image to ensure there is no CFPB-specific information.

- **Have security vulnerabilities been remediated?**
  - Use the [OWASP Top 10](https://www.owasp.org/index.php/Top_10_2013)
  - [National Vulnerability Database](http://nvd.nist.gov/)
  - [SANS Swat Checklist](http://www.securingthehuman.org/developer/swat)

- **Are we including any other open source products? If so, is there any conflict with our public domain release?**

- **Is our `TERMS.md` included?**

- **Is a `CHANGELOG.md` present and does it contain structured, consistently formatted recent history?**
  - See <https://github.com/cfpb/qu> and <https://github.com/cfpb/hmda-explorer>
  - Some inspiration: <http://keepachangelog.com/>

- **Are instructions for contributing included (`CONTRIBUTING.md`)?**

- **Are installation instructions clearly written in the `README` _and_ tested on a clean machine?**

- **Are all dependencies described in the `README`, `requirements.txt`, and/or `buildout.cfg`?**

- **Are the API docs generated?**

- **Are there unit tests?**

- **If applicable and possible, is it set up in TravisCI?**

- **Have multiple people reviewed the code?**

- **Is there a screenshot in the `README`, if applicable?**
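
As an added example for the first checklist item (this is not part of the checklist and not Clouseau's own code), the following Python script walks a source tree before it is pushed to GitHub.com and flags lines that look like PII or CFPB-internal infrastructure details: email addresses, SSN-shaped numbers, RFC 1918 addresses, hostnames under an internal domain suffix, and AWS access key IDs. The patterns, the `.example.internal` suffix, the allowlist and the sample input are all assumptions constructed for illustration; a team would tune them to its own environment and attach the resulting report alongside the Clouseau output.

```python
"""Pre-release PII / internal-reference scan (added example, not Clouseau).

Walks a source tree and reports lines that look like personal data or
internal infrastructure details that should not leave the building.
All patterns below are illustrative assumptions; tune them per project.
"""
import os
import re
import tempfile
from typing import Iterator, List, NamedTuple

# Hypothetical internal hostname suffix (assumption); replace with the real one.
INTERNAL_DOMAIN_SUFFIX = r"\.example\.internal"

PATTERNS = {
    # Email addresses (staff or test accounts often leak through fixtures).
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # US Social Security Number shape: 123-45-6789.
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # RFC 1918 private IPv4 addresses (reveal internal network layout).
    "private_ipv4": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
    ),
    # Hostnames under the internal domain.
    "internal_host": re.compile(r"\b[\w.-]+" + INTERNAL_DOMAIN_SUFFIX + r"\b", re.I),
    # AWS access key IDs: a credential rather than PII, but never releasable.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Placeholder values the team uses deliberately; never reported.
ALLOWLIST = {"user@example.com", "noreply@example.com"}

# Directories that are generated or vendored and not part of the release.
SKIP_DIRS = {".git", "node_modules", ".tox", "__pycache__"}


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    match: str


def scan_text(text: str, path: str = "<string>") -> List[Finding]:
    """Return every non-allowlisted pattern hit in `text`, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if m.group(0) in ALLOWLIST:
                    continue
                findings.append(Finding(path, line_no, kind, m.group(0)))
    return findings


def iter_files(root: str) -> Iterator[str]:
    """Yield file paths under `root`, pruning SKIP_DIRS in place."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            yield os.path.join(dirpath, name)


def scan_tree(root: str) -> List[Finding]:
    """Scan every readable file under `root`; binary noise is ignored."""
    findings = []
    for path in iter_files(root):
        try:
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError:
            continue  # unreadable file; report separately if that matters
    return findings


# Constructed sample input: a config fragment with several leaks and one
# allowlisted placeholder. The AWS key is AWS's own documentation example.
SAMPLE = """\
DB_HOST = "reports-db01.example.internal"
ADMIN_EMAIL = "jane.doe@agency.gov"
CONTACT = "user@example.com"
# test fixture: 123-45-6789
BIND = "10.20.30.40"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""


def demo_scan_tree() -> List[Finding]:
    """Write SAMPLE into a temporary tree and scan it end to end."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))  # must be pruned
        with open(os.path.join(root, ".git", "config"), "w") as fh:
            fh.write("email = hidden@agency.gov\n")
        with open(os.path.join(root, "settings.py"), "w") as fh:
            fh.write(SAMPLE)
        return scan_tree(root)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan_tree(root):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.match}")
```

Run it as `python scan_pii.py path/to/repo`; a non-empty report means the item is not yet done. The allowlist keeps deliberate placeholders such as `user@example.com` out of the report, and `.git` is pruned so that commit metadata is not mistaken for shipped content (history should be reviewed separately before release).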

## Copy this version to paste into a GitHub issue with live checkboxes:

~~~
- [ ] **Has PII been removed?**
  - Use [Clouseau](https://github.com/virtix/clouseau) for scanning source code.
  - If there are images, visually inspect each image to ensure there is no CFPB-specific information.
- [ ] **Have security vulnerabilities been remediated?**
- [ ] **Are we including any other open source products? If so, is there any conflict with our public domain release?**
- [ ] **Is our `TERMS.md` included?**
- [ ] **Is a `CHANGELOG.md` present and does it contain structured, consistently formatted recent history?**
- [ ] **Are instructions for contributing included (`CONTRIBUTING.md`)?**
- [ ] **Are installation instructions clearly written in the `README` _and_ tested on a clean machine?**
- [ ] **Are all dependencies described in the `README`, `requirements.txt`, and/or `buildout.cfg`?**
- [ ] **Are the API docs generated?**
- [ ] **Are there unit tests?**
- [ ] **If applicable and possible, is it set up in TravisCI?**
- [ ] **Have multiple people reviewed the code?**
- [ ] **Is there a screenshot in the `README`, if applicable?**
~~~

----

## Take a look at the following projects as good models to follow:

- [https://github.com/cfpb/qu](https://github.com/cfpb/qu)
- [https://github.com/cfpb/idea-box](https://github.com/cfpb/idea-box)
- [https://github.com/cfpb/hmda-tools](https://github.com/cfpb/hmda-tools)
- [https://github.com/cfpb/django-cache-tools](https://github.com/cfpb/django-cache-tools)
|