The OpenSSF Best Practices badge project is essentially in a "sustainment" mode. That doesn't mean the project is static; it just means that we've already achieved our "big" objectives. This is similar to the situation of the Linux kernel, which is not static either but has also achieved its original key goals.
In particular, we've met our original key objectives:
- a set of tiered criteria (starting with 1 level)
- a website so people can fill in those criteria and receive a badge
- automation to help fill in some information
- internationalization
At this point, we are primarily driven by specific pull requests and issues, which have to be prioritized.
Since pull requests generally take much less time for us to process and represent a more significant investment of time by the proposer (so at least the proposer considers them important), they tend to be much more likely to be accepted.
Issues marked as "next" are also considered higher priority.
The following are general goals in the 1-2 year horizon:
- Continue to let others know about the badging program
- Encourage projects to get & display a badge and/or pursue higher levels
- Add more automation for filling in projects
- Add more locales
- Update the criteria annually as more is learned
- Reduce monthly hosting costs (without hurting user experience)
The timeframe for many of these will depend on how much other people provide support for them (this is especially true for adding new locales).
Project participation and interface:
- CONTRIBUTING.md - How to contribute to this project
- INSTALL.md - How to install/quick start
- governance.md - How the project is governed
- roadmap.md - Overall direction of the project
- background.md - Background research
- api - Application Programming Interface (API), including data downloads
Criteria:
Development processes and security:
- requirements.md - Requirements (what's it supposed to do?)
- design.md - Architectural design information
- implementation.md - Implementation notes
- testing.md - Information on testing
- assurance-case.md - Why it's adequately secure (assurance case)