🔥 An update on OpenSSF's XZ fumble

OpenSSF’s Scorecards is Going Just Great 🔥

While I’m happy that OpenSSF updated their blog post to remove all mentions of their scorecards, they forgot to mention why, apologize, or publicly acknowledge that they messed up.

Since they rushed their first blog post and spent so little time on it, I wanted to point out the changes and, in equal measure, spend very little time on why their scorecard is actively harmful to projects that handle security well.

Today was a rare day off for me, and documenting the numerous red flags of OpenSSF’s Scorecards isn’t how I spent my Monday night, nor will I spend my Tuesday or any night on this.

Instead, check out the Scorecards for these three popular projects.

If you aren’t sure where to start, compare the “Pinned-Dependencies” and “Best-Practices” over the three projects. Then, look at the reference files and see if you agree.

🤷

Updates

This post by David Lord is worth a star.

Jeff Triplett @webology