Linux kernel earns CII best practices gold badge

SAN FRANCISCO (June 12, 2020) — An open letter from David A. Wheeler, Director of Open Source Supply Chain Security at The Linux Foundation:

 

All: I want to formally congratulate the Linux kernel project for earning a gold badge!! You can see their details here:

 

https://bestpractices.coreinfrastructure.org/en/projects/34

 

The Linux kernel has been close for a while. The final one they completed was to add some HTTP hardening headers to key websites.

 

Of course, a gold badge doesn't mean that there are no vulnerabilities, or that it's impossible to improve their development processes. Perfection is rare in this life. But it *does* mean that they've implemented a large number of good practices to keep the project sustainable, to counter vulnerabilities from entering their software, and to address vulnerabilities when they are found. The Linux kernel project takes many steps to do this, and it's good to see.

 

The Linux kernel joins some of the few other gold applications, such as the Zephyr project, who have been at gold for a while. You can see the current gold holders here:

 

https://bestpractices.coreinfrastructure.org/en/projects?gteq=300

 

My thanks to Greg Kroah-Hartman, who spearheaded getting the badge "over the finish line." Thank you for your effort.

 

I hope that this result will help inspire other projects to pursue — and earn — a gold badge. Of course, the real goal isn't a badge — the real goal is to make our software much more secure. But I think it's clear that good practices can help make our software more secure, and we want to praise & encourage projects to have good practices.