OT: Peer review (was: making a Debian Live CD for managing GnuPG master key and smartcards)
lachlan at twopif.net
Wed Apr 27 03:35:19 CEST 2016
> Well, there's a little bit of a chicken-and-the-egg problem here. If
> new projects are told "don't evangelize here", how will they let users
> who might be interested in their project know it exists? Evangelization
> is important. I don't think we want to adopt a no-evangelization rule,
> but at the same time, we want to keep it within limits, too.

Yep, I think this is important. I'd also suggest that actively
attempting to lure potential contributors to a project from their own
mailing list is a bit of a no-no as well.

A topic that someone mentioned in this thread was peer review. Is there
any venue out there for seeking third-party security review for
open-source code? I don't mean anything professional, but just

A few of my projects involve crypto or some other kind of security
functionality, and I feel a bit uncomfortable evangelising too much
without having had someone else go over them more thoroughly than
Coverity can. Here wouldn't be a good venue as they tend to range from
unrelated to competing (don't judge, I just need an MIT-licensed way to
check an OpenPGP signature), but given the amount of misguided security
code out there, it seems like somewhere more generally-oriented might be

Even restricting to GnuPG itself, obviously not every one-man-band using
GPG in a script can expect to come here and get a code audit.
More information about the Gnupg-users