
david-a-wheeler (Contributor) commented Sep 16, 2021

Make various improvements to the text on packaging.

  • The original text assumes that only software developers install software
    packages, which is absurd; end-users install software packages all
    the time.
  • The original text seemed to assume that there are only
    language-level packages, but system-level packages & containers
    are a thing :-). At least acknowledge them.
    Also, this doesn't make sense in some cases
    (e.g., software specific to one website that's updated through commits,
    or IoT software where there are no "packages" - you
    upload the entire image); that should be admitted.
  • Fix main text to stop using "you/your" to mean "project developer".
    There are at least two different readers: (1) developers of the project
    being measured and (2) potential users of the project being measured.
    Many users of scorecard will be case 2; they'll be
    reading scorecard results to decide if they want to use the software
    being measured. So don't say "you" and assume that "you" means
    project developers. I left "you" meaning "project developers"
    inside remediation, under the assumption that this was remediation
    text for project developers.
    To be fair, users of software can also sometimes
    take remediation steps; that might be worth adding as its own
    section if we have text to add there (e.g., user_remediation).

I have intentionally not run make generate-docs as that would add other
irrelevant changes. Instead, after this PR is accepted there should be a
make generate-docs & a pull of that.

Signed-off-by: David A. Wheeler dwheeler@dwheeler.com

Make various improvements to the text on packaging.

* The original text assumes that only software developers install software
  packages, which is absurd; end-users install software packages all
  the time.
* The original text seemed to assume that there are only
  language-level packages, but system-level packages & containers
  are a thing :-). At least acknowledge them.
  Also, this doesn't make sense in some cases
  (e.g., software specific to one website that's updated through commits,
  or IoT software where there are no "packages" - you
  upload the entire image); that should be admitted.
* Fix main text to stop using "you/your" to mean "project developer".
  There are at least two *different* readers: (1) developers of the project
  being measured and (2) potential users of the project being measured.
  Many users of scorecard will be ossf#2; they'll be
  reading scorecard results to decide if they want to use the software
  being measured.  I left "you" meaning "project developers"
  inside remediation, under the assumption that this was remediation
  text for project developers.
  To be fair, *users* of software can also sometimes
  take remediation steps; that might be worth adding as its own
  section if we have text to add there (e.g., `user_remediation`).

I have intentionally not run `make generate-docs` as that would add other
irrelevant changes.  Instead, after this PR is accepted there should be a
`make generate-docs` & a pull of *that*.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
david-a-wheeler changed the title from "Improve text on Packaging" to "📖 Improve text on Packaging" on Sep 16, 2021

david-a-wheeler (Contributor, Author):

The license boilerplate check failed; I think that's a broken test, not an actual problem.

david-a-wheeler (Contributor, Author):

@naveensrinivasan: Can you check on the "license boilerplate check"? It fails bizarrely with `/bin/bash: protoc: command not found`

naveensrinivasan (Member):

> @naveensrinivasan: Can you check on the "license boilerplate check"? It fails bizarrely with `/bin/bash: protoc: command not found`

I re-ran the check; that should hopefully fix it.

Add note about filing an issue if scorecard fails to detect
the packaging mechanism, per review by @naveensrinivasan (thanks!).

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
naveensrinivasan (Member):

@david-a-wheeler Is it good to be merged?

david-a-wheeler (Contributor, Author):

@naveensrinivasan: Yes, it's ready for merging! Go for it!

naveensrinivasan merged commit bc5d7a8 into ossf:main on Sep 17, 2021