* [Printing-architecture] LGTM - FREE security scan for open source software
@ 2019-11-20 20:41 Ira McDonald
  2019-11-22 22:32 ` Till Kamppeter
  0 siblings, 1 reply; 4+ messages in thread
From: Ira McDonald @ 2019-11-20 20:41 UTC (permalink / raw)
  To: Till Kamppeter, Aveek Basu, Danny Brennan, Ira McDonald,
	printing-architecture


Hi,

As Mike Sweet reported, during today's PWG Virtual F2F meeting, the PWG
ippsample tools now use automated security scanning of updates by LGTM.

Mike has been favorably impressed by the competence and professionalism
of the LGTM staff (e.g., when reporting false positives).

I suggest that this is worth integrating into the CUPS Filters and GSoC
projects development processes as well.

https://lgtm.com/

WDYT?

Cheers,
- Ira

Ira McDonald (Musician / Software Architect)
Co-Chair - TCG Trusted Mobility Solutions WG
Co-Chair - TCG Metadata Access Protocol SG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
mailto: blueroofmusic@gmail.com
PO Box 221  Grand Marais, MI 49839  906-494-2434


* Re: [Printing-architecture] LGTM - FREE security scan for open source software
  2019-11-20 20:41 [Printing-architecture] LGTM - FREE security scan for open source software Ira McDonald
@ 2019-11-22 22:32 ` Till Kamppeter
  2019-11-23 12:34   ` Ira McDonald
  2019-11-24 14:15   ` Michael Sweet
  0 siblings, 2 replies; 4+ messages in thread
From: Till Kamppeter @ 2019-11-22 22:32 UTC (permalink / raw)
  To: Ira McDonald, Aveek Basu, Danny Brennan, printing-architecture

On 20/11/2019 21:41, Ira McDonald wrote:
> Hi,
> 
> As Mike Sweet reported, during today's PWG Virtual F2F meeting, the PWG
> ippsample tools now use automated security scanning of updates by LGTM.
> 
> Mike has been favorably impressed by the competence and professionalism
> of the LGTM staff (e.g., when reporting false positives).
> 
> I suggest that this is worth integrating into the CUPS Filters and GSoC
> projects development processes as well.
> 
> https://lgtm.com/
> 
> WDYT?

I have looked into it, too, and when doing investigations for the implementation 
of driverless IPP scanning I saw it in PWG's ippsample.

Also, all the OpenPrinting projects are on GitHub now, so I think we should 
start to use it.

Is it possible to create an organization account under lgtm, or organizations 
within an account, like in GitHub, where users can be added and removed? This 
way LGTM operation would not get hardwired to a single person.

    Till




* Re: [Printing-architecture] LGTM - FREE security scan for open source software
  2019-11-22 22:32 ` Till Kamppeter
@ 2019-11-23 12:34   ` Ira McDonald
  2019-11-24 14:15   ` Michael Sweet
  1 sibling, 0 replies; 4+ messages in thread
From: Ira McDonald @ 2019-11-23 12:34 UTC (permalink / raw)
  To: Till Kamppeter, Ira McDonald, Michael Sweet
  Cc: Aveek Basu, printing-architecture


Hi Till,

I think LGTM is supposed to be wired to projects (i.e., open source
repositories) rather than individuals.  Mike may know more about this?

Cheers,
- Ira





* Re: [Printing-architecture] LGTM - FREE security scan for open source software
  2019-11-22 22:32 ` Till Kamppeter
  2019-11-23 12:34   ` Ira McDonald
@ 2019-11-24 14:15   ` Michael Sweet
  1 sibling, 0 replies; 4+ messages in thread
From: Michael Sweet @ 2019-11-24 14:15 UTC (permalink / raw)
  To: Till Kamppeter; +Cc: Aveek Basu, printing-architecture

Till,

> On Nov 22, 2019, at 5:32 PM, Till Kamppeter <till.kamppeter@gmail.com> wrote:
> 
> On 20/11/2019 21:41, Ira McDonald wrote:
>> Hi,
>> As Mike Sweet reported, during today's PWG Virtual F2F meeting, the PWG
>> ippsample tools now use automated security scanning of updates by LGTM.
>> Mike has been favorably impressed by the competence and professionalism
>> of the LGTM staff (e.g., when reporting false positives).
>> I suggest that this is worth integrating into the CUPS Filters and GSoC
>> projects development processes as well.
>> https://lgtm.com/
>> WDYT?
> 
> I have looked into it, too, and when doing investigations for the implementation of driverless IPP scanning I saw it in PWG's ippsample.
> 
> Also, all the OpenPrinting projects are on GitHub now, so I think we should start to use it.
> 
> Is it possible to create an organization account under lgtm, or organizations within an account, like in GitHub, where users can be added and removed? This way LGTM operation would not get hardwired to a single person.

I believe LGTM is integrated with GitHub organizations, so anyone in the organization can monitor the results, and any admin can set up the LGTM app hookup (so that all pull requests, etc. are scanned).

________________________
Michael Sweet



