Difference between revisions of "Project Information:template OpenSign Server Project - Final Review - First Reviewer - D"
Revision as of 14:29, 8 February 2009
FINAL REVIEW

PART I - Project Deliveries & Objectives

1. To what extent have the project deliveries & objectives been accomplished? Taking into consideration the assumed ones, please give examples, writing down those of them that haven't been realised.

-> ok
-> code download and verification is not available in the OSSJClient. Verification of the certificate is therefore performed independently of the signed code (one step is missing in the process).
-> ok
-> available, but completeness of features should be validated
-> The demonstration could be more explicit regarding the integration of the tools in the software deployment process. The role of entities (certificate, CSR) could be explained more precisely, so as to enable developers with limited security knowledge to use the tool. For instance: integrate the documentation (opendsign-concept.doc ...) in the demo slides. Documentation in the code repository contains the original design doc rather than the current dev/use documentation.

2. To what extent have the project deliveries & objectives been accomplished? Taking into consideration the assumed ones, please quantify in terms of percentage.

NOTE: the deliverables are tagged in the project definition as 'idealized result', and were from the beginning identified as an ambitious goal. The project delivers running tools and documentation, which do not fulfil these expectations, but provide developers with useful and simple-to-use tools. The percentages are relative to the original definition.

100 %
50 %
90 %
70 %

3. Please use the right hand side column to provide advice and make work suggestions.

First comments:

for the server and the client (I have made some tests under Linux; this seems not to be the case for the latter releases available on the project web page)
- how to compile everything (without needing to install libraries from the web)?
- how to run the server and clients (a global 'readme' file is missing).
* Moreover, the 'opensign-design' document could be completed.

Final Review

Extending the OSSJClient with a code download and verification feature would provide an important added value for a reasonable work overhead. It could therefore be done in priority.

Please see other comments for further remarks.
PART II - Assessment Criteria

1. Taking into consideration the OWASP Project Assessment Methodology, which criteria, if any, haven't been fulfilled in terms of Alpha Quality status?

None (validated in previous review).

2. Taking into consideration the OWASP Project Assessment Methodology, which criteria, if any, haven't been fulfilled in terms of Beta Quality status?

* Add a common About Box or help menu in the tool itself (which lists name of tool, author, e-mail address of author, current version number and/or release date)

-> Help is provided. Information related to the authors is not.

3. Taking into consideration the OWASP Project Assessment Methodology, which criteria, if any, haven't been fulfilled in terms of Release Quality status?

* Be reasonably easy to use

-> OK

* Include online documentation built into the tool (based on required user documentation)

-> should still be integrated.

* Include build scripts that facilitate building the application from source (Goal: One-click build)

-> Completeness to be checked. Currently the build tools depend on the development environment (Maven for Java; these environments should be specified).

* Publicly accessible bug tracking system established, ideally at the same place as the source code repository (e.g., at Google Code or SourceForge)

-> TODO, as far as I know

* Be run through Fortify Software's open source review (if appropriate) and FindBugs.

-> TODO, or include reports

* C/C++ apps (if we have any) should consider being run through Coverity's open source review. Coverity also accepts submissions for open source Java applications.

-> TODO, or include reports

* When approved to be Release Quality: update the link to it on the OWASP Project page and update its project quality tag on its project page to be Release Quality.

Recommendations:

* Conference style PowerPoint presentation that describes the use and status of the tool. (This could be used by others to discuss the tool at OWASP Chapter meetings, serve as easy to review offline documentation, etc.)

-> available

* UAT pass on functionality of the tool

-> TODO

* Developer documents any limitations

-> TODO

4. Please use the right hand side column to provide advice and make work suggestions.

* Documentation update could be done to adapt the original design to the current development status