Geomys introduces a draft Standard of Care for professional open source maintenance, covering security practices, dependency management, and reliability commitments. On supply chain security, the standard requires phishing-resistant authentication, CI/CD hardening, transparency logging, and strict code review. Key practices include using passkeys/WebAuthn for critical accounts; relying on govulncheck to surface dependencies with known vulnerabilities rather than automatically bumping every dependency; mitigating cache poisoning in GitHub Actions workflows; and maintaining backwards compatibility. The standard applies to the Go cryptography packages, Staticcheck, age, mkcert, and other Geomys-maintained projects. The maintenance commitments it establishes are funded by retainer contracts but are offered to the entire community.

Source: words.filippo.io

Table of contents
- The draft Standard of Care
- The Picture
