Changes between Version 2 and Version 3 of OpenITPReview/Criteria

Timestamp: May 8, 2013 12:27:28 PM (6 years ago)
Author: str4d
Comment:

  • OpenITPReview/Criteria

    v2 v3  
    3030=== Threat Model ===
    3131|| '''Criterion''' || '''Our response''' || '''Do we fulfil this?''' ||
    32 || Does the tool have a threat model?|| Yes - http://www.i2p2.i2p/threatmodel || Yes ||
    33 || Does the tool have one or more clearly defined use contexts? || Maybe? || ? ||
    34 || Does the threat model follow a clearly established methodology? || ||  ||
    35 || Is the threat model formally specified? || Define "formal" ||  ||
     32|| Does the tool have a threat model?|| Yes - http://www.i2p2.i2p/how_threatmodel || Yes ||
     33|| Does the tool have one or more clearly defined use contexts? || Maybe? I2P is an anonymous overlay network, and has many potential use contexts. || ? ||
     34|| Does the threat model follow a clearly established methodology? || '''TODO: Needs research''' ||  ||
     35|| Is the threat model formally specified? || '''Define "formal"''' ||  ||
    3636
    3737=== User Experience ===
    3838|| '''Criterion''' || '''Our response''' || '''Do we fulfil this?''' ||
    3939|| Does the user experience compromise the secure use of the tool? ||  ||  ||
    40 || Has there been a professional designer involved in the tool development process? || ||  ||
    41 || Has there been user experience testing involved in the design process and if so, what? || || No ||
     40|| Has there been a professional designer involved in the tool development process? || Anonymous designers have donated their time and effort. No money has been paid towards improving the design of the I2P software UI. ||  ||
     41|| Has there been user experience testing involved in the design process and if so, what? || Sampling of the opinions of users on IRC (a very small percentage of the estimated userbase). || No ||
    4242|| Is their a style guide or set of design guidelines for the tool? ||  || No ||
    4343
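Review bot: in the unchanged context row 42, "Is their a style guide" should read "Is there a style guide". Separately, rows 34 and 35 now carry bold TODO and "define formal" requests in the response column but leave "Do we fulfil this?" blank, which looks identical to a row nobody has reviewed yet; putting "?" there, as row 33 does, would mark them as open questions rather than untouched rows.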
     
    4545|| '''Criterion''' || '''Our response''' || '''Do we fulfil this?''' ||
    4646|| Is the tool documentation sufficient to guide the intended audience through using the tool properly? ||  ||  ||
    47 || Is the documentation into the same set of languages as the tool? ||  || ||
    48 || Is the documentation up to date, regularly maintained, and accurate? ||  || ||
     47|| Is the documentation into the same set of languages as the tool? ||  || No ||
     48|| Is the documentation up to date, regularly maintained, and accurate? || No, but the translation tagging of the website revamp will enable more accurate coverage. || No ||
    4949|| Does the documentation correctly describe the security caveats and use cases of the tool? ||  ||  ||
    5050|| Does the documentation make clear security claims, and are those claims supported by the tool? ||  ||  ||
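Review bot: row 47's criterion is missing a verb ("Is the documentation into the same set of languages as the tool?"); "Is the documentation translated into the same set of languages as the tool?" is the likely intent. The new "No" in that row also sits beside an empty response cell; a short note on which of the tool's languages lack documentation would make that "No" checkable, in the way row 48's response explains its own "No".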
     
    5353=== Audience and Adversary Definition ===
    5454|| '''Criterion''' || '''Our response''' || '''Do we fulfil this?''' ||
    55 || Is the tool actively designed with the needs of at-risk users in mind? ||  || ||
    56 || Does the project understand who their users are? || ||  ||
    57 || Does the project understand who their user's adversaries are? || ||  ||
    58 || Is the tool actively designed with their user's adversary's capabilities in mind? || ||  ||
    59 || Is the tool being used for contexts outside of those that it was designed for? || ||  ||
    60 || Was the tool designed with a realistic awareness of the needs of its intended user community? ||  || ||
     55|| Is the tool actively designed with the needs of at-risk users in mind? ||  || No? ||
     56|| Does the project understand who their users are? || Difficult (impossible?) to get these statistics. ||  ||
     57|| Does the project understand who their user's adversaries are? || See previous criterion. ||  ||
     58|| Is the tool actively designed with their user's adversary's capabilities in mind? || Maybe generally? ||  ||
     59|| Is the tool being used for contexts outside of those that it was designed for? || '''How could an anonymous overlay network be used other than to route traffic anonymously?''' ||  ||
     60|| Was the tool designed with a realistic awareness of the needs of its intended user community? || '''TODO: Check old meeting logs''' || ? ||
    6161
    6262=== Development Process Transparency ===
    6363|| '''Criterion''' || '''Our response''' || '''Do we fulfil this?''' ||
    6464|| Does the project plan development in public fora (such as a mailing list or IRC channel)? || Yes: IRC2P/#i2p-dev, http://zzz.i2p, http://lists.i2p2.i2p || Yes ||
    65 || Does the project have an accurate roadmap that is up to date and has a history of use? || || No ||
    66 || Does the project have a public bug tracker? Has the project used their bug tracker over time and kept it accurate? || Yes (though not always entirely current due to small developer base) || Yes ||
    67 || Does the project have a public source repository that is in use for mainline development? || Monotone - http://viewmtn.meeh.i2p/ || Yes ||
     65|| Does the project have an accurate roadmap that is up to date and has a history of use? || http://trac.i2p2.i2p/wiki/Roadmaps/1.0 would be the most up-to-date; http://www.i2p2.i2p/roadmap and http://www.i2p2.i2p/todo also exist. None of these have a recent history of use. || No ||
     66|| Does the project have a public bug tracker? Has the project used their bug tracker over time and kept it accurate? || Yes to both (though not always entirely current due to the small developer base). || Yes ||
     67|| Does the project have a public source repository that is in use for mainline development? || Monotone (see e.g. http://viewmtn.meeh.i2p/ ) || Yes ||
    6868|| Has the project added new developers or other volunteers over the life of the project? || Yes, though only a few long-term developers. || Yes ||
    6969
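Review bot: row 59's response is itself a question ("How could an anonymous overlay network be used other than to route traffic anonymously?") rather than an answer, and its fulfil column is blank; the criterion asks whether the tool is in fact being used outside the contexts it was designed for, so a direct "Unknown" or "Not to our knowledge" would answer it. Style: rows 57 and 58 read "their user's adversaries" where the plural possessive "users'" is meant.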
     
    7171|| '''Criterion''' || '''Our response''' || '''Do we fulfil this?''' ||
    7272|| Does the project have documented criteria for determining what is a security issue? || '''TODO: Check this''' ||  ||
    73 || Does the project have a documented process for classifying the impact of security vulnerability reports? ||  || ||
    74 || Does the project have a documented response process for security vulnerability reports? ||  || ||
    75 || What is the project history of responding to security incidents and is it documented? || ||  ||
    76 || Does the project have an internal responsible disclosure policy and is it used? ||  || ||
    77 || What timeline does the project have around responding to vulnerabilities? || ||  ||
     73|| Does the project have a documented process for classifying the impact of security vulnerability reports? || '''TODO: Define or set up''' || No ||
     74|| Does the project have a documented response process for security vulnerability reports? || '''TODO: Define or set up''' || No ||
     75|| What is the project history of responding to security incidents and is it documented? || '''TODO: Check history''' ||  ||
     76|| Does the project have an internal responsible disclosure policy and is it used? ||  || No ||
     77|| What timeline does the project have around responding to vulnerabilities? || As soon as possible? ||  ||
    7878
    7979=== Project License and IP Disposition ===
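Review bot: row 66 answers "Yes to both" but, unlike rows 64, 65 and 67, gives no link; adding the bug tracker URL (row 65 already cites a trac.i2p2.i2p wiki page, so that Trac instance is presumably the tracker in question) would let a reader verify the "kept it accurate" half of the claim. Rows 72, 75 and 77 in the next section leave "Do we fulfil this?" blank while rows 73, 74 and 76 say "No"; since row 77's "As soon as possible?" is not a documented timeline, a consistent "No" or "No documented timeline" would be clearer.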
     
    9494|| Does the project have an active developer base? || Small, but active. ||  ||
    9595|| Does the project have a meaningful revenue or funding model sufficient to cover its costs in the long term? || Donations cover server costs and provide for bounties; many services are run by volunteers. ||  ||
    96 || Does the project have an accurate roadmap that is up to date and has a history of use? || See above. || ||
    97 || Does the project have a public bug tracker? Has the project used their bug tracker over time and kept it accurate? || See above. || ||
    98 || Does the project have a public source repository that is in use for mainline development? || See above. || Yes ||
    99 || Is the project documentation up to date in all the languages the project supports? || No, but the translation tagging of the website revamp will enable more accurate coverage. || No ||
     96|| Does the project have an accurate roadmap that is up to date and has a history of use? || See ''Development Process Transparency'' above. ||
     97|| Does the project have a public bug tracker? Has the project used their bug tracker over time and kept it accurate? || See ''Development Process Transparency'' above. ||
     98|| Does the project have a public source repository that is in use for mainline development? || See ''Development Process Transparency'' above. ||
     99|| Is the project documentation up to date in all the languages the project supports? || See ''Documentation'' above. ||
    100100|| Does the project have a test framework? || Both JUnit and !ScalaTest || Yes ||
    101101|| Does the project have significant regression testing coverage? || About 30% - see http://jenkins.killyourtv.i2p/job/cobertura/ || No ||
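Review bot: the four rewritten rows 96 to 99 have dropped the final "Do we fulfil this?" cell, so they no longer match the three-column layout of rows 94, 95, 100 and 101, and the "Yes" for the source repository (old row 98) and the "No" for documentation (old row 99) are lost in the process. Restore the trailing cell on each row, for example `|| ... || See ''Development Process Transparency'' above. || Yes ||`, carrying the verdicts over from the sections being referenced.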
     
    108108|| Is this tool recommended by trainers or others in the field? || Unknown ||  ||
    109109|| How security-critical is the tool's functionality? || Being an anonymous network, other tools are dependent on its security. ||  ||
    110 || Is this project infrastructure that other tools depend on? || Yes, e.g. eepsites, torrent software || Yes ||
     110|| Is this project infrastructure that other tools depend on? || Yes, e.g. eepsites, torrent software, http://nightweb.net || Yes ||
    111111|| What does the project's growth curve look like? || Slow growth for the first 8 years, then large (exponential?) growth over the last few years. ||  ||
    112112|| Is this tool localized for significant at-risk populations? || We have translations for Arabic and Chinese (among others). ||  ||