<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Georgia;
panose-1:2 4 5 2 5 4 5 2 3 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.font
{mso-style-name:font;}
span.size
{mso-style-name:size;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:Consolas;
color:#1F497D;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:472531199;
mso-list-type:hybrid;
mso-list-template-ids:-1509279288 -1492629284 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Consolas;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'>Hello Caeley and David and welcome to the discussion,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'>Truly some good stuff here! With a mature SDLC and leveraging highly skilled volunteers, I think NTPsec is well on the way to its badge.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'>Being a Synopsys sales engineer (shill), I am pleased to see Coverity listed in the CII Best Practices criteria. While itself not being open source, the Coverity analysis service is freely available to FLOSS projects on our SCAN.COVERITY.COM site. Over 8,200 FLOSS projects are regularly receiving static analysis of quality and security issues - including two projects discussed here - NTPsec and GPSd.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'>In the Federal space, best practices and often contractual obligations require using at least two static analysis tools. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'>Potential complimentary tools might include cppcheck and clang analysis.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'>Additional testing may be of interest to projects based on, or implementing, networking protocols, again including NTPsec and GPSd.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'>Generational fuzz testing at the network layer ensures a robust implementation. NTPsec is currently fuzz tested using both Synopsys Defensics and Americian Fuzzy Lop (<a href="http://lcamtuf.coredump.cx/afl/">http://lcamtuf.coredump.cx/afl/</a>)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'>Mark, please let us know if there are any tasks leading to certification which may need to be assigned.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'>Best regards,<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'>Dan<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> devel [mailto:devel-bounces@ntpsec.org] <b>On Behalf Of </b>Mark Atwood<br><b>Sent:</b> Thursday, July 14, 2016 3:22 PM<br><b>To:</b> Looney, Caeley M (UNC) <clooney@ida.org><br><b>Cc:</b> Wheeler, David A <dwheeler@ida.org>; devel@ntpsec.org<br><b>Subject:</b> Re: CII Best Practices Badging Process - NTPsec<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-family:"Georgia",serif'>Hello Caeley and David,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'>Thank you for your offer to help the NTPsec Project improve our CII Badge score.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'>Yes, we would appreciate your help. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'>As you may know, the NTPsec Project's website is at <a href="http://ntpsec.org/">http://ntpsec.org/</a> and contains links to the project documentation, and links to our GitLab org account and git repos at <a href="https://gitlab.com/groups/NTPsec">https://gitlab.com/groups/NTPsec</a> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'>Please do check out the project, and let us know your suggestions at improving our score.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'>Also, do please keep CC <a href="mailto:devel@ntpsec.org">devel@ntpsec.org</a> on all emails about this, so we can maintain a public record and maintain full community participation.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'>..m<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'>-- <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'>Mark Atwood<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'>Project Manager pro tem, The NTPsec Project<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Georgia",serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>On Thu, Jul 14, 2016, at 12:36, Looney, Caeley M (UNC) wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p style='margin:0in;margin-bottom:.0001pt'><span class=size><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Good Afternoon!</span></span><o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span class=size><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span></span><o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span class=size><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>I work with David Wheeler at IDA on the CII Badging Process, and I noticed that NTPsec is making great progress towards getting its badge. I have been working to help other projects fill in their criteria and help further their progress status, and I’m reaching out to you to see if you’d like me to review your project and help fill in the application where necessary as well. Please let me know when you have the chance and I look forward to hearing back!</span></span><o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span class=size><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span></span><o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span class=size><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span></span><o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span class=size><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Thanks,</span></span><o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span class=size><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Caeley Looney</span></span><o:p></o:p></p></div></blockquote><div><p class=MsoNormal><span style='font-family:"Georgia",serif'> <o:p></o:p></span></p></div></div></body></html>