From 7c29dca673ec20b4178dbe5a4bef8d912884da11 Mon Sep 17 00:00:00 2001 From: "David A. Wheeler" Date: Thu, 25 Jun 2026 19:56:53 -0400 Subject: [PATCH] Update coreinfrastructure.org -> bestpractices.dev A while ago the production website moved from bestpractices.coreinfrastructure.org to www.bestpractices.dev. We automatically forward, but we really should be only giving the new URLs. This commit updates the live references across docs, the OpenAPI server URL, the Python client sample, and the README. We use the `www.bestpractices.dev` host (not the bare domain) because bare DNS domains complicate our Fastly CDN setup. The old "master" branch deployment no longer runs. The only pre-production running site is the staging branch deployment. Thus, load_self_json and the Fastly cache test now target staging.bestpractices.dev. This also adds a normalize_string rewrite in lib/tasks/default.rake so rake translation:sync converts stale old-domain references arriving via translation.io, mirroring the existing GitHub-organization rewrite. Deliberately preserve the old domain where it is historically accurate: - README's "previously was at" note about the former site. - The dated 2017-2018 TLS/header scan evidence in the assurance case, which was measured against the site as it existed then (under the old domain). - VCR cassettes (recorded HTTP responses with the old domain in frozen CSP headers). - config/machine_translations/pt-BR.yml (handled by the sync normalizer). Co-Authored-By: David A. Wheeler Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: David A. Wheeler --- README.md | 8 ++++---- best_practices.openapi.yaml | 2 +- docs/INSTALL.md | 4 ++-- docs/assurance-case.md | 6 +++--- docs/background.md | 4 ++-- docs/best_practices.py | 4 ++-- docs/case.ltac | 2 +- docs/case.md | 10 +++++----- docs/criteria-footer.markdown | 4 ++-- docs/criteria-header.markdown | 6 +++--- docs/criteria.md | 10 +++++----- docs/design.md | 4 ++-- docs/governance.md | 4 ++-- docs/implementation.md | 12 ++++++------ docs/other.md | 10 +++++----- docs/requirements.md | 4 ++-- docs/roadmap.md | 4 ++-- docs/scorecard-map.md | 6 +++--- docs/testing.md | 4 ++-- docs/vetting.md | 4 ++-- lib/tasks/default.rake | 13 +++++++++++-- script/fastly_test | 2 +- 22 files changed, 68 insertions(+), 59 deletions(-) diff --git a/README.md b/README.md index be8317d5a..8cdafd505 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@
- OpenSSF Best Practices  + OpenSSF Best Practices  OpenSSF Baseline  CircleCI Build Status  codecov  @@ -34,7 +34,7 @@ We support both our original "metal" badge criteria and the OpenSSF Baseline criteria. See the -*[OpenSSF Best Practices badge website](https://bestpractices.coreinfrastructure.org/)* if you want to try to actually get a badge. +*[OpenSSF Best Practices badge website](https://www.bestpractices.dev/)* if you want to try to actually get a badge. This is the development site for the criteria and badge application software that runs the website. @@ -55,8 +55,8 @@ the CII Best Practices badge. Interesting pages include: -* Badging **[Criteria for the passing level](https://bestpractices.coreinfrastructure.org/criteria/0)** -* **[Criteria for all badging levels](https://bestpractices.coreinfrastructure.org/criteria)** +* Badging **[Criteria for the passing level](https://www.bestpractices.dev/criteria/0)** +* **[Criteria for all badging levels](https://www.bestpractices.dev/criteria)** * Information on how to **[contribute](./CONTRIBUTING.md)** * Information on **[our own security, including how to report vulnerabilities in our badge application](./SECURITY.md)** * [Up-for-grabs](https://github.com/ossf/best-practices-badge/labels/up-for-grabs) diff --git a/best_practices.openapi.yaml b/best_practices.openapi.yaml index 10f40abfe..eb1e62d13 100644 --- a/best_practices.openapi.yaml +++ b/best_practices.openapi.yaml @@ -4,7 +4,7 @@ info: description: RESTful API for OpenSSF Best Practices badge website version: 1.0.0 servers: - - url: https://bestpractices.coreinfrastructure.org + - url: https://www.bestpractices.dev description: Main site paths: /{locale}/projects/{id}/{level}.{format}: diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 17cf223ef..2fed3ba3d 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -445,8 +445,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/docs/assurance-case.md b/docs/assurance-case.md index 6a4636739..f3c36f9ac 100644 --- a/docs/assurance-case.md +++ b/docs/assurance-case.md @@ -3508,7 +3508,7 @@ This is evidence that the BadgeApp application is applying practices expected in a well-run FLOSS project. You can see the -[CII Best Practices Badge entry for the BadgeApp](https://bestpractices.coreinfrastructure.org/en/projects/1/0). +[CII Best Practices Badge entry for the BadgeApp](https://www.bestpractices.dev/en/projects/1/0). Note that we achieve a gold badge. ### Organizational Controls @@ -3840,8 +3840,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/docs/background.md b/docs/background.md index 06b37dc6f..04dbe58ae 100644 --- a/docs/background.md +++ b/docs/background.md @@ -1761,8 +1761,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/docs/best_practices.py b/docs/best_practices.py index dbe523a47..00b27ccfe 100644 --- a/docs/best_practices.py +++ b/docs/best_practices.py @@ -1,5 +1,5 @@ #!/usr/bin/python3 -# Download JSON data from bestpractices.coreinfrastructure.org and analyze it. +# Download JSON data from www.bestpractices.dev and analyze it. # Since the JSON data is paged, we simply download each page in turn. # This is written to be simple code; it loads the entire dataset into memory. @@ -19,7 +19,7 @@ cached_filename = 'projects.json' # This is the base URL for project data. -base_url = 'https://bestpractices.coreinfrastructure.org/' + cached_filename +base_url = 'https://www.bestpractices.dev/' + cached_filename # Retrieve paged JSON data def retrieve_data(): diff --git a/docs/case.ltac b/docs/case.ltac index 4bddbabe2..de1c0f9a3 100644 --- a/docs/case.ltac +++ b/docs/case.ltac @@ -121,7 +121,7 @@ - Claim Controls: Certifications & controls provide confidence in operating results - Claim CIIBadge: CII Best Practices Badge certification is obtained - - Evidence CIIBadgeEv: BadgeApp achieves gold CII Best Practices Badge (https://bestpractices.coreinfrastructure.org/en/projects/1) + - Evidence CIIBadgeEv: BadgeApp achieves gold CII Best Practices Badge (https://www.bestpractices.dev/en/projects/1) - Claim OWASPClaim: All of the most common important implementation vulnerability types (weaknesses) countered - Strategy OWASPStrat: OWASP top 10 represents a broad consensus of the most critical web application security flaws diff --git a/docs/case.md b/docs/case.md index 659bef06e..f15b25906 100644 --- a/docs/case.md +++ b/docs/case.md @@ -6849,7 +6849,7 @@ This is evidence that the BadgeApp application is applying practices expected in a well-run FLOSS project. You can see the -[CII Best Practices Badge entry for the BadgeApp](https://bestpractices.coreinfrastructure.org/en/projects/1/0). +[CII Best Practices Badge entry for the BadgeApp](https://www.bestpractices.dev/en/projects/1/0). Note that we achieve a gold badge. @@ -6861,10 +6861,10 @@ Referenced by: **[Package Controls](#package-controls)** Supports: **[Claim CIIBadge](#claim-ciibadge)** -External Reference: [https://bestpractices.coreinfrastructure.org/en/projects/1](https://bestpractices.coreinfrastructure.org/en/projects/1) +External Reference: [https://www.bestpractices.dev/en/projects/1](https://www.bestpractices.dev/en/projects/1) -BadgeApp achieves gold CII Best Practices Badge. See [https://bestpractices.coreinfrastructure.org/en/projects/1](https://bestpractices.coreinfrastructure.org/en/projects/1). +BadgeApp achieves gold CII Best Practices Badge. See [https://www.bestpractices.dev/en/projects/1](https://www.bestpractices.dev/en/projects/1). ### Organizational Controls @@ -7195,8 +7195,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/docs/criteria-footer.markdown b/docs/criteria-footer.markdown index eca86c016..f2f2f38de 100644 --- a/docs/criteria-footer.markdown +++ b/docs/criteria-footer.markdown @@ -128,8 +128,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/docs/criteria-header.markdown b/docs/criteria-header.markdown index 75ced7a3e..9b64474ae 100644 --- a/docs/criteria-header.markdown +++ b/docs/criteria-header.markdown @@ -11,11 +11,11 @@ We've recently moved the criteria information to the active website! There you can see the -passing +passing criteria, -all +all criteria, and the -criteria discussion. +criteria discussion. This change makes it easier to see the real criteria in any language, as well as hide or reveal the details and rationale. diff --git a/docs/criteria.md b/docs/criteria.md index 7d5282b51..1db8b36c9 100644 --- a/docs/criteria.md +++ b/docs/criteria.md @@ -11,11 +11,11 @@ We've recently moved the criteria information to the active website! There you can see the -passing +passing criteria, -all +all criteria, and the -criteria discussion. +criteria discussion. This change makes it easier to see the real criteria in any language, as well as hide or reveal the details and rationale. @@ -596,8 +596,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/docs/design.md b/docs/design.md index 0c7fd5ab8..54a403294 100644 --- a/docs/design.md +++ b/docs/design.md @@ -494,8 +494,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/docs/governance.md b/docs/governance.md index 53d7a07ed..35e359c2c 100644 --- a/docs/governance.md +++ b/docs/governance.md @@ -306,8 +306,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/docs/implementation.md b/docs/implementation.md index 5e11e304b..fd226c751 100644 --- a/docs/implementation.md +++ b/docs/implementation.md @@ -482,12 +482,12 @@ See [security.md](./security.md) for more information. Users indicate the locale via the URL. The recommended form is at the beginning of that path, e.g., - + selects the locale "fr" (French) when displaying "/projects". This even works at the top page, e.g., -. +. It also supports the locale as a query parameter, e.g., - + ### Fixing locale data @@ -1407,7 +1407,7 @@ these keys from anywhere else: ## Project stats omission on 2017-02-28 The production site maintains a number of daily statistics and can -[display the statistics graphically](https://bestpractices.coreinfrastructure.org/project_stats), but it is +[display the statistics graphically](https://www.bestpractices.dev/project_stats), but it is missing a report for 2017-02-28. This was due to a multi-hour downtime in Amazon’s S3 web-based storage service, part of @@ -1595,8 +1595,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/docs/other.md b/docs/other.md index 513157d8f..436cd5586 100644 --- a/docs/other.md +++ b/docs/other.md @@ -7,11 +7,11 @@ We've recently moved the criteria information to the active website! There you can see the -passing +passing criteria, -all +all criteria, and the -criteria discussion. +criteria discussion. This change makes it easier to see the real criteria in any language, as well as hide or reveal the details and rationale. @@ -1703,8 +1703,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/docs/requirements.md b/docs/requirements.md index 8b3a8a4a7..091e958fe 100644 --- a/docs/requirements.md +++ b/docs/requirements.md @@ -140,8 +140,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/docs/roadmap.md b/docs/roadmap.md index 8085151aa..89e4b403a 100644 --- a/docs/roadmap.md +++ b/docs/roadmap.md @@ -65,8 +65,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/docs/scorecard-map.md b/docs/scorecard-map.md index b130cbd8e..ba73e9ea4 100644 --- a/docs/scorecard-map.md +++ b/docs/scorecard-map.md @@ -3,10 +3,10 @@ This is a map from the [OpenSSF Scorecard checks](https://github.com/ossf/scorecard/blob/main/docs/checks.md) to the -[OpenSSF Best Practices badge criteria](https://bestpractices.coreinfrastructure.org/en/criteria?details=true). +[OpenSSF Best Practices badge criteria](https://www.bestpractices.dev/en/criteria?details=true). Scorecard has 19 checks. -[The OpenSSF best practices criteria statistics](https://bestpractices.coreinfrastructure.org/en/criteria_stats) +[The OpenSSF best practices criteria statistics](https://www.bestpractices.dev/en/criteria_stats) has 67 criteria for passing, 48 new criteria for silver, and 14 new criteria for gold; adding 1 for the existence of the badge leaves 130 total criteria. Looking at the Scorecard checks, in sum: @@ -54,7 +54,7 @@ This maps to the OpenSSF best practices badge `test_continuous_integration`: ## CII-Best-Practices -> This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://bestpractices.coreinfrastructure.org/) at the passing, silver, or gold level. +> This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev/) at the passing, silver, or gold level. > > The OpenSSF Best Practices badge indicates whether or not that the project uses a set of security-focused best development practices for open source software. The check uses the URL for the Git repo and the OpenSSF Best Practices badge API. diff --git a/docs/testing.md b/docs/testing.md index 4753bb7d9..8d36274b1 100644 --- a/docs/testing.md +++ b/docs/testing.md @@ -341,8 +341,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/docs/vetting.md b/docs/vetting.md index 3afb94e92..92c6d583a 100644 --- a/docs/vetting.md +++ b/docs/vetting.md @@ -115,8 +115,8 @@ Project participation and interface: Criteria: -* [Criteria for passing badge](https://bestpractices.coreinfrastructure.org/criteria/0) -* [Criteria for all badge levels](https://bestpractices.coreinfrastructure.org/criteria) +* [Criteria for passing badge](https://www.bestpractices.dev/criteria/0) +* [Criteria for all badge levels](https://www.bestpractices.dev/criteria) Development processes and security: diff --git a/lib/tasks/default.rake b/lib/tasks/default.rake index df919fe09..368bfc8f1 100644 --- a/lib/tasks/default.rake +++ b/lib/tasks/default.rake @@ -290,7 +290,7 @@ desc 'Load current self.json' task :load_self_json do require 'json' require 'open-uri' - url = 'https://master.bestpractices.coreinfrastructure.org/projects/1.json' + url = 'https://staging.bestpractices.dev/projects/1.json' contents = URI.parse(url).open.read pretty_contents = JSON.pretty_generate(JSON.parse(contents)) File.write('docs/self.json', pretty_contents) @@ -452,7 +452,7 @@ namespace :fastly do desc 'Test Fastly Caching' task :test, [:site_name] do |_t, args| - args.with_defaults site_name: 'https://master.bestpractices.coreinfrastructure.org/projects/1/badge' + args.with_defaults site_name: 'https://staging.bestpractices.dev/projects/1/badge' puts 'Starting test of Fastly caching' verbose(false) do sh "script/fastly_test #{args.site_name}" @@ -592,6 +592,15 @@ def normalize_string(value, locale) value = value.gsub('github.com/coreinfrastructure/best-practices-badge', 'github.com/ossf/best-practices-badge') + # Forcibly substitute the old production domain with the current one. + # Our site moved from bestpractices.coreinfrastructure.org to + # www.bestpractices.dev (we use the www. host, not the bare domain, + # because bare DNS domains complicate our Fastly CDN setup). Like the + # GitHub-org rewrite above, this catches stale references that arrive + # via translation.io so we don't have to hand-edit translated strings. + value = value.gsub('bestpractices.coreinfrastructure.org', + 'www.bestpractices.dev') + return value if value.exclude?('<') # Google Translate generates html text that has predictable errors. diff --git a/script/fastly_test b/script/fastly_test index 8e3fe9af5..ebe1ae26d 100755 --- a/script/fastly_test +++ b/script/fastly_test @@ -1,6 +1,6 @@ #!/bin/sh -site_name=${1:-https://master.bestpractices.coreinfrastructure.org/projects/1/badge} +site_name=${1:-https://staging.bestpractices.dev/projects/1/badge} echo "Purging Fastly cache of badge for ${site_name}" curl -X PURGE "$site_name" || exit 1 echo