About the Foundation for Public Code

How we do audits in the open

This guide

Contents

  1. Principles
  2. Steps

This guide is intended to help codebase stewards start audits on a codebase.

Principles

As much as possible, audits should take place in the open and be done together with the community of the codebase.

Steps

  1. Get explicit approval to start an open audit by asking the maintainer. Consider communicating that the audit is starting, preferably by encouraging the maintainer to do it, and possibly on the blog as well.
  2. Create an issue in the repository for the codebase using the review template.
  3. Start auditing the codebase in collaboration with the community. Preferably, this involves more than one key contributor from the community and more than one codebase steward working together.
  4. If the audit makes discoveries that can be addressed, create issues for those in the repository for the codebase, preferably by encouraging the maintainer to do so.
  5. If many issues get created, ask to set up a Kanban board in the repository for the audit with the columns Backlog, In progress, Done.