Over the past year, we have been working towards the OpenSSF Best Practices certification for xclim (https://bestpractices.coreinfrastructure.org/en/projects/6041). We are currently hovering at 88% completion, as there are still a few things that are a bit labour-intensive that need to be addressed:
Vulnerability Reporting Processes
The project MUST publish the process for reporting vulnerabilities on the project site. (URL required; see "Enact security policy" #1604)
If private vulnerability reports are supported, the project MUST include how to send the information in a way that is kept private. (URL required; see "Enact security policy" #1604)
The project's initial response time for any vulnerability report received in the last 6 months MUST be less than or equal to 14 days. (N/A)
Warning Flags
The project MUST address warnings. (Completed)
It is SUGGESTED that projects be maximally strict with warnings in the software produced by the project, where practical. (Completed; this was already the case, but more extensively performed in "Drop Python3.8, support Pandas v2.2, reduce Warnings" #1565)
Secure Development Knowledge
The project MUST have at least one primary developer who knows how to design secure software.
I've completed this course as of December 2024. Valid for 2 years.
Dynamic Code Analysis
It is SUGGESTED that the project use a configuration for at least some dynamic analysis (such as testing or fuzzing) which enables many assertions. In many cases, these assertions should not be enabled in production builds. (N/A, but there certainly are cases where this kind of testing could be useful)
I would be willing to follow the Developing Secure Software training and would welcome others to do so as well (unsure of costs). Addressing these final suggestions will grant us the OpenSSF(/FAIR) software certification.
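As an added example (not xclim's code and not part of this issue) covering the two technical items in the checklist above, "maximally strict with warnings" and "dynamic analysis with many assertions enabled", the Python snippet below promotes warnings to exceptions at runtime, which is the same effect pytest's `filterwarnings = error` setting has on a test run, and exercises a function carrying internal invariant assertions with a seeded fuzz loop. The names `running_mean`, `fuzz_running_mean` and the generated integer inputs are constructed for illustration only. Python strips `assert` statements under `python -O`, which is what the checklist means by not enabling these assertions in production builds; `assertions_enabled()` reports which mode the interpreter is in.

```python
"""Added example: warnings-as-errors and assertion-backed fuzzing in plain Python."""
import random
import warnings


def assertions_enabled() -> bool:
    """True when `assert` statements are live (False under `python -O`)."""
    return __debug__


def strict_warnings_demo() -> bool:
    """Promote every warning inside the block to an exception.

    This mirrors pytest's `filterwarnings = error` configuration; a
    DeprecationWarning, which CPython would otherwise hide from end users,
    becomes a hard failure instead of silently scrolling past.
    Returns True if the warning was caught as an exception.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("error")
        try:
            warnings.warn("old API still in use", DeprecationWarning)
        except DeprecationWarning:
            return True
    return False


def running_mean(values, window):
    """Running mean over a sliding window (constructed helper, integer input).

    The `assert` lines are internal invariants, not input validation: they
    document what must hold if the implementation is correct, and they are
    exactly the checks a debug/fuzz build keeps and a `-O` build drops.
    """
    assert window > 0, "window must be positive"
    out = []
    for i in range(len(values) - window + 1):
        chunk = values[i:i + window]
        assert len(chunk) == window, "slice must be exactly one window wide"
        out.append(sum(chunk) / window)
    assert len(out) == max(0, len(values) - window + 1), "one mean per window position"
    if out:
        # Integer inputs keep this exact; float inputs would need a tolerance.
        lo, hi = min(values), max(values)
        assert all(lo <= m <= hi for m in out), "a mean cannot leave the input range"
    return out


def fuzz_running_mean(iterations: int = 1000, seed: int = 42) -> int:
    """Seeded fuzz loop: random lengths (including 0) and window sizes.

    Any invariant violation surfaces as an AssertionError with the failing
    input reproducible from the seed. Returns the number of cases run.
    """
    rng = random.Random(seed)
    runs = 0
    for _ in range(iterations):
        n = rng.randint(0, 30)
        values = [rng.randint(-100, 100) for _ in range(n)]
        window = rng.randint(1, 10)
        running_mean(values, window)
        runs += 1
    return runs


if __name__ == "__main__":
    print("assertions enabled:", assertions_enabled())
    print("warning promoted to error:", strict_warnings_demo())
    print("fuzz cases run:", fuzz_running_mean())
```

Running the file with `python -O` prints `assertions enabled: False` and the fuzz loop then checks nothing, which is the point the checklist makes: keep the invariant assertions on in CI and fuzz runs, and accept that a production build may strip them.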