Closed shanecoughlan closed 1 year ago
Replace Purpose with the following Scope statement to avoid confusion as per your suggestion.
1: Scope This document specifies the key requirements of a quality Open Source Software Security Assurance Program that establishes trust between organizations exchanging software solutions comprised of Open Source Software.
Noted, added to the repo README and closed.
On entering the GitHub repo for the security specification, viewers will see a purpose statement as below:
"Purpose: Establishing trust in the Open Source from which Software Solutions are built"
https://github.com/OpenChain-Project/Security-Assurance-Specification
Meanwhile, in the specification itself, there is a scope statement:
"1: Scope. This document specifies the key requirements of a quality Open Source Software Security Assurance Program that establishes trust between organizations exchanging software solutions comprised of Open Source Software."
https://github.com/OpenChain-Project/Security-Assurance-Specification/blob/main/Security-Assurance-Specification/2.0/en/openchain-security-specification-2.0.md
It is proposed that we align these two texts to ensure clarity. This proposal is based on off-list feedback received from a corporate entity in South Korea that flagged the potential for some confusion in people immediately understanding the reason for the specification existing.
The initially proposed alignment is to simply take the "Scope" language and replace the GitHub repo "Purpose" with a "Scope" section that duplicates this language.
However, there is a second proposal: it is possible to read "trust between organizations exchanging software solutions comprised of Open Source Software" as applicable to product / solution publication only rather than something also useful for the inbound / ingest phase of software from projects or other sources.
The second proposal is to consider adjusting the language in the specification from:
"This document specifies the key requirements of a quality Open Source Software Security Assurance Program that establishes trust between organizations exchanging software solutions comprised of Open Source Software."
to:
"This document specifies the key requirements of a quality Open Source Software Security Assurance Program that establishes trust between organizations using, developing or distributing software solutions comprised of Open Source Software."