The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.
Based on the conclusion of our Issue here https://github.com/ossf/s2c2f/issues/17#issuecomment-1736170808, we did not want to merge this PR. This PR was merged without our awareness. As a community we do not want the AUD-5 requirement added. We will work on creating a different requirement around leveraging OpenSSF Scorecard package scores, a 3rd party vetting service, and/or at least mitigated in other ways.
Reverts ossf/s2c2f#20
Based on the conclusion of our Issue here https://github.com/ossf/s2c2f/issues/17#issuecomment-1736170808, we did not want to merge this PR. This PR was merged without our awareness. As a community we do not want the AUD-5 requirement added. We will work on creating a different requirement around leveraging OpenSSF Scorecard package scores, a 3rd party vetting service, and/or at least mitigated in other ways.