Like every other organization, when a vulnerability gets disclosed, OpenSSF needs to figure out what the impact on its projects is. However, we currently don't have a good answer to the question: "does any OpenSSF project depend on package X?"
Given our mission, we ought to do better and be a role model. To that end we need to develop a system, and a policy to enforce it, so that we can answer this type of question very quickly, if not immediately.
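As an added illustration of what such a system could answer (this is example code, not OpenSSF's own tooling or a proposal the issue makes): assume each project publishes a CycloneDX-style JSON SBOM whose `components` list already includes transitive dependencies with package URLs (purls). Indexing those purls across projects turns "does any project depend on package X?" into a dictionary lookup, and an optional `fixed_in` bound narrows the answer to the versions an advisory would affect. The SBOMs, project names, versions and the `fixed_in` value below are constructed sample data.

```python
"""Answer "does any project depend on package X?" from per-project SBOM data.

Added example, not OpenSSF's code. Assumes each project ships a
CycloneDX-style JSON SBOM whose "components" list already contains
transitive dependencies, each identified by a package URL ("purl").
All SBOM contents below are constructed sample data.
"""
import json
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample SBOMs, one per hypothetical project (not real inventories).
SAMPLE_SBOMS = {
    "project-alpha": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "requests", "version": "2.31.0",
             "purl": "pkg:pypi/requests@2.31.0"},
            {"type": "library", "name": "urllib3", "version": "1.26.5",
             "purl": "pkg:pypi/urllib3@1.26.5"},
        ],
    }),
    "project-beta": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "purl": "pkg:golang/golang.org/x/crypto@v0.17.0"},
            {"type": "application", "name": "unidentified-vendored-blob"},  # no purl
        ],
    }),
    "project-gamma": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [{"type": "library", "purl": "pkg:pypi/urllib3@2.0.7"}],
    }),
}


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into
    (ecosystem, name, version). The namespace stays part of the name, which is
    what advisory identifiers such as 'golang.org/x/crypto' look like."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ecosystem, _, rest = body.partition("/")
    name, _, version = rest.partition("@")
    return ecosystem.lower(), unquote(name), unquote(version) or None


def build_index(sboms):
    """Map (ecosystem, name) -> [(project, version)] across all SBOMs."""
    index = defaultdict(list)
    for project, raw in sboms.items():
        for comp in json.loads(raw).get("components", []):
            purl = comp.get("purl")
            if not purl:
                continue  # components without a purl can't be matched reliably
            eco, name, version = parse_purl(purl)
            index[(eco, name)].append((project, version))
    return index


def _version_key(version):
    """Comparable tuple for dotted numeric versions such as '1.26.5' or
    'v0.17.0'. Pre-release and build metadata are dropped (a simplification)."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def projects_depending_on(index, ecosystem, name, fixed_in=None):
    """Sorted [(project, version)] that depend on the package. With fixed_in,
    only versions strictly below it are returned, i.e. the ones an advisory
    phrased as "fixed in <version>" would still affect."""
    hits = index.get((ecosystem.lower(), name), [])
    if fixed_in is not None:
        bound = _version_key(fixed_in)
        hits = [(p, v) for p, v in hits if v is not None and _version_key(v) < bound]
    return sorted(hits)


if __name__ == "__main__":
    idx = build_index(SAMPLE_SBOMS)
    print("urllib3 anywhere:", projects_depending_on(idx, "pypi", "urllib3"))
    # "fixed in 1.26.6" is a constructed bound, not a real advisory.
    print("urllib3 < 1.26.6:", projects_depending_on(idx, "pypi", "urllib3", fixed_in="1.26.6"))
```

The component without a purl is skipped on purpose: an inventory that cannot name a dependency cannot clear it either, so a policy built on this would also want to flag SBOM entries that lack identifiers rather than silently treating them as "not affected".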