ossf / tac

Technical Advisory Council
https://openssf.org

OpenSSF Projects dependencies management #309

Closed lehors closed 2 months ago

lehors commented 2 months ago

Like every other organization, when a vulnerability gets disclosed OpenSSF needs to figure out what the impact on its projects is. However, we currently don't have a good answer to the question: "does any OpenSSF project depend on package X?" Given our mission we ought to do better and be a role model. To that end we need to develop a system and a policy to enforce it so that we can come up with the answer to this type of question very quickly if not immediately.

lehors commented 2 months ago

@sevansdell beat me to it with #306 and #307