Suggestions for OSCM

[joshuagl]

While reviewing the OSCM in #4 I made various suggestions which @jonmuk requested I file a separate PR for. This is the requested PR.

Each change is as a separate git commit for easier review and cherry-picking. I propose we:

• replace "judgements" with "evaluations" d31fbca9d0b71a26931a3981b66f947d758c8227
• mention that component selection itself carries risk fb0747cb4bdb473ec61656c8745e22d538530606
• add a recommendation to use in-support versions of components 8b4bca6ffe6606791295695273b8cb709978f29f
• add a call to engage with upstream 7ed1dfff5a5f31e90f1625dc84871c05d6d28834

[joshuagl]

I pushed an additional commit to include suggestions from @thiswayman, thanks!

[joshuagl]

What are next steps for this, should there be a vote during a WG meeting or is it sufficient for the chair to approve/merge? cc @jonmuk