ossf / wg-securing-software-repos

OpenSSF Working Group on Securing Software Repositories

Add Principles for Package Repository Security #37

Closed steiza closed 5 months ago

steiza commented 7 months ago

For https://github.com/ossf/wg-securing-software-repos/issues/16

A security maturity model for package repositories, for assessing current capabilities and roadmapping future improvements.

steiza commented 5 months ago

Thank you everyone for your incredible feedback! The diversity of perspectives from different package repositories has made it clear there isn't a single linear path that makes sense for everyone. And yet I think this makes a map of security capabilities even more valuable as a way to share learnings, and for each ecosystem to consider what parts make sense for them. This document has improved considerably in the past two months, so again, thank you for your feedback.

We're going to cut a v0.1 release of this document today. While it feels great to hit that milestone, there's additional feedback on this pull request that we didn't get to and we need to still follow up on. I don't know exactly what that process will look like, but right now I think the most likely option is we'll open up a v0.2 pull request soon, to address feedback raised here as well as wider public feedback we get from the release of v0.1.