Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create 2024-Q3-BEST-WG.md #359
Create 2024-Q3-BEST-WG.md #359
Changes from all commits
fa9e206
96ddb2f
e4a6b8f
9af4c09
f2998f1
f4407f4
ee7507b
55c4f43
35634a2
d8f5d8b
01e3ae0
c79c501
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Inside the OpenSSF, I feel like people generally understand that Scorecard is a framework for maintainers to walk them through improving their secure software development practices - sort of a gamified maturity model, if you will.
Outside the OpenSSF, we've seen a fair amount of confusion as to if the Scorecard scores should be used by consumers of open source software as a way to boil down risk assessment into a single number, the most recent example of this being https://openssf.slack.com/archives/C019M98JSHK/p1720098402786119.
I think the OpenSSF is aligned on that Scorecard is meant for maintainers and not consumers. Have we thought about how we might adjust our messaging to prevent this confusion in the future? I'm specifically thinking of places like https://github.com/ossf/scorecard and https://securityscorecards.dev/, but I'm open to other suggestions!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Counter point: I've seen enterprises seek to understand scorecard/scores as a way to automate risk when they consume OSS, and create mechanisms to automate OSS ingestion. The Metrics API SIG (under the former Metrics and Metadata WG) was creating an API where enterprises could pull Scorecard and other data into their processes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Relevant scorecard issue: ossf/scorecard#4219
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Err... The README starts with: