Hi! +1
The sequence must be: measure -> think -> act. Not: act (in panic) -> think (oh, that ist not the correct way, or even worse: oh, this is the way the attacker wants us to go.) measure (we have a weakness) Best regards Christoph Am 04.04.24 um 20:11 schrieb Leon Fauster via devel:
One approach that would be at least bring some light into "weak" (non technical layer) components (albeit not sure how feasible it is), could be: - Checking the resources of a packaged project. Resources in terms of man or firm power that backup the project - Contribution activity of people - General activity of the project - Transparency of the workflow / tools and that for all projects that the distribution includes. Why? This would allow to plan internal review activities (or processes) more effectively. They would be directed to the "weak" components with higher priority (recurrent, actions). Like the current process for checking the license (SPDX) of a project, it could also collect such metrics right away.
-- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue