On Wed, 9 Mar 2022, Christian Schmitz wrote:
> Maybe you should create a support timeline for all dependencies.
> e.g. a library curl depends on is supported for 2 years after they make a
> release, then it gets deprecated and removed after latest 5 years or so.
I think maybe there are many more factors involved that make it hard to put
the requirements in an easy list like that. Like, for example, maybe a
compression library doesn't have the same expectations or development patterns
as a TLS library. Maybe a dependency just doesn't have any bugs left to fix.
I once thought it would be great if we could say that all our recommended
dependencies scored high in the "OpenSSF Best Practices Badge Program" [1] and
then that could've been a way to view dependencies, but I've given up or at
least postponed my hope of using that as a "filter".
[1] = https://bestpractices.coreinfrastructure.org/en
--
/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://curl.se/support.html
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html