On Wed, 9 Mar 2022, Christian Schmitz wrote:

> Maybe you should create a support timeline for all dependencies.
>
> e.g. a library curl depends on is supported for 2 years after they make a release, then it gets deprecated and removed after at the latest 5 years or so.

I think maybe there are many more factors involved that make it hard to put the requirements in an easy list like that. Like for example maybe a compression library doesn't have the same expectations or development patterns as a TLS library. Maybe a dependency just doesn't have any bugs left to fix.

I once thought it would be great if we could say that all our recommended dependencies scored high in the "OpenSSF Best Practices Badge Program" [1] and then that could've been a way to view dependencies, but I've given up or at least postponed my hope of using that as a "filter".

[1] = https://bestpractices.coreinfrastructure.org/en

--

 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html