On Sun, 31 Mar 2024 at 17:06, Dirk-Willem van Gulik <[email protected]> wrote:
>
> Just to capture a suggestion that Andrew Purtell made during the
> cve-2024-3094 triage:
>
> > What would make sense, if we are tossing ideas around as asides, is
> > providing PMCs and devs resources that help identify problematic
> > dependencies. A Snyk subscription. Or a Sonatype offering. The GitHub
> > integration already provides notification of problematic dependencies via
> > GitHub's Dependabot.
>
> Which I think are good suggestions and worth following up on.
>
> > And then perhaps consider as a factor in Whimsy's community health metric
> > how many unaddressed security issues exist in a project's code bases.

Whimsy is not involved in the community health metrics.
AIUI they are generated by Reporter, possibly with help from Kibble.

> Which I like as it is more positive than the current security@ feedback
> options that are all late (with warnings quite private unless you track the
> (public) board minutes) and of the draconian type. This would be a more
> positive & early feedback cycle.
>
> Thanks,
>
> Dw
