On Sun, Mar 31, 2024 at 11:06 AM Dirk-Willem van Gulik <[email protected]> wrote:
> Just to capture a suggestion that Andrew Purtell made during the
> cve-2024-3094 triage:
>
> > What would make sense, if we are tossing ideas around as asides, is
> > providing PMCs and devs resources that help identify problematic
> > dependencies. A Snyk subscription. Or a Sonatype offering. The GitHub
> > integration already provides notification of problematic dependencies via
> > GitHub's Dependabot.
>

+1. I think there's an existing relationship with Sonatype around Maven already, and I know they were working extensively on integrating several projects with Lift before that was sunset. Perhaps they could be asked to offer an in-kind donation? We should research what the replacement (Sonatype Develop) offers.

> Which I think are good suggestions and worth following up on.
>
> > And then perhaps consider as a factor in Whimsy's community health
> > metric how many unaddressed security issues exist in a project's code
> > bases.
>
> Which I like as it is more positive than the current security@ feedback
> options that are all late (with warnings quite private unless you track the
> (public) board minutes) and of the draconian type. This would be a more
> positive & early feedback cycle.
>
> Thanks,
>
> Dw
