On Mon, Apr 1, 2024 at 12:06 AM Dirk-Willem van Gulik <[email protected]> wrote: > > Just to capture a suggestion that Andrew Purtell made during the > cve-2024-3094 triage: > > > What would make sense, if we are tossing ideas around as asides, is > > providing PMCs and devs resources that help identify problematic > > dependencies. A Snyk subscription. Or a Sonatype offering. The GitHub > > integration already provides notification of problematic dependencies via > > GitHub's Dependabot.
+1 to leverage the security tool to help us identify the security issue without adding burden to the developer. > > Which I think are good suggestions and worth following up on. > > > And then perhaps consider as a factor in Whimsey's community health metric > > how many unaddressed security issues exist in a project's code bases. > > > Which I like as it is more positive than the current security@ feedback > options that are all late (with warnings quite private unless you track the > (public) board minutes) and of the draconian type. This would be a more > positive & early feedback cycle. > > Thanks, > > Dw > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
