Cost-benefit analysis #2627
Comments
I don't think it does. If anything
I've been trying to figure that out too: systemd/systemd#25205 (comment) and got some sort of cease and desist in the process.
To be fair, I'm actually subscribed to a bunch of SBOM-related issues (mostly to figure out how far "consumers" are willing to go to shift their responsibilities to upstream projects), and I've just seen a comment where the idea of generating SBOMs upstream was questioned in terms of the usability implications for maintainers, so it seems my comment wasn't entirely accurate and those questions are actually raised sometimes. I don't know where that conversation will go, but it's good to know that it's discussed at least.
Stale issue message - this issue will be closed in 7 days
This issue is stale because it has been open for 60 days with no activity.
NumPy recently received a PR numpy/numpy#23131 to add various checks and changes, based on a step-security-bot. The recommendations here were used as reasons to add the requested checks and changes. Do you have any connection to that service?
Does the ossf do a cost-benefit analysis of the suggestions? Maybe alongside the recommendations you could state what the expected maintainer burden might be. I find the static analysis tools particularly costly. Especially in a world of volunteer contributors, asking them to service automated scans and third-party tools can become quite burdensome.