documentation_security: N/A should be an option
ljharb opened this issue · 4 comments
This metric says:
The project MUST document what the user can and cannot expect in terms of security from the software produced by the project
Many projects produce no software at all, so for these projects, it should be N/A - but that's not an option.
Hmm... you're right!! Okay, we'll have to fix that. Thanks for letting us know.
I will add that I found the words "project produce software" very confusing - to me, the project IS software, and it only PRODUCES software if it's generating code. However, I've started to suspect that the way this is intended is that the project is conceptual, and the software it "produces" is whatever's released?
The intent was to be clear. The "software produced by the project" is whatever software the project produces. The idea is that a software being produced is a thing; the project is the group of people, processes, etc., that produce the software. Does that help?
Yes, I think that clarifies the intent - I'd misunderstood it because to me, the project is the software, not the people.