Create Supplemental Material for deeper dives and clarification

Question

adriandiglio opened this issue a year ago · 2 comments

Definition of Supplemental Material: A 1-2 page write up to provide clarification on certain scenarios.

Example list of initial Supplemental Guides:

How S2C2F applies to C/C++ OSS
How OSS consumers SHOULD use metadata (i.e. OSS Scorecard) to make their own risk-based policies for consumption
How S2C2F applies to Linux rpm/deb packages
How to securely configure package source files for ENF-1
Elaborate on validating provenance (AUD-1), to include validating SLSA provenance

Answer 1 · 2023-07-13T19:56:29.000Z

Another supplemental guide example that came up was one about branch protections and approvals

Answer 2 · 2024-04-09T09:08:08.000Z

It would be great to see some supplemental guidance around AUD-5 / Validate the author of your OSS.