John Speed Meyers

Results 37 comments of John Speed Meyers

@fredgan , I've been considering building and analyzing a dataset of POPULAR oss packages and measuring SOME aspects (2-person review and evidence of provenance and SBOM) of their SLSA levels....

I'd support the idea that it's "all dependencies, including transitive dependencies" and have the language make that clear. But there's room for differing views.

@06kellyjac, the OpenSSF Integrity working group meeting on June 22, 2022 at noon ET will discuss this task. Myself and others have formulated a proposal along the lines of what...

Thought I would add this dataset of all publicly known software supply chain compromises that I and others have been maintaining: https://github.com/IQTLabs/software-supply-chain-compromises Perhaps this dataset should be moved to the...

@david-a-wheeler, thank you for the response. That sounds like a reasonable plan to me, though I have a modest amendment to propose. Adding @inferno-chromium, @MarkLodato, @trishankatdatadog, and @dlorenc if they...

@bureado, I second your points and proposal. Let me know if, when, and how you think others (to include myself) can be of assistance.

@inferno-chromium and @trishankatdatadog, I do have cycles for this project. If @bureado is willing to co-lead it with me, I am glad to pitch in! @bureado, do you have time...

I like ossf/oss-compromises but am willing to consider others. What do the rest of you prefer? Thank you, @inferno-chromium, for keeping this moving.

@bureado, perhaps you and I (and any interested parties) should synchronously meet and discuss data structure options?