Review marked-up review from Melba Lopez

Open david-a-wheeler opened this issue 1 year ago • 2 comments

On 2023-06-06 Melba Lopez walked through a number of comments on the S2C2 document. See the WG meeting notes for the discussion we had then. We need to walk through the rest of the comments & then decide what to do about them. I'll be attaching the PDF she shared via Slack.

david-a-wheeler, Jun 06 '23 20:06

Here is the PDF document with Melba's comments: Secure_Supply_Chain_Consumption_Framework_(S2C2F).pdf

david-a-wheeler, Jun 06 '23 20:06

PR #25 addresses the following:

  • Page 7: Overlap with SLSA - addressed in Appendix (and refer to #14)
  • Page 7: Branch protections/checks - this is now an idea for a supplemental guide in #24
  • Page 8: Cloud agnostic - removed Azure reference
  • Page 9: EOL - added EOL reference
  • Page 10: Define "trusted sources" - removed to become "organization-defined approved sources"
  • Page 13: Maintainers to tag EOL - this guide focuses on consumption, not on the maintainers, so this suggestion is out of scope.
  • Page 13: Aspirational definition - clarified that it is aspirational as it is difficult to implement at scale.
  • Page 13: "Do not occur" vs. "may not occur" - changed to "may not occur"

The following issues are outstanding:

  • Page 4: JFrog Artifactory suggestion
  • Page 10: Internal repo/mirror of OSS contradiction
  • Page 13: SCIWG holistic 3 levels
  • Page 13: Verbiage to lead into SLSA

jasminewang0, Jul 13 '23 20:07