s2c2f icon indicating copy to clipboard operation
s2c2f copied to clipboard

Published 20 hours ago verified publisher icon ossf

Create Supplemental Material for deeper dives and clarification

Open adriandiglio opened this issue 1 year ago • 2 comments

Definition of Supplemental Material: A 1-2 page write up to provide clarification on certain scenarios.

Example list of initial Supplemental Guides:

  • How S2C2F applies to C/C++ OSS
  • How OSS consumers SHOULD use metadata (i.e. OSS Scorecard) to make their own risk-based policies for consumption
  • How S2C2F applies to Linux rpm/deb packages
  • How to securely configure package source files for ENF-1
  • Elaborate on validating provenance (AUD-1), to include validating SLSA provenance

adriandiglio avatar Jun 23 '23 23:06 adriandiglio

Another supplemental guide example that came up was one about branch protections and approvals

jasminewang0 avatar Jul 13 '23 19:07 jasminewang0

It would be great to see some supplemental guidance around AUD-5 / Validate the author of your OSS.

joshuagl avatar Apr 09 '24 09:04 joshuagl