security-baseline

Define "maintainer" in the Baseline's lexicon

Open trumant opened this issue 10 months ago • 3 comments

Overview

grep "maintainer" baseline/*.yaml --context=5

baseline/OSPS-DO.yaml-title: Documentation
baseline/OSPS-DO.yaml-description: |
baseline/OSPS-DO.yaml-  Documentation focuses on the information
baseline/OSPS-DO.yaml:  provided to users, contributors, and maintainers
baseline/OSPS-DO.yaml-  of the project. These controls help ensure that
baseline/OSPS-DO.yaml-  the project's documentation is comprehensive,
baseline/OSPS-DO.yaml-  accurate, and up-to-date, enabling users to
baseline/OSPS-DO.yaml-  understand the project's features and functionality, maintenance, support,
baseline/OSPS-DO.yaml-  security and release practices.
--
baseline/OSPS-DO.yaml-  - id: OSPS-DO-05
baseline/OSPS-DO.yaml-    title: |
baseline/OSPS-DO.yaml-      The project documentation MUST provide a descriptive statement when
baseline/OSPS-DO.yaml-      releases or versions will no longer receive security updates.
baseline/OSPS-DO.yaml-    objective: |
baseline/OSPS-DO.yaml:      Communicating when the project maintainers will no longer fix defects or
baseline/OSPS-DO.yaml-      security vulnerabilities is crucial for downstream consumers to find
baseline/OSPS-DO.yaml-      alternative solutions or alternative means of support for the project.
baseline/OSPS-DO.yaml-    mappings:
baseline/OSPS-DO.yaml-      - reference-id: CRA
baseline/OSPS-DO.yaml-        identifiers:
--
baseline/OSPS-GV.yaml-        applicability:
baseline/OSPS-GV.yaml-          - Maturity Level 2
baseline/OSPS-GV.yaml-          - Maturity Level 3
baseline/OSPS-GV.yaml-        recommendation: |
baseline/OSPS-GV.yaml-          Document project participants and their roles through such artifacts
baseline/OSPS-GV.yaml:          as members.md, governance.md, maintainers.md, or similar file within
baseline/OSPS-GV.yaml-          the source code repository of the project.
baseline/OSPS-GV.yaml-          This may be as simple as including names or account handles in a list
baseline/OSPS-GV.yaml:          of maintainers, or more complex depending on the project's governance.
baseline/OSPS-GV.yaml-      - id: OSPS-GV-01.02
baseline/OSPS-GV.yaml-        text: |
baseline/OSPS-GV.yaml-          While active, the project documentation MUST include descriptions of
baseline/OSPS-GV.yaml-          the roles and responsibilities for members of the project.
baseline/OSPS-GV.yaml-        applicability:
baseline/OSPS-GV.yaml-          - Maturity Level 2
baseline/OSPS-GV.yaml-          - Maturity Level 3
baseline/OSPS-GV.yaml-        recommendation: |
baseline/OSPS-GV.yaml-          Document project participants and their roles through such artifacts
baseline/OSPS-GV.yaml:          as members.md, governance.md, maintainers.md, or similar file within
baseline/OSPS-GV.yaml-          the source code repository of the project.
baseline/OSPS-GV.yaml-
baseline/OSPS-GV.yaml-  - id: OSPS-GV-02
baseline/OSPS-GV.yaml-    title: |
baseline/OSPS-GV.yaml-      The project MUST have one or more mechanisms for public discussions
--
baseline/OSPS-GV.yaml-          - Maturity Level 2
baseline/OSPS-GV.yaml-          - Maturity Level 3
baseline/OSPS-GV.yaml-        recommendation: |
baseline/OSPS-GV.yaml-          Create a CONTRIBUTING.md or CONTRIBUTING/ directory to outline the
baseline/OSPS-GV.yaml-          contribution process including the steps for submitting changes, and
baseline/OSPS-GV.yaml:          engaging with the project maintainers.
baseline/OSPS-GV.yaml-      - id: OSPS-GV-03.02
baseline/OSPS-GV.yaml-        text: |
baseline/OSPS-GV.yaml-          While active, the project documentation MUST include a guide for code
baseline/OSPS-GV.yaml-          contributors that includes requirements for acceptable contributions.
baseline/OSPS-GV.yaml-        applicability:
--
baseline/OSPS-SA.yaml-
baseline/OSPS-SA.yaml-  - id: OSPS-SA-03
baseline/OSPS-SA.yaml-    title: |
baseline/OSPS-SA.yaml-      The project MUST assess the security posture of all software assets.
baseline/OSPS-SA.yaml-    objective: |
baseline/OSPS-SA.yaml:      Provide project maintainers an understanding of how the software can be
baseline/OSPS-SA.yaml-      misused or broken allows them to plan mitigations to close off the potential
baseline/OSPS-SA.yaml-      of those threats from occurring.
baseline/OSPS-SA.yaml-    mappings:
baseline/OSPS-SA.yaml-      - reference-id: BPB
baseline/OSPS-SA.yaml-        identifiers:
--
baseline/lexicon.yaml-- term: OpenEoX
baseline/lexicon.yaml-  definition: |
baseline/lexicon.yaml-    An initiative aimed at standardizing the way
baseline/lexicon.yaml-    End-of-Life and End-of-Support information is 
baseline/lexicon.yaml-    exchanged within the software and hardware industries.
baseline/lexicon.yaml:    Covering both vendors and open-source maintainers,
baseline/lexicon.yaml-    OpenEoX strives to provide a transparent, efficient, 
baseline/lexicon.yaml-    and unified approach to managing product lifecycles.
baseline/lexicon.yaml-  references:
baseline/lexicon.yaml-    - https://openeox.org/
baseline/lexicon.yaml-- term: Exploitable Vulnerabilities
--
baseline/lexicon.yaml-    acting as an equivalent to the primary
baseline/lexicon.yaml-    branch.
baseline/lexicon.yaml-- term: Private Vulnerability Reporting
baseline/lexicon.yaml-  definition: |
baseline/lexicon.yaml-    The process of privately reporting a
baseline/lexicon.yaml:    vulnerability to the project maintainers or
baseline/lexicon.yaml-    security team before disclosing it publicly.
baseline/lexicon.yaml-    This allows the project to address the issue
baseline/lexicon.yaml-    before it becomes widely known.
baseline/lexicon.yaml-  synonyms:
baseline/lexicon.yaml-    - Private Vulnerability Disclosure
--
baseline/lexicon.yaml-  definition: |
baseline/lexicon.yaml-    The act of identifying and documenting
baseline/lexicon.yaml-    exploitable vulnerabilities in released
baseline/lexicon.yaml-    software assets. This may include privately
baseline/lexicon.yaml-    or openly reporting vulnerabilities to
baseline/lexicon.yaml:    maintainers, security teams, or the public,
baseline/lexicon.yaml-    as well as tracking the resolution of these
baseline/lexicon.yaml-    vulnerabilities.
baseline/lexicon.yaml-  synonyms:
baseline/lexicon.yaml-    - Coordinated Vulnerability Disclosure
baseline/lexicon.yaml-  references:

We define Contributor and Collaborator and User, but not Maintainer

trumant, May 13 '25 16:05
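An added example, not part of the issue or of the security-baseline repository, showing how the gap the issue points out could be caught automatically rather than by an ad-hoc grep: a small Python script collects the `- term:` entries from a lexicon file, scans the baseline YAML for a list of role nouns (case-insensitively, so a capitalised "Maintainer" is found too), and reports every role that is used but has no lexicon entry. The lexicon and baseline excerpts are constructed samples in the shape of the grep output above, and `ROLE_TERMS` is a hypothetical list of terms to audit.

```python
import re

# Constructed sample in the shape of baseline/lexicon.yaml (not the real file)
LEXICON_YAML = """\
- term: Contributor
  definition: |
    Anyone who submits a change to the project.
- term: Collaborator
  definition: |
    A contributor who has been granted additional permissions.
- term: User
  definition: |
    Anyone who consumes the project's software assets.
"""

# Constructed excerpts modelled on the grep output in the issue; not the real files
BASELINE_FILES = {
    "baseline/OSPS-GV.yaml": """\
        recommendation: |
          Create a CONTRIBUTING.md or CONTRIBUTING/ directory to outline the
          contribution process including the steps for submitting changes, and
          engaging with the project maintainers.
""",
    "baseline/OSPS-DO.yaml": """\
    objective: |
      Communicating when the project maintainers will no longer fix defects or
      security vulnerabilities is crucial for downstream users and consumers.
""",
}

# Hypothetical list of role nouns to audit; extend as the Baseline grows
ROLE_TERMS = ("contributor", "collaborator", "user", "maintainer")


def defined_terms(lexicon_text):
    """Collect `- term:` values from lexicon YAML, lower-cased, adding a
    singular alias for plural terms so 'Maintainers' would cover 'maintainer'."""
    terms = set()
    for match in re.finditer(r"^-\s*term:\s*(.+?)\s*$", lexicon_text, re.M):
        term = match.group(1).lower()
        terms.add(term)
        if term.endswith("s"):
            terms.add(term[:-1])
    return terms


def role_usages(files, roles):
    """Map each role to (filename, line_number, line) triples where the bare
    word or its plural appears, ignoring case."""
    usages = {}
    for filename, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for role in roles:
                if re.search(rf"\b{role}s?\b", line, re.I):
                    usages.setdefault(role, []).append((filename, lineno, line.strip()))
    return usages


def undefined_roles(lexicon_text, files, roles):
    """Roles that the baseline files use but the lexicon does not define."""
    defined = defined_terms(lexicon_text)
    return {role: locs for role, locs in role_usages(files, roles).items()
            if role not in defined}


if __name__ == "__main__":
    for role, locs in undefined_roles(LEXICON_YAML, BASELINE_FILES, ROLE_TERMS).items():
        print(f"'{role}' is used but has no lexicon entry:")
        for filename, lineno, line in locs:
            print(f"  {filename}:{lineno}: {line}")
```

Run against the real repository, `LEXICON_YAML` and `BASELINE_FILES` would be read from `baseline/lexicon.yaml` and `baseline/*.yaml`; the check is cheap enough to run in CI so that a term can't be introduced into a control without a matching lexicon entry.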