"When the project has made a release" is confusing
Does it mean "if there has ever been a release, do X" or "for every release, do X"? For some controls the former makes sense to me (e.g. OSPS-SA-03.02), while for other controls the latter does (e.g. OSPS-QA-02.02).
If it's the former, what's the point? Why would I follow this checklist for a project that will never be released? If the release hasn't happened yet, of course I won't do release-related tasks until there is a release.
This problem is very similar to https://github.com/ossf/security-baseline/issues/398
Thanks for raising this point! I agree that we're probably conflating two related-but-different cases.