
Consider using functional tagging to identify projects critical to trust

Open bureado opened this issue 3 years ago • 0 comments

Taking inspiration from https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/critical-software-definition-explanatory and https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/critical-software-definition-faqs#Ref_FAQ3, could we use the techniques from #41 to identify additional projects that operate on the network or run with privileges, at least on Linux systems?

Examples from debtags include: https://debtags.debian.org/reports/facets/security (n=900) and https://debtags.debian.org/reports/taginfo/works-with::network-traffic (n=100), as well as https://debtags.debian.org/reports/taginfo/admin::user-management (n=100) and https://debtags.debian.org/reports/taginfo/admin::virtualization (n=400).

Another approach involves using privilege definitions: package manifests and full paths merged with, e.g.:

https://gitlab.com/apparmor/apparmor-profiles/-/tree/master/ubuntu/20.04
https://github.com/netblue30/firejail/tree/master/etc

bureado · Jan 11 '22 04:01
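A worked sketch of the triage the issue proposes (debtags facets plus confinement profiles mapped back to packages through their manifests), added here as an illustration and not code from the issue or the working group. It assumes a debtags dump in `package: tag, tag` form, a constructed manifest standing in for `dpkg -L` output, constructed AppArmor-style profile names, and a tag-to-risk mapping that is itself an assumption.

```python
from collections import defaultdict

# Constructed sample in the 'package: tag, tag' shape of a debtags dump (real tag vocabulary, illustrative assignments).
SAMPLE_TAGDB = """\
openssh-server: admin::login, interface::daemon, network::server, security::authentication, works-with::network-traffic
sudo: admin::user-management, role::program, security::privileges
libvirt-daemon: admin::virtualization, interface::daemon, role::program
fortune-mod: game::toys, role::program
"""
# Constructed stand-ins for `dpkg -L` manifests and an AppArmor profiles checkout.
SAMPLE_MANIFEST = {
    "openssh-server": ["/usr/sbin/sshd", "/usr/lib/openssh/sftp-server"],
    "libvirt-daemon": ["/usr/sbin/libvirtd"],
}
SAMPLE_PROFILES = ["usr.sbin.sshd", "usr.sbin.libvirtd", "usr.bin.man"]
# Assumed mapping: tags the issue names as proxies for network exposure or privilege, plus the whole security:: facet.
CRITICAL_TAGS = {"works-with::network-traffic": "network", "interface::daemon": "network",
                 "admin::user-management": "privilege", "admin::virtualization": "privilege"}
CRITICAL_FACETS = {"security": "privilege"}

def parse_debtags(text):
    """Parse 'package: tag, tag, ...' lines into {package: set_of_tags}."""
    db = {}
    for line in text.splitlines():
        pkg, sep, rest = line.partition(":")
        if sep:
            db[pkg.strip()] = {t.strip() for t in rest.split(",") if t.strip()}
    return db

def profile_path(profile_name):
    """AppArmor names profiles by path with dots for slashes: 'usr.sbin.sshd' -> /usr/sbin/sshd.
    Caveat: a binary whose own name contains a dot cannot be mapped back unambiguously."""
    return "/" + profile_name.replace(".", "/")

def owner_of(path, manifest):
    """Reverse manifest lookup (what `dpkg -S` answers on a live system); None if unowned."""
    return next((pkg for pkg, files in manifest.items() if path in files), None)

def classify(tagdb, manifest, profiles):
    """Return {package: sorted reasons} for every package with at least one signal."""
    reasons = defaultdict(set)
    for pkg, tags in tagdb.items():
        for tag in tags:
            kind = CRITICAL_TAGS.get(tag) or CRITICAL_FACETS.get(tag.split("::", 1)[0])
            if kind:
                reasons[pkg].add(f"{kind}:{tag}")
    for name in profiles:  # a shipped confinement profile is itself a privilege signal
        pkg = owner_of(profile_path(name), manifest)
        if pkg is not None:
            reasons[pkg].add(f"confined:{name}")
    return {pkg: sorted(r) for pkg, r in reasons.items()}
```

On a real system the same logic would read `/var/lib/debtags/package-tags`, the `dpkg -L` output per package, and the file names under the profile directories linked above.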