Salve J. Nilsen

Results: 62 comments of Salve J. Nilsen

> > With that said, those stats are useful! Can we integrate these somehow? (e.g. convert it to JSON and visualize it somehow in the UI?) If the code producing...

> > Oh nice! Is this documented somewhere?
>
> https://www.pm.org/faq/hosting.html#social

Right. Thanks. This isn't reflected in [the DTD](https://github.com/perlorg/www.pm.org/blob/master/perl_mongers.dtd), though. Also, after letting this sink in for a moment, "social...

Just for adding some clarity: the SBOMs (Software Bill of Materials) are meant for keeping track of metadata related to different aspects of a software product, component or project. Think...

> This is something that needs doing. For example, we don't have a canonical source for the Camelia image or favicon. Yeah, a core assets library would be the right...

FSFE's [reuse](https://reuse.software/) specification [version 3.3](https://reuse.software/spec-3.3/#covered-and-ignored-files) talks about `.reuse` and `LICENSES`. Maybe too narrow naming for what's suitable for metadata in general, no?

Would it make sense to revive this ticket, in light of https://www.getsafety.com/blog-posts/shai-hulud-npm-attack and https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised ? I'd love to see GitHub produce SBOMs describing what actions were used during a run,...

I think a `COMPLIANCE.md` file *can* be made useful, assuming we're crystal clear about a couple of things.

1. Complete clarity on who is the intended audience of the message...

Seems I made a mistake in the merge; apologies!

This needs also a "success" severity.

> @sjn re:
>
> > This needs also a "success" severity.
>
> IMHO success is the default state, do you think we need this explicitly?

Yes, because sometimes...