Hi! +1 The sequence must be: measure -> think -> act. Not: act (in panic) -> think (oh, that ist not the correct way, or even worse: oh, this is the way the attacker wants us to go.) measure (we have a weakness) Best regards Christoph Am 04.04.24 um 20:11 schrieb Leon Fauster via devel:
One approach that would be at least bring some light into "weak" (non technical layer) components (albeit not sure how feasible it is), could be: - Checking the resources of a packaged project. Resources in terms of man or firm power that backup the project - Contribution activity of people - General activity of the project - Transparency of the workflow / tools and that for all projects that the distribution includes. Why? This would allow to plan internal review activities (or processes) more effectively. They would be directed to the "weak" components with higher priority (recurrent, actions). Like the current process for checking the license (SPDX) of a project, it could also collect such metrics right away.
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
