The OpenSSF is supposedly an important organization of experts, but I only know two things about them: the scorecard that has been unhelpful for Flask for years, and the terrible post about xz. Here's what overworked maintainers actually need from a group of security experts: direct long term contribution, to teach and improve a project's security. Don't just show us a big list of extra work, directly contribute to help us fulfill the list. #OpenSource #OpenSSF
@davidism but the xz debacle has shown us it's hard to vet people that want to help. Even just offering to help adds more work for the current maintainer.
If it's a trusted group, that would probably make it easier, but still.