webmink (@webmink@meshed.cloud)

Looks like the big foundations have got tired of being blocked by the massif and the @EU_Commission over standards and are organising their own initiative.

https://eclipse-foundation.blog/2024/04/02/open-source-community-cra-compliance/

Sweetshark (@Sweetshark@chaos.social)

@webmink @EU_Commission That sounds close to what https://slsa.dev aims for, but with specific focus on EU/CRA?

luis_in_brief (@luis_in_brief@social.coop)

@Sweetshark @webmink SLSA was designed from a blank-ish slate (“what would good secure software look like”); this will presumably be designed to meet the specific requirements of the CRA, which have similar goals in theory but probably will end up very different in practice.

(One could also note that SLSA has had ~ zero uptake in practice, because it was designed internally to Google and so is impracticable for most open source projects to implement; one hopes that this will be better.)

Sweetshark (@Sweetshark@chaos.social)

@luis_in_brief @webmink One thing well done about SLSA is that it has levels, and the lower ones are reasonably easy to achieve. Thus it is easier to convince TPTB to invest "just a little" to start moving in the right direction.

Recommend to consider something similar.

luis_in_brief (@luis_in_brief@social.coop)

@Sweetshark @webmink I don't have my written analysis handy, and it's been a couple of years, but last I looked it was essentially impossible for solo maintainers (i.e., the median maintainer) to achieve even the lowest level. Which may be in some sense accurate, but isn't very useful.

We did similar research on Scorecards that we published here; it was doable, but there were a lot of rough edges in documentation and implementation for many solo maintainers: https://blog.tidelift.com/new-data-showing-the-impact-of-paying-maintainers-to-improve-open-source-security
