Re: [open-regulatory-compliance] Open Source Steward: Role description

On 12 Jun 2024, at 16:41, Moser Sarah RDL DISDS3 via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Maybe I am a bit too deeply focused on details, but are there any initiatives to agree on and define the role of an Open Source Steward?
It would definitely help the industry to find the right people or to develop them.

That would be most useful - and get to the core of the matter: vulnerability handling and risk-based triage. CVEs and solid/stable identifiers for CPEs; dealing with EOLs; dealing with retired packages and reports against these; dealing with things like version numbers & what happens when you need to burn a release/never release it, and so on. A lot of practical work to be done.

All things we do today; often with solid risk/impact/etc driven approaches. But not well documented or described.

Dw
