Considerations for projects that dont fit modern repo management practices

[TheFoxAtWork]

In Risk Management, we occasionally need to apply tailored controls or compensating mechanisms that achieve or partially meet the desired outcome. This could be the result of technical limitations, design, or other factors that impact or block security outcomes.

In the course of this group's work, should we consider development of guidance for adopters where projects, by design or technical limitation, cannot provide metadata to align with the metric? Should we guide projects on compensating mechanisms that offset risk their project may present to potential adopters?

[eddie-knight]

@TheFoxAtWork do you think we've managed this in the latest progress?

[TheFoxAtWork]

Yes i believe we have and this can be closed. It may be worthwhile to add this to a "principles in continued development of the baselines". This would allows us to establish update guidance and capture fundamental points that allowed us to craft the baselines into what they've become. Similar to how we have guidance for updating whitepapers in CNCF, declaring the intent, reasoning, and elements not in scope with why.

[trumant]

@funnelfiasco - looks like this can be closed based on the last update from @TheFoxAtWork