
Two fields named `security-policy`

Open funnelfiasco opened this issue 1 year ago • 2 comments

I happened to notice that the specification has two fields named `security-policy`: `vulnerability.security-policy` and `documentation.security-policy`. The template uses different example entries for each, so it's not clear if this is intended to be the same thing or not.

Since there's namespacing, it's not the worst thing to happen, but it can cause confusion when being glanced at by a human.

I spoke privately to @eddie-knight and he said the vulnerability entry should just be `policy`.

funnelfiasco avatar Apr 07 '25 19:04 funnelfiasco
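A check of the kind this report implies, added here as an example; it is not code from security-insights-spec or si-tooling. It walks a nested template, reports every leaf name that appears under more than one parent (the `security-policy` collision above), and renames one of the colliding leaves the way the report suggests. The template below is a constructed, simplified sketch with assumed example values, not the real spec.

```python
"""Flag leaf field names that recur under different parents in a nested template.

Added example, not part of security-insights-spec or si-tooling.  The
template below is constructed to carry the collision described in the
issue; its values are assumptions, and the real spec has many more fields.
"""
from collections import defaultdict

# Constructed sample: two `security-policy` leaves under different parents.
SAMPLE_TEMPLATE = {
    "header": {"schema-version": "2.0.0"},                        # assumed
    "documentation": {
        "security-policy": "https://example.com/SECURITY.md",      # assumed
    },
    "vulnerability": {
        "security-policy": "https://example.com/SECURITY.md",      # assumed
        "reporting": {"contact": "security@example.com"},          # assumed
    },
}


def leaf_paths(node, prefix=()):
    """Yield (dotted_path, leaf_name) for every non-dict value in the tree."""
    for key, value in node.items():
        path = prefix + (key,)
        if isinstance(value, dict):
            yield from leaf_paths(value, path)
        else:
            yield ".".join(path), key


def find_repeated_leaf_names(tree):
    """Return {leaf_name: [dotted paths]} for names used under more than one parent.

    Namespacing keeps the keys distinct for a parser, but a human glancing at
    the file sees the same name twice, which is the confusion reported above.
    """
    seen = defaultdict(list)
    for path, name in leaf_paths(tree):
        seen[name].append(path)
    return {name: paths for name, paths in seen.items() if len(paths) > 1}


def rename_leaf(tree, dotted_path, new_name):
    """Return a copy of tree with the leaf at dotted_path renamed to new_name.

    Key order is preserved (the renamed key stays in place) so a diff of the
    template shows only the rename.  Raises KeyError if the path is absent.
    """
    parts = dotted_path.split(".")
    if parts[0] not in tree:
        raise KeyError(dotted_path)
    if len(parts) == 1:
        return {(new_name if k == parts[0] else k): v for k, v in tree.items()}
    rest = ".".join(parts[1:])
    return {k: (rename_leaf(v, rest, new_name) if k == parts[0] else v)
            for k, v in tree.items()}


if __name__ == "__main__":
    for name, paths in find_repeated_leaf_names(SAMPLE_TEMPLATE).items():
        print(f"field name {name!r} appears at: {', '.join(paths)}")
    fixed = rename_leaf(SAMPLE_TEMPLATE, "vulnerability.security-policy", "policy")
    print("collisions after rename:", find_repeated_leaf_names(fixed))
```

Run it directly to see the collision listed and then cleared after the rename; the same walk can be pointed at a real template once it has been loaded with a YAML parser.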

Yes, I agree that this is an oversight.

@jmeridth I believe this should be considered a fix (not breaking / major), in spite of the fact that it will require a breaking change to the structs in si-tooling. Thoughts?

eddie-knight avatar Apr 07 '25 20:04 eddie-knight

@eddie-knight I trust your instinct. My stance is usually, if breaking, it should be major to notify downstream. If we are downstream...then we are aware.

jmeridth avatar Apr 11 '25 05:04 jmeridth