Last year I worked with DOAP maintainers on some new security-related fields. My plan was to get ASF projects to publish useful metadata around where to get security policies, contacts, and lists of errata in their DOAP files. I think this is useful for vendors who use Apache projects in their products, for projects being used as dependencies by others, as well as for the whole security industry, which has its own incomplete databases. It also means we could make pages like https://apache.org/security/projects.html automated.
The more I looked into it, however, the more RDF seemed like something no one else really cares about anymore. And while adding a "security contact" to the DOAP files of projects that have a dedicated address is easy, we'd also have to get every other project's DOAP file updated with the default. Outside of Apache some folks are recommending the use of security.txt (mostly website reporting) or security.md files (GitHub mostly), but neither is what I'm looking for, and this is an area where we can lead by example. So before investing too much more time into this, I wanted to find out if there's been any real attempt, plan, or investigation to replace the DOAP files within the ASF with something else. I see the scripts get fixed from time to time when they break, new projects are still encouraged to make them, and the PR folks have liked the ability to create lists of projects that specify certain keywords, but I've not found any discussion about them in general. Any pointers appreciated, or contact with people also interested in project metadata!

Regards,
Mark
ASF Security