Discussion: New check: dependency good practices #2531
Comments
Note that a link for PyPI packages will become available once OIDC integration is complete (#688 (comment)). Such an integration is also under way for Dart packages.
Code pointers:
PyPI already implemented the OIDC integration. The issue #2761 is closely related to this issue, and talks specifically about recognizing the OIDC integration on Scorecard.
Stale issue message - this issue will be closed in 7 days
This issue is stale because it has been open for 60 days with no activity.
The Go team mentioned that they would be interested in Scorecard surfacing information about dependencies (https://pkg.go.dev/about#best-practices): tagged version, stable version, etc.
Since we typically have a hard time linking a source repo to a package, this is something which is hard for Scorecard in general. Another difficulty is that Scorecard looks at a commit, and not all commits correspond to a package / tag.
In cases where we have a strong link between the repo and the package - doable in Go for many packages - we could maybe surface how many of the past N releases were stable. This would be useful for consumers to know.
Note that all this could be added to the Packaging check, instead of creating a new one.
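The "how many of the past N releases were stable" signal proposed above, worked through as an added example. This is not Scorecard's own code and not part of the issue: it assumes the check already has the repository's tag names as a list of strings, classifies each tag the way pkg.go.dev's best-practices page describes (a stable version is v1.0.0 or later with no pre-release suffix; v0.x and tags like v1.2.0-rc.1 are not stable), and orders releases with a simplified semver precedence written against the standard library instead of golang.org/x/mod/semver. The tag list in main is constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
)

// Release is one parsed version tag of a module.
type Release struct {
	Tag                 string
	Major, Minor, Patch int
	Prerelease          string // text after '-', empty for a final release
}

// semverTag matches the tag forms Go modules use: vMAJOR.MINOR.PATCH with an
// optional pre-release suffix and an optional build-metadata suffix.
var semverTag = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$`)

// ParseTag parses a tag name; ok is false for anything that is not a semver tag.
func ParseTag(tag string) (r Release, ok bool) {
	m := semverTag.FindStringSubmatch(tag)
	if m == nil {
		return Release{}, false
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	return Release{Tag: tag, Major: major, Minor: minor, Patch: patch, Prerelease: m[4]}, true
}

// Stable reports whether a release is stable in the pkg.go.dev sense: v1.0.0 or
// later and not a pre-release. v0.x tags signal an unstable API and tags such
// as v1.2.0-rc.1 are pre-releases, so neither counts.
func (r Release) Stable() bool {
	return r.Major >= 1 && r.Prerelease == ""
}

// less orders two releases by precedence: numeric fields first, and for equal
// numbers a pre-release sorts before the final release. Two pre-releases of the
// same version are compared as plain strings (a simplification of full semver,
// which compares dot-separated identifiers one by one).
func less(a, b Release) bool {
	if a.Major != b.Major {
		return a.Major < b.Major
	}
	if a.Minor != b.Minor {
		return a.Minor < b.Minor
	}
	if a.Patch != b.Patch {
		return a.Patch < b.Patch
	}
	if (a.Prerelease == "") != (b.Prerelease == "") {
		return a.Prerelease != ""
	}
	return a.Prerelease < b.Prerelease
}

// LatestReleases returns up to n releases, newest first, skipping tags that are
// not semver (for example "latest" or a date-based tag).
func LatestReleases(tags []string, n int) []Release {
	var rs []Release
	for _, t := range tags {
		if r, ok := ParseTag(t); ok {
			rs = append(rs, r)
		}
	}
	sort.Slice(rs, func(i, j int) bool { return less(rs[j], rs[i]) })
	if len(rs) > n {
		rs = rs[:n]
	}
	return rs
}

// StableAmongLatest counts how many of the newest n releases are stable and
// returns that count alongside the number of releases actually considered,
// which is smaller than n when the repository has fewer semver tags.
func StableAmongLatest(tags []string, n int) (stable, considered int) {
	rs := LatestReleases(tags, n)
	for _, r := range rs {
		if r.Stable() {
			stable++
		}
	}
	return stable, len(rs)
}

func main() {
	// Constructed sample tag list, not taken from any real repository.
	tags := []string{"v0.9.0", "v1.0.0-rc.1", "v1.0.0", "latest", "v1.1.0", "v1.2.0-beta.1", "v1.2.0", "v1.3.0-rc.2"}
	stable, considered := StableAmongLatest(tags, 5)
	fmt.Printf("%d of the last %d releases are stable\n", stable, considered)
	for _, r := range LatestReleases(tags, 5) {
		fmt.Printf("  %-14s stable=%v\n", r.Tag, r.Stable())
	}
}
```

Reporting the considered count next to the stable count matters for the scoring side: a repository with two semver tags in total is a different situation from one where three of the last five releases were pre-releases, and collapsing both into a ratio would hide that.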