Add SecureChain for Open Source documentation section #536
Adds a new top-level docs section for SecureChain: landing page, JavaScript/Lodash setup guide, repository management page, ecosystem grid component, sidebar entry, and home card. JavaScript ships first; other ecosystems are scaffolded but commented out. https://claude.ai/code/session_01EV89C7mnQRZJAa2D9SDbFH
aknol-tuxcare
left a comment
Reviewed in full. Overall the structure is right and the per-product Lodash page is in good shape. Two themes I'd push back on before this ships publicly:
- Marketing overclaims that don't match what SecureChain actually delivers. "malware-free" appears in two prominent places (component H2 and the home-page card). We deliver verified, signed, rebuilt artifacts — we don't make a guarantee of malware absence, and that wording will create legal/support exposure. Tighten to "verified, signed" / "verified, signed, rebuilt" to match the per-product intro line on the Lodash page (which I think is the right phrasing).
- Ecosystem list runs ahead of commitments. The home-page card and the component preview both list six ecosystems including Rust. Today only JavaScript ships, Python is on hold, Java is in pipeline, and there is no Rust commitment. Listing Rust in customer-facing copy creates an expectation we can't keep. Trim to JS at launch and a clear roadmap (Python/Java/Go/PHP) that we can actually defend.
A few smaller items in line comments — terminology fix on SBOM/VEX (VEX isn't an SBOM format), CVSS v3.1 vs v4.0, the SLA placeholder, npm _auth vs _authToken, the npm cache clean --force recommendation in the upgrade guide, and one Vue antipattern in the new component.
Also replying to Sofia's earlier question ("are coverage and support policy standard same as ELS?") — the README does copy ELS-for-Libraries verbatim for incident response, support duration, and technical support. That's fine if it's intentional, but I'd state it explicitly in the README rather than have customers diff two pages.
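The review above flags "npm _auth vs _authToken" in the repository management page. As an added example (not from this PR or the SecureChain docs), the script below writes a minimal .npmrc that pins one scope to a private registry and authenticates with a per-registry `_authToken`, then lints an .npmrc for legacy `_auth` entries, which carry base64-encoded user:password rather than a bearer token. The registry URL, the `@securechain` scope and the token value are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not part of the PR or the SecureChain documentation.
# REGISTRY_URL and the @securechain scope are hypothetical placeholders.
REGISTRY_URL="https://nexus.example.invalid/repository/npm-securechain/"

# write_npmrc FILE TOKEN: emit a scoped registry line plus a bearer token keyed
# to that registry's host/path, the form npm reads as a per-registry _authToken.
write_npmrc() {
  file="$1"
  token="$2"
  host_path="${REGISTRY_URL#https://}"   # strip scheme for the //host/path/: key
  {
    printf '@securechain:registry=%s\n' "$REGISTRY_URL"
    printf '//%s:_authToken=%s\n' "$host_path" "$token"
  } > "$file"
}

# count_legacy_auth FILE: print how many lines use _auth= (basic auth, base64
# user:password) instead of _authToken=. 0 means the file is clean.
count_legacy_auth() {
  grep -c -E '(^|:)_auth=' "$1" || true
}

# Usage: write_npmrc "$HOME/.npmrc" "$NPM_TOKEN"; count_legacy_auth "$HOME/.npmrc"
```

The lint pattern matches `_auth=` at line start or after the `//host/path/:` prefix, so a correct `_authToken=` line is not flagged.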
- Drop "malware-free" from component hero and home card; not a claim we make
- Drop Rust from ecosystem stub (not on the roadmap) and rephrase card copy to reflect JavaScript at launch with the rest on the roadmap
- Drop CVSS version pin so the page tracks v3.1/v4.0 as adopted
- Remove "being finalized" SLA warning to avoid shipping it publicly
- Correct SBOM bullet: SPDX/CycloneDX for SBOMs, CycloneDX VEX as a separate accompanying document with exploitability status
https://claude.ai/code/session_01EV89C7mnQRZJAa2D9SDbFH
- Replace SecureChainTechnology with SecureChainEcosystemSelector (mirrors ELSOSSelector grid style)
- Drop lodash- and managing-securechain-specific pages in favor of a generic JavaScript page that covers connecting to Nexus and installing a package; defers specific package list to Nexus
Adds a new top-level docs section for SecureChain: landing page, JavaScript/Lodash setup guide (a placeholder example), repository management page, ecosystem grid component, sidebar entry, and home card.