From 7b60b7ce77dec57f0c46bd06382e6fe9467dae63 Mon Sep 17 00:00:00 2001
From: Zach Steindler <steiza@github.com>
Date: Thu, 8 Feb 2024 11:05:27 -0500
Subject: [PATCH 1/2] Start v0.2 of Principles for Package Repository Security

Signed-off-by: Zach Steindler <steiza@github.com>
---
 docs/principles-for-package-repository-security.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/principles-for-package-repository-security.md b/docs/principles-for-package-repository-security.md
index 5f1f650..b7567a8 100644
--- a/docs/principles-for-package-repository-security.md
+++ b/docs/principles-for-package-repository-security.md
@@ -13,6 +13,8 @@ We include the below taxonomy because not all security advice applies to all pac
 
 The roadmap of security capabilities can then be used by package repositories to assess gaps, put together fundable improvement lists ([like Python Packaging WG](https://github.com/psf/fundable-packaging-improvements/blob/master/FUNDABLES.md)), or write specific grant proposals that reference this guidance.
 
+This is v0.2 of this document.
+
 ## Taxonomy of Package Repositories
 
 Security capabilities will differ based on the services that the package repository offers. For instance, if the package repository has user accounts, it will need to enforce authentication securely. In this section, we lay out the various relevant aspects of package repositories.

From 5388a2c89dd8cf52f2fac261c82d9c376af9505f Mon Sep 17 00:00:00 2001
From: Zach Steindler <steiza@github.com>
Date: Sun, 14 Apr 2024 08:00:59 -0400
Subject: [PATCH 2/2] Add framing section to help contributors understand scope

Signed-off-by: Zach Steindler <steiza@github.com>
---
 docs/principles-for-package-repository-security.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/docs/principles-for-package-repository-security.md b/docs/principles-for-package-repository-security.md
index b7567a8..0783f56 100644
--- a/docs/principles-for-package-repository-security.md
+++ b/docs/principles-for-package-repository-security.md
@@ -15,6 +15,16 @@ The roadmap of security capabilities can then be used by package repositories to
 
 This is v0.2 of this document.
 
+### Framing
+
+For a security capability to be listed, it should:
+
+- Be successfully deployed in at least one ecosystem. We encourage individual package repositories to explore ideas, but we want to see results from production before recommending it broadly.
+
+- Not be something already widely deployed (like "use HTTPS"). This document is to help package repositories assess gaps and plan roadmaps, and as such is forward-looking.
+
+- Be a security capability and not a prescribed implementation. Specifics of implementations can change quickly, but the capability they enable is much longer-lived.
+
 ## Taxonomy of Package Repositories
 
 Security capabilities will differ based on the services that the package repository offers. For instance, if the package repository has user accounts, it will need to enforce authentication securely. In this section, we lay out the various relevant aspects of package repositories.