Change SA opt-in to differentiate between "not opted in (yet)" vs "opted out"

Created on 5 October 2023, over 1 year ago
Updated 21 November 2023, over 1 year ago

Problem/Motivation

If a contrib project has not opted into SA coverage the following message is displayed on the project's page:

Use at your own risk! It may have publicly disclosed vulnerabilities.

This statement is misleading for most projects without coverage, because the current field does not distinguish "has not opted in yet" (a project that may simply never have applied) from "opted out" (a project that was deliberately excluded from the policy). A reader sees the same warning in both cases.

Proposed resolution

Add another option to the SA opt-in field on project pages that indicates the project was specifically opted out of the policy.
Update the message shown on project pages to distinguish between "has not opted in yet" and "opted out".
Update projects that are known to have opted out to the new status, to provide an appropriate status on the project page.

Remaining tasks

Agree on the changes.
Implement them.

User interface changes

Add another option to the SA opt-in field on project pages that indicates the project was specifically opted out of the policy.
A different message would be shown on a project page if it has not opted into SA coverage yet.
A separate message would be shown on a project page if it has been explicitly opted out of coverage.

API changes

n/a

Data model changes

n/a

✨ Feature request
Status

Active

Version

1.0

Component

User interface

Created by

🇺🇸 United States damienmckenna NH, USA


Comments & Activities

  • Issue created by @damienmckenna
  • 🇺🇸 United States cmlara

    If we make changes here I would also like to encourage that we begin supporting those projects that have their own security team infrastructure separate from the DST.

    Examples are those modules where D.O. is just a mirror, or where a project has opted out of DST coverage because the DST would not honor the maintainer's request that one of their releases be considered a security vulnerability.
