"Due Diligence" in CRA one-pager

I am concerned by item 8 in the [CRA Stewards One-Pager](https://policy.openssf.org/CRA/stewards-one-pager.html):

> Perform due diligence on software components used by the project before publication. Consider the [Concise Guide for Evaluating Open Source Software](https://best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software.html) and the [Open Source Project Security Baseline](https://baseline.openssf.org/versions/2025-02-25).

Where does the requirement to perform due diligence come from? I can't find anything in Article 24 of the CRA which suggests this is a requirement.

Performing due diligence is good, and should be encouraged, but I don't think this checklist is the right place for it unless it is a direct requirement of the CRA.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

"Due Diligence" in CRA one-pager #92

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

"Due Diligence" in CRA one-pager #92

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions