CRA compliance: lifecycle management

[mrybczyn]

The CRA requires a complete security lifecycle of a project. The specification concentrates on the period when the product is already present. Possible additions:

• state that this process applies on the whole lifecycle (monitoring for vulnerabilities at the development time, accepting reports for alpha/beta/rc)
• describe how we handle EOLs

[dirkx]

And 3) how we announce/advertise EOLs (as currently the CVE system is not used for marking a package as `dead').

[rjb4standards]

Our SCRM risk assessment process tracks two risk factors, Commercial Status and Support Status when determining a trust score.
Commercial Status is used to indicate Retired, EOL, status.
Support Status is used to indicate level of support provided, i.e. community in the case of some open source projects.

This XML schema contains the enumerated vales for both Commercial and Support Status: