OSSF TAC requirements for projects require some number of maintainers from multiple affiliations depending on lifecycle stage, e.g. at least 2 maintainers with different affiliations for sandbox. Right now a lot of this information is duplicated across multiple documents, e.g. OWNERS, MAINTAINERS and other files. Security insights can help here if it becomes the canonical file for that information or contains a pointer to where that information lives.
Hi @mlieberman85 and thanks for this issue! I think this can be a good improvement for SECURITY-INSIGHTS schema 1.1. At the moment, SECURITY INSIGHTS consumers can only add maintainers or owners directly in the specification, but sometimes projects already have this information in other files (e.g. CODEOWNERS for GitHub repos, which is a standard source of trust for GitHub projects because it is often integrated into the CI/CD, or the Project Leads in every Eclipse project page). We could also support URLs for this value in the next release, so if there is already a trusted source for maintainers the organization can reuse it. This should have two good effects:
It could help organizations to not duplicate files, but just link to the correct one.
It could help to enforce SECURITY INSIGHTS as the trusted source for this kind of info.