I know this has been discussed before, but not regarding security insurance. Following this discussion I have a proposition:
How about a GitHub organization that all theme repositories that want to be listed on the theme overview have to join, with fixed “harsh” rules like the following:
- activity within a certain timeframe (some months)
- issues are answered and solved within a certain timeframe (some weeks)
- security monitoring is enabled for all repositories
- automatic security fixes (if possible) are enabled for all repositories
- security fixes are quickly applied (some days)
- QA users/moderators receive access to the repos, owner stays the original owner/team
- depending on availability, tools like Codacy can run on these repos whenever something is committed or pulled.
It is possible to synchronize the repository with an original repository (as secondary origin) or move the original repository into the organization. So the whole “I don’t want to give away my repository” argument might be obsolete with that.
There are plenty of cons, I understand. The requirement of having to answer people's enquiries about security issues or quality issues might weigh against them?