Know, Prevent, Fix: A framework for vulnerabilities in open source
opensource.googleblog.com

There are some mundane, and totally fine goals in here.
But midway through, there are some really broad and overreaching concepts.
When the goal is "No Unilateral Changes to Critical Software", this implies that there is "one" way to run an open source community. I'm not saying it's a bad idea, it's just that it's weird for Google to "mandate" it just because a project is popular and therefore critical.
And then there is the big one, "Authentication for Participants in Critical Software" -- i.e., you can't be anonymous to contribute to an open source project.