OpenSSF Scorecard for bagit repo?

[peterk]

Thank you for developing bagit! Would it be possible to help users determine the security of the bagit repo by looking into some of the practices in the openssf scorecard recommendations?

[acdha]

I guess my first question would be what benefit users would have for this. Nobody has asked for it and it's unclear to me that a project with no dependencies outside of the Python standard library would be a high priority for supply-chain monitoring.

[peterk]

Bagit is included in other build chains. Knowing that bagit follows some of the OpenSSF practices would make it easier to trust the project. I understand if it feels cumbersome to implement all of the practices but it would help me and others mitigate risk if some of the practices were implemented.