
Consider adding sqlite, libpng, zlib, libjpeg, libarchive, zstd, openssh and busybox #42

Closed
bureado opened this issue Jan 11, 2022 · 2 comments

Comments

@bureado

bureado commented Jan 11, 2022

I couldn't find any of these keywords in the "Critical Projects" sheet of the current spreadsheet; my apologies if I missed any.

  • SQLite has a longstanding claim to being the most widely deployed database and to being one of the most widely deployed components of any kind (they helpfully list libpng, zlib and libjpeg)
  • zstd and libarchive (which includes bsdtar, I believe) due to their centrality when it comes to the underlying archive manipulation of package managers and transports
  • I also couldn't find OpenSSH and would suggest that it is, not least by virtue of ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen git/git#1041
  • busybox is a commonly found component not only in embedded but also in container images that can easily be overlooked

My rationale for suggesting this includes popularity and footprint across different scenarios (from embedded and mobile to legacy applications) as well as the centrality of these components in performing actions critical to trust.

@emaste

emaste commented Feb 11, 2022

These all seem to me to be "obvious" candidates for inclusion. libarchive should also be a candidate based on previous vulnerabilities/exploits, see e.g. https://www.cvedetails.com/product/26168/Libarchive-Libarchive.html?vendor_id=12872, https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/01/update-now-microsoft-patches-97-bugs-including-6-zero-days-and-a-wormable-one/, etc.

@Amir-Montazery
Contributor

These projects have been added to the candidates set for consideration. Voting, discussion, and feedback are open until 3/23/2023 for more suggestions. Thank you!
link: https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit#gid=991730401
