Taking Open Source Criticality Seriously
Written by Sue Gee   
Wednesday, 16 December 2020

Google, as part of Open Source Security Foundation, has released a new, open source, project that measures the criticality of open source projects. This is the first step on an undertaking to ensure that projects that are heavily relied on get the resources they need.


This initiative was recently announced on the Google Open Source blog by Abhishek Arya, Kim Lewandowski, Dan Lorenc and Julia Ferraioli, some of whom are members of the Securing Critical Projects working group, the maintainers of the Criticality Score projects, and include current contributors.

The motivation for the project, which is illustrated by this iconic xkcd cartoon, is that while nowadays organizations overwhelmingly rely on open source projects, many of the projects struggle for the time, resources and attention required to maintain them.


 More cartoon fun at a webcomic of romance,sarcasm, math, and language

As stated both in the blog and in the README of the Securing Critical Projects repo on Github, this is a resource allocation problem and the need is to connect critical projects with the organizations that can provide them with support.

The Criticality Score project, in beta on GitHub, has three goals:

  1. Generate a criticality score for every open source project.

  2. Create a list of critical projects that the open source community depends on.

  3. Use this data to proactively improve the security posture of these critical projects.

The score itself define the influence and importance of a project and is a number between 0 (least-critical) and 1 most critical. The algorithm, devised by Rob Pike, is: criticality algorithm

The parameters it uses include Number of project contributors who make commits - with a weight of 2 and commit frequency/comment frequency - weights of 1. The length of time the project was created in months (with a threshold of 10 years) also has a weight of 1 while time since the project was last updated, again in months and with the same threshold is weighted -1. See the projects README.md for the complete list and for the code to run it.

All that is required to produce a project's Criticalilty Score is the name of its repo.

Criticalility Scores have already been calculated and there are thirty-two projects with scores higher than 0.85:

Project Language Score
kubernetes Go 0.98612
tensorflow C++ 0.96908
git C 0.94481
DefinitelyTyped JavaScript 0.93610
raspberrypi/linux C 0.93586
torvalds/linux C 0.92262
php-src C 0.91919
ceph C++ 0.91843
react-native JavaScript 0.90628
pytorch C++ 0.89936
elasticsearch Java 0.88230
ant-design JavaScript 0.87916
go Go 0.87914
Home-assistant-core Python 0.87389
ansible Python 0.87153
bitcoin C++ 0.87025
bootstrap JavaScript 0.86774
gradle Java 0.86751
grafana JavaScript 0.86619
kibana JavaScript 0.86578
electron C++ 0.86350
openssl C 0.86335
pandas Python 0.86331
servo Rust 0.86201
numpy Python 0.85804
angular JavaScript 0.85609
scikit-learn Python 0.85604
cpython Python 0.85363
airflow Python 0.85267
flink Java 0.85227
cockroach Go 0.85041
buildbot Python 0.85028


Kubernetes comes top, closely followed by Tensorflow and Git. In 4th place we have DefinitelyTyped, then 5th and 6th there are two versions of Linux, with Raspberry Pi's version slightly ahead of the original Linux kernel.

As this is an open source project, it can be forked to add parameters of change their weightings. What matters is that we know which projects are the most critical, steps can be taken by the Open Source Security Foundation to assure their future.


More Information

Finding Critical Open Source Projects

Related Articles

Open Source Contributors - Payment and Other Motivation

The State Of Secure Software Development - Three OpenSSF Courses

Open Source Is Not Growing Anymore

Promoting Open Source Software

What Attracts Devs To Open Source


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.



Insights From AI Index 2024 Report

Published this week, the latest Stanford HAI AI Index report tracks worldwide trends in AI. A mix of its new research and findings from many other sources, it provides a wide ranging look at how  [ ... ]

Conference Times Ahead

Following a well-established pattern both Google's and Microsoft's Developer Conferences will take place in May while Apple follows on in June. Here are the dates plus what to expect.

More News

raspberry pi books



or email your comment to: comments@i-programmer.info


Last Updated ( Friday, 26 February 2021 )