|Taking Open Source Criticality Seriously|
|Written by Sue Gee|
|Wednesday, 16 December 2020|
Google, as part of the Open Source Security Foundation, has released a new open source project that measures the criticality of open source projects. This is the first step in an undertaking to ensure that projects that are heavily relied on get the resources they need.
This initiative was recently announced on the Google Open Source blog by Abhishek Arya, Kim Lewandowski, Dan Lorenc and Julia Ferraioli, some of whom are members of the Securing Critical Projects working group, the maintainers of the Criticality Score project, and its current contributors.
The motivation for the project, which is illustrated by this iconic xkcd cartoon, is that while nowadays organizations overwhelmingly rely on open source projects, many of the projects struggle for the time, resources and attention required to maintain them.
As stated both in the blog and in the README of the Securing Critical Projects repo on GitHub, this is a resource allocation problem and the need is to connect critical projects with the organizations that can provide them with support.
The Criticality Score project, in beta on GitHub, has three goals:
The score itself defines the influence and importance of a project and is a number between 0 (least critical) and 1 (most critical). The algorithm, devised by Rob Pike, is:
The parameters it uses include the number of project contributors who make commits, with a weight of 2, and commit frequency and comment frequency, each with a weight of 1. The time since the project was created, in months (with a threshold of 10 years), also has a weight of 1, while the time since the project was last updated, again in months and with the same threshold, is weighted -1. See the project's README.md for the complete list and for the code to run it.
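As an added worked example, not code from the article or from the Criticality Score project itself, here is the weighted-mean formula the project's README publishes (each signal S contributes log(1 + S) / log(1 + max(S, T)) for its threshold T, and the sum is normalised by the total of the weights) applied with the weights the article quotes. The thresholds for contributor count, commit frequency and comment frequency, the repository names and every statistic below are assumed or constructed values, not measurements of real repositories.

```python
import math

# Weights quoted in the article for five of the signals. The 10-year (120-month)
# threshold for created_since/updated_since is also from the article; the other
# three thresholds are assumed values chosen for this illustration, not taken
# from the project's README.
PARAMS = {
    "created_since":     {"weight": 1.0,  "threshold": 120},   # months since creation
    "updated_since":     {"weight": -1.0, "threshold": 120},   # months since last update
    "contributor_count": {"weight": 2.0,  "threshold": 5000},  # assumed threshold
    "commit_frequency":  {"weight": 1.0,  "threshold": 1000},  # assumed threshold
    "comment_frequency": {"weight": 1.0,  "threshold": 15},    # assumed threshold
}


def signal_term(value, threshold):
    """log(1 + S) / log(1 + max(S, T)): grows with S and saturates at 1.0
    once S reaches the threshold T, so no single signal can dominate."""
    if value < 0:
        raise ValueError("signals are counts or durations and cannot be negative")
    return math.log(1 + value) / math.log(1 + max(value, threshold))


def criticality_score(stats, params=PARAMS):
    """Weighted mean of the per-signal terms, normalised by the sum of the
    weights (the -1 weight of updated_since is included in that sum)."""
    total_weight = sum(p["weight"] for p in params.values())
    weighted = sum(p["weight"] * signal_term(stats[name], p["threshold"])
                   for name, p in params.items())
    return round(weighted / total_weight, 5)


def rank_projects(projects, params=PARAMS):
    """Return [(name, score), ...] sorted from most to least critical."""
    scored = [(name, criticality_score(stats, params)) for name, stats in projects.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample statistics for hypothetical repositories (not real data).
SAMPLE_PROJECTS = {
    "example-org/hub":   {"created_since": 96,  "updated_since": 6,
                          "contributor_count": 800, "commit_frequency": 400,
                          "comment_frequency": 10},
    "example-org/lib":   {"created_since": 48,  "updated_since": 2,
                          "contributor_count": 40, "commit_frequency": 20,
                          "comment_frequency": 3},
    "example-org/stale": {"created_since": 120, "updated_since": 36,
                          "contributor_count": 300, "commit_frequency": 0,
                          "comment_frequency": 0},
}

if __name__ == "__main__":
    for name, score in rank_projects(SAMPLE_PROJECTS):
        print(f"{score:.5f}  {name}")
```

The logarithmic term is what keeps a single huge signal (say, a project with tens of thousands of contributors) from swamping the others: past the threshold every project scores the same 1.0 on that signal. One caveat of this reduced five-signal set: because the -1 weight of updated_since is part of the normalising sum, a project that saturates every positive signal and was updated this month can come out slightly above 1; the full parameter list in the README is larger, and the scores the article quotes stay within the 0 to 1 range.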
All that is required to produce a project's Criticality Score is the name of its repo.
Criticality Scores have already been calculated and there are thirty-two projects with scores higher than 0.85:
Kubernetes comes top, closely followed by Tensorflow and Git. In 4th place we have DefinitelyTyped, then in 5th and 6th there are two versions of Linux, with Raspberry Pi's version slightly ahead of the original Linux kernel.
As this is an open source project, it can be forked to add parameters or change their weightings. What matters is that once we know which projects are the most critical, steps can be taken by the Open Source Security Foundation to assure their future.
|Last Updated ( Friday, 26 February 2021 )|