Finding Critical Open Source Projects
The criticality of an open source project is difficult to define: what is a critical dependency for one consumer of open source software may be entirely absent for another. However, arriving at a shared understanding and framework allows us to have productive conversations about our dependencies. Simply put, we define criticality to be the influence and importance of a project.
In order for the OpenSSF to fund these critical open source projects, they first need to be identified. For this purpose, we are releasing a new project, "Criticality Score", under the OpenSSF. The criticality score expresses a project's criticality as a number between 0 and 1 and is derived from various project usage metrics in a fully automated way. Our initial evaluation metrics include a project's age, the number of individual contributors and organizations involved, user involvement (in terms of new issue requests and updates), and a rough estimate of its dependencies based on commit mentions. We also provide a way to add your own metric(s); for example, you can add internal project usage data to re-adjust a project's criticality score for individualized prioritization needs.
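As an added illustration (not code from the Criticality Score project itself), the following Python sketch shows one way to combine the kinds of signals the post lists into a score bounded between 0 and 1: each signal is log-scaled and saturates at a threshold, and the scaled signals are combined as a weighted mean. The signal names, weights and thresholds are assumed values chosen for the example, and the `internal_usage` metric shows how a consumer could plug in their own metric.

```python
import math

# Signals in the spirit of those named in the post, as (weight, threshold)
# pairs. Weights and thresholds are assumed values for illustration only,
# not the project's own parameters.
DEFAULT_PARAMS = {
    "created_since_months": (1.0, 120),      # project age
    "contributor_count": (2.0, 5000),        # individual contributors
    "org_count": (1.0, 10),                  # organizations involved
    "recent_issue_count": (0.5, 5000),       # new issue requests
    "updated_issue_count": (0.5, 5000),      # issue updates
    "dependents_count": (2.0, 500000),       # dependency estimate (commit mentions)
}


def scaled(value, threshold):
    """Map a raw signal into [0, 1]: log-scaled, saturating at `threshold`."""
    if threshold <= 0:
        raise ValueError("threshold must be positive")
    value = max(value, 0)
    return math.log(1 + value) / math.log(1 + max(value, threshold))


def criticality_score(signals, params=DEFAULT_PARAMS):
    """Weighted mean of scaled signals; a missing signal contributes 0.

    Because every scaled signal lies in [0, 1] and the weights are
    normalized, the result is always between 0 and 1.
    """
    total_weight = sum(w for w, _ in params.values())
    weighted = sum(
        w * scaled(signals.get(name, 0), t) for name, (w, t) in params.items()
    )
    return round(weighted / total_weight, 5)


def with_custom_metric(params, name, weight, threshold):
    """Return a copy of `params` extended with a consumer-supplied metric."""
    extended = dict(params)
    extended[name] = (weight, threshold)
    return extended


if __name__ == "__main__":
    # Constructed sample: a mid-sized project plus internal usage data.
    project = {"contributor_count": 5000, "org_count": 3, "internal_usage": 100}
    params = with_custom_metric(DEFAULT_PARAMS, "internal_usage", 3.0, 100)
    print(criticality_score(project), criticality_score(project, params))
```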
Identifying these critical projects is only the first step in making security improvements. OpenSSF is also exploring ways to provide maintainers of these projects with the resources they need. If you’re a maintainer of a critical software package and are interested in getting help, funding, or infrastructure to run your project, reach out to the OpenSSF’s Securing Critical Projects working group here.
By Abhishek Arya, Kim Lewandowski, Dan Lorenc and Julia Ferraioli – Google Open Source