Google, as part of Open Source Security Foundation, has released a new, open source, project that measures the criticality of open source projects. This is the first step on an undertaking to ensure that projects that are heavily relied on get the resources they need.

This initiative was recently announced on the Google Open Source blog by Abhishek Arya, Kim Lewandowski, Dan Lorenc and Julia Ferraioli, some of whom are members of the Securing Critical Projects working group, the maintainers of the Criticality Score projects, and include current contributors.

The motivation for the project, which is illustrated by this iconic xkcd cartoon, is that while nowadays organizations overwhelmingly rely on open source projects, many of the projects struggle for the time, resources and attention required to maintain them.

 More cartoon fun at a webcomic of romance,sarcasm, math, and language

As stated both in the blog and in the README of the Securing Critical Projects repo on Github, this is a resource allocation problem and the need is to connect critical projects with the organizations that can provide them with support.

The Criticality Score project, in beta on GitHub, has three goals:

1. Generate a criticality score for every open source project.

2. Create a list of critical projects that the open source community depends on.

3. Use this data to proactively improve the security posture of these critical projects.

The score itself define the influence and importance of a project and is a number between 0 (least-critical) and 1 most critical. The algorithm, devised by Rob Pike, is:

The parameters it uses include Number of project contributors who make commits - with a weight of 2 and commit frequency/comment frequency - weights of 1. The length of time the project was created in months (with a threshold of 10 years) also has a weight of 1 while time since the project was last updated, again in months and with the same threshold is weighted -1. See the projects README.md for the complete list and for the code to run it.

All that is required to produce a project's Criticalilty Score is the name of its repo.

Criticalility Scores have already been calculated and there are thirty-two projects with scores higher than 0.85:

Kubernetes comes top, closely followed by Tensorflow and Git. In 4th place we have DefinitelyTyped, then 5th and 6th there are two versions of Linux, with Raspberry Pi's version slightly ahead of the original Linux kernel.

As this is an open source project, it can be forked to add parameters of change their weightings. What matters is that we know which projects are the most critical, steps can be taken by the Open Source Security Foundation to assure their future.

More Information

Finding Critical Open Source Projects

Related Articles

Open Source Contributors - Payment and Other Motivation

The State Of Secure Software Development - Three OpenSSF Courses

Open Source Is Not Growing Anymore

Promoting Open Source Software

What Attracts Devs To Open Source

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info