Census II Lists Critical Application Libraries
Written by Sue Gee
Thursday, 03 March 2022
The Linux Foundation has announced the publication of "Census II of Free and Open Source Software - Application Libraries", which identifies more than one thousand of the most widely deployed open source application libraries found in scans of commercial and enterprise applications. The rationale is that this information can be used to decide which open source packages, components and projects warrant proactive operations and security support.

The original Census Project ("Census I") was conducted in 2015 to identify which software packages in the Debian Linux distribution were the most critical to a Linux server's operation and security. According to the Linux Foundation:

The goal of the current study (Census II) is to pick up where Census I left off and to identify and measure which open source software is most widely deployed within applications developed by private and public organizations.

Brian Behlendorf, executive director of Open Source Software Foundation (OpenSSF), a partner in the Census II project, explained:

"Understanding what FOSS packages are the most widely used in society allows us to proactively engage the critical projects that warrant operations and security support. Census II provides the foundational detail we need to support the world's most critical and valuable infrastructure."

Census II was initiated in 2018 when the Linux Foundation partnered with the Laboratory for Innovation Science at Harvard University (LISH), with the goal of identifying and measuring which open source software is most widely deployed within applications by private and public organizations. To obtain as full a picture of FOSS usage as possible, it analyzed usage data based on scans of software codebases at thousands of companies, with the intention of discovering which FOSS packages private companies depend on most heavily.

By way of results, Census II includes eight lists of the 500 most used FOSS packages. These are different slices of the same data: versioned versus version-agnostic package names, packages from the npm package manager versus other package managers, and direct package calls only versus direct and indirect (transitive) package calls.
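To show how the same scan data yields different rankings under those slices, here is an added example (not code from the report or the Census II project) that counts per-application usage over a constructed set of dependency manifests; the applications, packages and versions are made up for illustration.

```python
from collections import Counter

# Constructed sample data (not Census II data): each application's resolved
# dependencies as a scanner would report them, as tuples of
# (package manager, package name, version, is_direct_dependency).
APPLICATIONS = {
    "app-a": [("npm", "lodash", "4.17.21", True),
              ("npm", "minimist", "1.2.5", False),
              ("maven", "guava", "31.0", True)],
    "app-b": [("npm", "lodash", "4.17.20", True),
              ("npm", "minimist", "1.2.6", False)],
    "app-c": [("npm", "minimist", "1.2.6", True),
              ("maven", "guava", "31.0", False)],
}


def rank_usage(apps, versioned, npm_only, include_indirect):
    """Rank packages by the number of applications that use them under one
    Census II-style slice: versioned or version-agnostic names, npm-only or
    all package managers, direct calls only or direct plus indirect calls.
    A package is counted at most once per application, so the ranking
    reflects breadth of deployment rather than how often a scan saw it."""
    counts = Counter()
    for deps in apps.values():
        seen = set()
        for manager, name, version, direct in deps:
            if npm_only and manager != "npm":
                continue
            if not include_indirect and not direct:
                continue
            key = (manager, name, version) if versioned else (manager, name)
            seen.add(key)
        counts.update(seen)
    return counts.most_common()


if __name__ == "__main__":
    # Direct-only ranking puts lodash first; counting transitive calls as well
    # reveals minimist as the more widely deployed package.
    print(rank_usage(APPLICATIONS, versioned=False, npm_only=True, include_indirect=False))
    print(rank_usage(APPLICATIONS, versioned=False, npm_only=True, include_indirect=True))
    # Versioned ranking splits lodash across two versions.
    print(rank_usage(APPLICATIONS, versioned=True, npm_only=True, include_indirect=True))
```

The direct-only slice ranks lodash first, while the direct-plus-indirect slice shows minimist in every application, which is the kind of transitive dependency a direct-only view underweights when deciding where to put security effort.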
For example, the top 10 version-agnostic packages available on the npm package manager that were called directly ranked by usage are:
In its conclusion the report states:
Far from being the final word on critical FOSS projects, this census effort represents the beginning of a larger dialogue on how to identify vital packages and ensure they receive adequate resources and support.
The study also identified five high-level findings important to the future health and security of FOSS:
Given the distributed nature of FOSS, only through data sharing, coordination, and investment will the value of this critical component of the digital economy be preserved for generations to come.
More Information: Census II of Free and Open Source Software - Application Libraries (pdf)