Finding Critical Open Source Projects

137 点作者 QuantumWasp超过 4 年前

18 条评论

Buetol超过 4 年前

Top 10:- Python: salt, core (<a href="https://github.com/home-assistant/core" rel="nofollow">https://github.com/home-assistant/core</a>), pandas, scikit-learn, numpy, airflow, erpnext, matplotlib, pytest & pip- Rust: servo, cargo, rust-clippy, tokio, rust-analyzer, tock, tikv, alacritty, libc & substrate- JS: node, react-native, react, gatsby, three.js, bootstrap, material-ui, odoo, next.js & Rocket.Chat- Java: elasticsearch, flink, spring-boot, hadoop, netty, jenkins, beam, bazel, alluxio & pmd- C++: tensorflow, ceph, pytorch, bitcoin, electron, Marlin, Cataclysm-DDA, llvm-project, rocksdb & QGIS- C: git, linux, linux, php-src, openssl, systemd, curl, u-boot, qemu & mbed-os

评论 #25383467 未加载

评论 #25383504 未加载

评论 #25384716 未加载

评论 #25383452 未加载

评论 #25384981 未加载

评论 #25385710 未加载

评论 #25384071 未加载

评论 #25384221 未加载

hn_throwaway_99超过 4 年前

As others have mentioned, while this may seem like a good idea, the results are often bizarre, and it's not hard to see why - the metrics and algorithm are here: <a href="https://github.com/ossf/criticality_score#criticality-score" rel="nofollow">https://github.com/ossf/criticality_score#criticality-score</a>.That algorithm seems unnecessarily complicated and includes somewhat dubious metrics when, in my mind, the only thing that really "counts" when it comes to "criticality" are "how many other things use/depend on me", and there are much easier ways to determine this:1. For languages with a common package repo, how many other packages depend on me? With NPM, for example, it's pretty easy to figure out how many other packages depend on a given package.2. For "top level" projects, look at downloads.My guess is just looking at either (or both) of those metrics would give you better results.

评论 #25386180 未加载

评论 #25385795 未加载

评论 #25383286 未加载

评论 #25382791 未加载

评论 #25397435 未加载

sien超过 4 年前

List of the top 200 is at :<a href="https://commondatastorage.googleapis.com/ossf-criticality-score/index.html" rel="nofollow">https://commondatastorage.googleapis.com/ossf-criticality-sc...</a>(from the repo)So gnucash is #15 . At #75 is gcc .This seems like a great idea, but perhaps some refinements are needed.

评论 #25383292 未加载

评论 #25384674 未加载

评论 #25386138 未加载

评论 #25383006 未加载

cryptica超过 4 年前

There are some issues with the criticality score (<a href="https://github.com/ossf/criticality_score" rel="nofollow">https://github.com/ossf/criticality_score</a>).For example, it counts the number of issues as determining criticality. If there is any kind of money attached to this score (now or in the future), obviously this is going to encourage people to introduce more bugs into their projects.

Svetlitski超过 4 年前

Sounds interesting in theory, but the results are somewhat bizarre. For example, their published list of the top 200 "most critical" open-source C projects includes Urbit and Stellar, and includes micropython but does not include CPython.

评论 #25382922 未加载

评论 #25382657 未加载

defanor超过 4 年前

I like this idea, which pops up here and there occasionally, but this particular "criticality score" appears to measure popularity, rather than criticality. For one, it doesn't take into account whether there are common alternatives to a given project/package. Of course data like that is hard to gather automatically and from GitHub, but possibly that's just not a great source, and/or could be combined with others -- such as operating systems' repositories, which would contain information not just about alternatives, but also about packages required to run a minimal system, and to build it.

rwmj超过 4 年前

It's nice that they're automating this even though the results seem currently a bit random. Fedora has a concept of Critical Path packages (<a href="https://fedoraproject.org/wiki/Critical_path_package" rel="nofollow">https://fedoraproject.org/wiki/Critical_path_package</a>). The concept is related to various activities, eg. a package is critical if is is needed when installing a graphical desktop. But as far as I know packages are picked manually and therefore we probably miss packages or over/underestimate criticality.

评论 #25399675 未加载

commoner超过 4 年前

The link is to the home page of the Google Open Source Blog, and not this specific blog post. It should be updated to:<a href="https://opensource.googleblog.com/2020/12/finding-critical-open-source-projects.html" rel="nofollow">https://opensource.googleblog.com/2020/12/finding-critical-o...</a>

gojomo超过 4 年前

Neither the blog post nor project README directly mentions whether the 0.0 to 1.0 score goes from most-critical to least, or least-critical to more.It appears 1.0 is most-critical, if you dig into ranking lists.

评论 #25383028 未加载

vlovich123超过 4 年前

Have you heard of the WWII bullet holes problem that Wald solved? This project seems to fall into the trap that Wald’s colleagues fell into. The more popular a project the more critical it becomes when that’s not actually the case. You want to know where the bullet holes you don’t see are because that’s the thing that’s going to take you out. All the bullet holes you’re seeing and surviving are not great but survivable.Critical to me means “what’s the thing I have to pay attention to or I’ll suffer consequences”. Having a dependency on a non-popular crate is definitely an increasing score of criticality for that dependency. I may have misread but the fatal error in the metric to me is that popularity of a project increases its criticality when it should decrease. A popular project with lots of contributors means it has lots of stake holders already and a way to successfully manage that. What you want is the small independent projects that popular projects depend on. In other words, what’s the smallest, hardest to notice malicious change I can make in the supply chain of software development to enact the most disruptive change?

评论 #25388658 未加载

评论 #25389007 未加载

cycloptic超过 4 年前

Lots of things to check out here, and it's limited only to projects that are on github, but unsurprisingly it looks like the top 5 are:- Node (0.984)- Tensorflow (0.969)- Git (0.945)- Linux (0.936)- PHP (0.919)

评论 #25382830 未加载

eh78ssxv2f超过 4 年前

I don't understand how gnucash is more critical than Arduino, wine or nginx. Is gnucash very widely used?

评论 #25382974 未加载

评论 #25384286 未加载

krzyk超过 4 年前

Strange list, PMD so high, quarkus also, but e.g. jackson is lower then those both.elasticsearch at the top? flink? It is first time I hear about it and I work in Java shops for quite some time.

评论 #25383630 未加载

fsflover超过 4 年前

See also: <a href="https://www.fsf.org/campaigns/priority-projects" rel="nofollow">https://www.fsf.org/campaigns/priority-projects</a>.

tkhoven超过 4 年前

This url links to the top-level blog - for the specific post indicated by the title it needs to be <a href="https://opensource.googleblog.com/2020/12/finding-critical-open-source-projects.html" rel="nofollow">https://opensource.googleblog.com/2020/12/finding-critical-o...</a>

sova超过 4 年前

Very interesting and I hope this leads to actual recompense/compensation for people "thanklessly maintaining" OSS. Not sure how it possibly fits into Google's newfound profit-at-all-costs motive, but the gesture is an important first step towards some semblance of justice.

评论 #25382486 未加载

harpiaharpyja超过 4 年前

Seems like a good direction. My main hope is that if metrics like these become more accepted and/or important, that they find a way to avoid running afoul of Goodhart's law.

lkcl超过 4 年前

btw, just one thing, having seen this slashdot comment: <a href="https://news.slashdot.org/comments.pl?sid=17816088&cid=60823564" rel="nofollow">https://news.slashdot.org/comments.pl?sid=17816088&cid=60823...</a>what i strongly recommend that google do - instead of doing this work which is, as you've probably noticed from the comments, well-meaning but highly likely to be biased - is:<pre><code> *make a large donation to NLnet* </code></pre> don't tell them what to do with the money: leave that up to them. NLnet is extremely good at ensuring that money is used effectively, by requiring that they come up with a project plan involving milestones. they do not just "dump money at the developer", which has a known high historically-backed probability of causing more harm than good: they require the milestones to be completed, 100%, before the money is paid.note, here: they do not use algorithms to assess a project: they use people. they also assess the proposal against the usefulness of achieving key objectives.