Trying to determine what the Linux Foundation is doing to identify "critical" system packages I found this page:
https://insights.linuxfoundation.org/ Discover the world's most critical open source projects So what are they? Top 30 Open Source Projects https://insights.linuxfoundation.org/collection/details/top-open-source-projects A curated list of the most essential open source projects based on the OpenSSF Criticality Score, representing foundational infrastructure and frameworks relied upon globally across industries. Note: although it says "Top 30" actually there are 46 projects listed. There is little overlap between this list and the Debian base system and essential packages which naturally rank high in the popularity contest (popcon) list. Many projects in the "Top 30 Open Source Projects" list rank low in Debian popcon or don't appear at all, while Debian's base system and essential packages don't appear in the Linux Foundation's list. Here I examine two examples: Second in Linux Foundation's "Top 30 Open Source Projects" list is Flutter. Flutter https://flutter.dev/ Flutter is powered by the dart language. If flutter is critical, dart should be at least equally so but it does not appear in the "Top 30" list. Debian does not provide a package for dart. It seems a package named "dart" is available from an outside source: it appears low in the popcon list. This .deb package may be for the Dynamic Animation and Robotics Toolkit which has no relation with the dart language. DART (Dynamic Animation and Robotics Toolkit) https://dartsim.github.io/ Eighth in the "Top 30" list is Godot Engine. Godot Engine https://godotengine.org/ja/ Godot Engine is a game engine with editor. It makes developing 2D and 3D games easy. The godot3 package is provided by Debian. It ranks low in popcon. The Linux Foundation considers a game engine "most essential" and "relied upon globally across industries." We can see that the "critical projects" list is poorly focused. It doesn't serve its stated purpose and as such gets little attention. --- So how did Linux Foundation produce the list? The criticality ranking is produced by an algorithm provided by the Open Source Security Foundation (OpenSSF), which is affiliated with the Linux Foundation. The OpenSSF site has a page explaining the formula: Understanding and Applying the OpenSSF Criticality Score in Open Source Projects https://openssf.org/blog/2023/07/28/understanding-and-applying-the-openssf-criticality-score-in-open-source-projects/ The algorithm has three variables, a[i], S[i], and T[i]. a[i] is the weight of the i'th signal, S[i] is the value of the i'th signal, and T[i] is the threshold of the i'th signal. The person running the algorithm arbitrarily selects the input factors (or "signals"). The weight a[i] is an arbitrary scalar. As such this model gives the person in charge much room for tampering. For example should someone desire to produce a list with Emacs ranking high, he could do so by making "number of supported human languages" "age of project" "percentage of code written in Lisp" input factors and assigning large weights to them. The input factors and weights used by the Linux Foundation are not published. I haven't found a complete list of projects surveyed. Neither have I seen criticality scores in the "Top 30" list or elsewhere. My guess is that the Linux Foundation needed to produce a criticality ranking with Linux kernel ranking high, and tweaked around with S[i] and a[i] to get the desired outcome. I have seen that kind of tweaking with multiple regression analysis. --- Wikipedia provides a compilation of free software directories: List of free software project directories https://en.wikipedia.org/wiki/List_of_free_software_project_directories Linux Foundation is not mentioned in this article. Akira Urushibata _______________________________________________ libreplanet-discuss mailing list [email protected] https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss
