Trying to determine what the Linux Foundation is doing to identify
"critical" system packages I found this page:

https://insights.linuxfoundation.org/

  Discover the world's most critical open source projects

So what are they?

Top 30 Open Source Projects
https://insights.linuxfoundation.org/collection/details/top-open-source-projects

  A curated list of the most essential open source projects based on the
  OpenSSF Criticality Score, representing foundational infrastructure
  and frameworks relied upon globally across industries.

Note: although it says "Top 30" actually there are 46 projects listed.

There is little overlap between this list and the Debian base system
and essential packages which naturally rank high in the popularity
contest (popcon) list.  Many projects in the "Top 30 Open Source
Projects" list rank low in Debian popcon or don't appear at all, while
Debian's base system and essential packages don't appear in the Linux
Foundation's list.
 
Here I examine two examples:

Second in Linux Foundation's "Top 30 Open Source Projects" list is
Flutter.

  Flutter
  https://flutter.dev/

Flutter is powered by the dart language.  If flutter is critical, dart
should be at least equally so but it does not appear in the "Top 30"
list.

Debian does not provide a package for dart.  It seems a package named
"dart" is available from an outside source: it appears low in the
popcon list.  This .deb package may be for the Dynamic Animation and
Robotics Toolkit which has no relation with the dart language.

  DART (Dynamic Animation and Robotics Toolkit)
  https://dartsim.github.io/

Eighth in the "Top 30" list is Godot Engine.

  Godot Engine
  https://godotengine.org/ja/

Godot Engine is a game engine with editor.  It makes developing 2D and
3D games easy.  The godot3 package is provided by Debian.  It ranks low
in popcon.

The Linux Foundation considers a game engine "most essential" and
"relied upon globally across industries."

We can see that the "critical projects" list is poorly focused.  It
doesn't serve its stated purpose and as such gets little attention.

---

So how did Linux Foundation produce the list?

The criticality ranking is produced by an algorithm provided by the
Open Source Security Foundation (OpenSSF), which is affiliated with
the Linux Foundation.  The OpenSSF site has a page explaining the
formula:

Understanding and Applying the OpenSSF Criticality Score in Open
Source Projects
https://openssf.org/blog/2023/07/28/understanding-and-applying-the-openssf-criticality-score-in-open-source-projects/

  The algorithm has three variables, a[i], S[i], and T[i].
  a[i] is the weight of the i'th signal, S[i] is the value of
  the i'th signal, and T[i] is the threshold of the i'th signal.

The person running the algorithm arbitrarily selects the input factors
(or "signals").  The weight a[i] is an arbitrary scalar.  As such this
model gives the person in charge much room for tampering.

For example should someone desire to produce a list with Emacs ranking
high, he could do so by making "number of supported human languages"
"age of project" "percentage of code written in Lisp" input factors
and assigning large weights to them.

The input factors and weights used by the Linux Foundation are not
published.  I haven't found a complete list of projects surveyed.
Neither have I seen criticality scores in the "Top 30" list or
elsewhere.

My guess is that the Linux Foundation needed to produce a criticality
ranking with Linux kernel ranking high, and tweaked around with S[i]
and a[i] to get the desired outcome.  I have seen that kind of
tweaking with multiple regression analysis.

---

Wikipedia provides a compilation of free software directories:

List of free software project directories
https://en.wikipedia.org/wiki/List_of_free_software_project_directories

Linux Foundation is not mentioned in this article.


Akira Urushibata

_______________________________________________
libreplanet-discuss mailing list
[email protected]
https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss

Reply via email to