Revisiting the 2015 Open Source Census
7 hours ago
- #software sustainability
- #open source security
- #risk assessment
- In 2015, the Linux Foundation's Core Infrastructure Initiative published a census of open source projects to identify risky ones, ranking 428 projects by a risk index.
- xz-utils was ranked low (row 254, risk index 6), despite a reviewer noting its critical importance and potential danger, showing limitations in the scoring model.
- The risk index formula emphasized factors like no recent contributors, past CVEs, and use of C, but missed issues like maintainer burnout or outsider involvement.
- Top-ranked projects like libexpat, unzip, and rsync did go on to have vulnerabilities, bearing out the ranking, and some received funding and maintenance improvements as a result.
- Key infrastructure tools like sudo and polkit were excluded from the census because of how the input set of projects was assembled, so the census missed major later vulnerabilities like CVE-2021-3156 and CVE-2021-4034.
- Metrics like contributor count, while useful, can be misleading: they can make a project with one burnt-out maintainer and one attacker look healthy.
- Health dashboards often rely on incomplete data, as seen with curl's download counts, which highlights the risk of using narrow metrics to drive broad funding and risk decisions.
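The contributor-count point above is easy to demonstrate. The following is an added example, not code from the census or from the article being summarised: it runs a naive contributor count over a constructed commit log (hypothetical author names "maintainer" and "newcomer", invented dates) and sets it beside two cheap complementary signals, the share of recent commits from authors with little tenure and the activity trend of the previously dominant author. The thresholds used for the warning are assumptions chosen for the illustration, not values from the census.

```python
"""Naive contributor count vs. two complementary maintainer-health signals.

Constructed sample (not real project data): a long-time maintainer whose
activity fades over the year and a newcomer who quickly produces most commits.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed commit log: (commit date, author). Author names are hypothetical.
COMMITS = [
    (date(2023, 1, 10), "maintainer"),
    (date(2023, 2, 14), "maintainer"),
    (date(2023, 3, 3), "maintainer"),
    (date(2023, 4, 21), "maintainer"),
    (date(2023, 6, 2), "maintainer"),
    (date(2023, 7, 18), "newcomer"),
    (date(2023, 8, 5), "newcomer"),
    (date(2023, 8, 30), "newcomer"),
    (date(2023, 9, 12), "maintainer"),
    (date(2023, 10, 1), "newcomer"),
    (date(2023, 11, 9), "newcomer"),
    (date(2023, 12, 15), "newcomer"),
]

# Assessment point for the demo: everything from this date on is "recent".
SINCE = date(2023, 7, 1)


def contributor_count(commits, since):
    """The naive dashboard metric: distinct authors with a commit since `since`."""
    return len({author for d, author in commits if d >= since})


def first_commit_dates(commits):
    """Map each author to the date of their earliest commit."""
    first = {}
    for d, author in sorted(commits):
        first.setdefault(author, d)
    return first


def newcomer_share(commits, since, tenure_days=90):
    """Fraction of recent commits made by authors whose first commit is less
    than `tenure_days` before `since` (or after it). tenure_days is an
    assumed threshold for the illustration."""
    first = first_commit_dates(commits)
    recent = [(d, a) for d, a in commits if d >= since]
    if not recent:
        return 0.0
    new = sum(1 for d, a in recent if (since - first[a]).days < tenure_days)
    return new / len(recent)


def top_author_before(commits, since):
    """Author with the most commits before `since`: the historical lead maintainer."""
    counts = Counter(a for d, a in commits if d < since)
    return counts.most_common(1)[0][0]


def assess(commits, since, window_days=181):
    """Compare the naive count with the lead maintainer's activity in equal
    windows before and after `since`, plus the newcomer share of recent work."""
    before_start = since - timedelta(days=window_days)
    after_end = since + timedelta(days=window_days)
    lead = top_author_before(commits, since)
    before = sum(1 for d, a in commits if a == lead and before_start <= d < since)
    after = sum(1 for d, a in commits if a == lead and since <= d < after_end)
    share = newcomer_share(commits, since)
    # Warning thresholds are assumptions for the demo: most recent work comes
    # from low-tenure authors while the lead maintainer's output has halved.
    warning = share > 0.5 and after * 2 < before
    return {
        "contributor_count": contributor_count(commits, since),
        "newcomer_share": round(share, 2),
        "lead_maintainer": lead,
        "lead_commits_before": before,
        "lead_commits_after": after,
        "warning": warning,
    }


def demo():
    """Run the assessment over the constructed log at the fixed demo date."""
    return assess(COMMITS, SINCE)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On this constructed log the naive metric reports two active contributors, which a dashboard would render as a healthy project, while the complementary signals show the lead maintainer's output dropping from five commits to one and six of the seven recent commits coming from an author with no prior history. None of this proves anything malicious; it only shows that a count of names cannot distinguish a growing community from a hand-over to a single newcomer, which is exactly the distinction a risk index built on contributor counts needs.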