
Use Debian/other distro dependent count data for C/C++ projects #139

Open
oliverchang opened this issue Jun 28, 2022 · 1 comment

@oliverchang
Contributor

For Debian, we could potentially extract this information from package indexes. This could be a useful proxy for C/C++ projects.

e.g. from https://snapshot.debian.org/archive/debian/20220627T213404Z/dists/bullseye/main/binary-amd64/Packages.xz and https://snapshot.debian.org/archive/debian/20220627T213404Z/dists/bullseye/main/source/Sources.xz
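One way to turn such an index into a dependents count, as an added Python example that is not code from ossf/criticality_score or from either commenter: it parses the control-format paragraphs of a Packages file, maps each binary package to its source package through the Source field, and counts distinct binary packages from other source packages that depend on each source (Build-Depends from Sources would be a second, similar pass). The index content below is a constructed sample; a real run would decompress Packages.xz first, e.g. with the lzma module.

```python
import re

# Constructed sample in Debian control format (not real index content).
SAMPLE_PACKAGES = """\
Package: libssl3
Source: openssl
Depends: libc6 (>= 2.34)

Package: openssl
Depends: libssl3 (>= 3.0.0), libc6 (>= 2.34)

Package: libcurl4
Source: curl (7.74.0-1.3)
Depends: libc6 (>= 2.34), libssl3 (>= 3.0.0) | libgnutls30

Package: libc6
Source: glibc
"""

def parse_paragraphs(text):
    """Split control-format text into field dicts, folding continuation lines."""
    paras, cur, last = [], {}, None
    for line in text.splitlines() + [""]:  # sentinel flushes the last paragraph
        if not line.strip():  # a blank line ends a paragraph
            if cur:
                paras.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last:  # indented: continuation of previous field
            cur[last] += " " + line.strip()
        else:  # "Field: value" (control-format field lines always carry a colon)
            last, val = map(str.strip, line.split(":", 1))
            cur[last] = val
    return paras

def dep_names(field):
    """Names in a Depends value; version/arch qualifiers dropped, each alternative counts."""
    return {n for alt in re.split(r"[,|]", field)
            if (n := re.split(r"[\s(\[:]", alt.strip(), maxsplit=1)[0])}

def source_of(pkg):
    """Source package name; 'Source: name (version)' appears only when it differs."""
    return pkg.get("Source", pkg["Package"]).split()[0]

def dependents_per_source(packages_text):
    """Source package -> number of binaries from other sources that depend on it."""
    pkgs = parse_paragraphs(packages_text)
    bin_to_src = {p["Package"]: source_of(p) for p in pkgs}
    users = {}  # source -> set of dependent binary package names
    for p in pkgs:
        for name in dep_names(p.get("Depends", "") + "," + p.get("Pre-Depends", "")):
            src = bin_to_src.get(name)  # names absent from this index are skipped
            if src and src != source_of(p):  # ignore deps within the same source
                users.setdefault(src, set()).add(p["Package"])
    return {src: len(s) for src, s in users.items()}
```

Counting per source package rather than per binary avoids inflating a project's score through its own split packages (openssl depending on libssl3 is not counted above).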

@mudongliang

We have implemented this idea in our own repository to choose the most "critical" open source projects.

We have open sourced our repository - https://github.com/HUSTSeclab/criticality_score. There are some differences between ours and ossf/criticality_score.

  • Distribution Dependents: Collects data from various Linux distributions (e.g. Debian, Arch, Nix, Gentoo) and corresponding package managers to evaluate the dependency of open-source software synthetically.
  • Support for All Git Repositories: Uses metrics collected from an offline repository. Therefore, it can analyze repositories from any Git platform, not just GitHub. It could even extend to other source code version control systems.
  • Customized Metrics Collection: Gathers wider and customized metrics from Git repositories and package managers. BTW, this can lose some metrics specific to GitHub or the code hosting platform.
  • No Dependency on Google Cloud or BigQuery: ossf/criticality_score depends on Google Cloud services, making it hard to migrate to other platforms. This project runs independently of specific cloud services, ensuring ease of deployment. BTW, we use the public API of deps.dev.
  • Easy Deployment: Run a script, and the system will be easily set up with Docker.
  • Provides Additional Information: Provides extra insights, such as relationships between projects and dependencies.


2 participants