OpenSSL Criticality Score

Nicola Tuveri nic.tuv at gmail.com
Sun Dec 13 10:31:28 UTC 2020


As an update on the issue of some fields not being entirely accurate,
I am forwarding a message on behalf of @inferno-chromium, the
maintainer of the https://github.com/ossf/criticality_score project,
who followed up on the [Github issue] I opened about this.

> Thanks for notifying us of the issue with incorrect project creation
> date issue, we do plan to look into it and see feasibility of picking
> the first commit date for accuracy. In case of openssl, it would have
> little to no impact on criticality score, as other factors clearly
> indicate it is a super-critical project. These include things like
> users dependent on openssl library, number of project contributors and
> user activity in terms of issues filed, updated.


[Github issue]: https://github.com/ossf/criticality_score/issues/14

On Fri, Dec 11, 2020 at 11:54 AM Nicola Tuveri <nic.tuv at gmail.com> wrote:
>
> On Fri, Dec 11, 2020 at 11:23 AM Matt Caswell <matt at openssl.org> wrote:
> >
> >
> > Actually according to the spreadsheet we are 5th (not 6th) - line 1 in
> > the sheet is the title row. Linux takes 2 of the top spots, with git and
> > php taking the other spots ahead of OpenSSL.
>
>
> Good, it's good that the double review process catches my off-by-one
> errors also on the mailing list ;)
>
> >
> >
> > Not sure I understand the "Releases (last yr)" column which says we did
> > 41 releases - that's a number I can't reconcile with the actual number
> > of releases we did.
> >
>
> https://github.com/ossf/criticality_score/blob/59e449d5598de4f27a83070297e5779a4a3407b2/criticality_score/run.py#L96-L114
>
> It seems to be an estimate based on the number of tags, as we don't do
> github releases:
>
> ```
> RELEASE_LOOKBACK_DAYS=365
> (total_tags / days_since_creation) * RELEASE_LOOKBACK_DAYS
> ```
>
> This is definitely skewed by considering the project 95 months old
> (2887 days) instead of ~264 months (8026 days).
>
>
> Nicola

