coreinfrastructure / best-practices-badge

🏆Open Source Security Foundation (OpenSSF) Best Practices Badge (formerly Core Infrastructure Initiative (CII) Best Practices Badge)
https://www.bestpractices.dev
MIT License

Background for bus factor item in OpenSSF Best Practices levels? #1961

Closed bartlettroscoe closed 1 year ago

bartlettroscoe commented 1 year ago

Hello,

I noticed that bus factor is not even suggested until the SILVER level and not required until the GOLD level (see here). Why is a bus factor > 1 not even recommended for a PASSING badge? Are there a lot of important open-source packages that only have a bus factor of 1 and we don't want to exclude them from getting a PASSING badge?

david-a-wheeler commented 1 year ago

That's because a vast number of OSS projects are single-person projects. We want single-person projects to take steps to produce secure results, as well as the rarer multi-person projects.

The best data currently available suggests that the majority of OSS projects are single-person projects. E.g.:

It'd be good for more projects to be multi-person projects. But even well-run projects don't always get more contributors.

david-a-wheeler commented 1 year ago

There's also the problem that getting more people onto a project is generally completely outside a project's control. You can change your process, and you can change your code, but you often can't force other people to work on a project.

bartlettroscoe commented 1 year ago

@david-a-wheeler, thanks for the info!