fossified / podcast

a podcast in English where we talk all things Free and Open Source
https://fossified.com
Apache License 2.0

Evaluating an Open Source project and code #27

Open oej opened 1 year ago

oej commented 1 year ago

In the huge "Software dependency chain" discussion there is a lot of talk about evaluating Open Source projects. OpenSSF has developed scorecards and work on this. What kind of competence is needed by the "users"?

Also, scorecards seem to include "active development" - is that really a good metric for all software? Stability could be a good thing.

bagder commented 1 year ago

Does anyone actually use those scorecard things?

Personally I would like to see more projects fill in https://bestpractices.coreinfrastructure.org/en

oej commented 1 year ago

That is a good start of the discussion - how do we recommend evaluation being done? What metrics apply? If the metrics are bad ("only a single developer coding when drunk after work on Friday evenings") then what do you do? Fork the project, add resources or abandon? There will be many proposals here and I think it's an important discussion.

hesa commented 1 year ago

Stability is good, I guess, when a project is feature complete. Not good when halfway through an implementation of a spec.

Some variables need a bit of context.

/Captain Obvious

Private: I feel a bit uneasy when hearing "score cards". Sounds a bit like 80s project management stuff (still taught at Gothenburg University, Sweden, last time I checked).

nordominus commented 1 year ago

> That is a good start of the discussion - how do we recommend evaluation being done? What metrics apply? If the metrics are bad ("only a single developer coding when drunk after work on Friday evenings") then what do you do? Fork the project, add resources or abandon? There will be many proposals here and I think it's an important discussion.

All good questions and not easy to answer imho. CHAOSS for example comes with a large amount of metrics (https://chaoss.community/kb-metrics-and-metrics-models/) that can be used. Finding the sweet set of those metrics isn't easy and at the end, as you wrote - what do you do in case the metrics for a project are "bad"?

Another example: An open source project can be in a sort of finished development state. Means no bugs, no (security) issues and so on exist. Technically the metrics will point out no commits/contributions over a longer period. No new releases etc. But still this open source component is heavily used. This scenario can be found within golang, node.js and others for example.

bagder commented 1 year ago

> An open source project can be in a sort of finished development state

It requires a person with domain knowledge to be able to assess that. In my little corner of internet transfer software, the idea that something would ever be "finished" is just a pipe dream as the entire world and its surroundings are constantly moving. There, not having changed anything in a long time simply implies that it isn't good enough. I would guess most areas actually work like this, but the exact definition of what "a long time" is may vary.

oej commented 1 year ago

See, this is a good topic for a discussion. In one corner the automatic scorecards saying that "this project is not worthy" and in the other the unpaid developer saying "it did everything it should ten years ago and still does. No changes needed."

bagder commented 1 year ago

reminder: vote on your favorite topic proposals with :+1: to help us figure out what subjects people think are interesting