ossf / criticality_score

Gives criticality score for an open source project
Apache License 2.0
1.31k stars 116 forks

README: No `configure` script found. No `requirements` listed. Hints for new users are broken. User experience for this project: Bad #530

Open winspool opened 5 months ago

winspool commented 5 months ago

I arrived here from oss-fuzz. From the project description, criticality_score looks simple, but for a new user, it's crap.

Hint: My system does not have many unused tools installed, and I never used go or docker before and neither is installed.

| Result | Details |
|--------|---------|
| OK | Cloning the project works as usual |
| FAIL | There is no configure script |
| TRY | A Makefile is present, so I expect that a simple `make` works |
| FAIL | `make` just outputs a help message |
| FAIL | The Makefile has no `all` target, or at least a target named `criticality_score` |
| TRY | I tried to build the project with the help of the README.md file |
| FAIL | There is no section Requirements or Dependencies |
| TRY | Without Dependencies, everything should work out of the box: |
| | I tried again with the Usage section in the README |
| TRY | `go install github.com/ossf/criticality_score/cmd/criticality_score@latest` |
| FAIL | go / golang not installed. |
| | A `configure` script could check that and print a useful message |
| OK | Installing golang with the package manager works (needs 220MB) |
| TRY | `go install github.com/ossf/criticality_score/cmd/criticality_score@latest` |
| FAIL | go downloads 64 dependency projects, but nothing changed in the cloned project. |
| | Nothing was built in the current directory (the cloned repository) |
| OK | I have a GitHub token, and can export it |
| TRY | `gcloud auth login --update-adc` |
| FAIL | gcloud is not installed and cannot be installed from the package manager |
| FAIL | Where does gcloud come from? |
| | A configure script could check for gcloud and print a message |
| TRY | `criticality_score -gcp-project-id=[your projectID] https://github.com/kubernetes/kubernetes` |
| FAIL | criticality_score was not built |
| FAIL | The command requires a projectID, but there is no info on what is needed here and where I can get this ID |

Too many failures: I stopped here.

When a project ignores "autotools" (and C or C++) and decides to use something different, the replacement must be as simple as "autotools" (together with C or C++), and the replacement must always work.

Unfortunately, this project is not simple and it does not work at all.

nullmastermind commented 5 months ago

I think this project only serves the owner organization and requires a lot of configuration to work.