ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0
4.48k stars 490 forks

Contribution account age as a factor #4000

Open joubin opened 6 months ago

joubin commented 6 months ago

Is your feature request related to a problem? Please describe.

Not a problem, pure enhancement request

Describe the solution you'd like

In assessing the security and trustworthiness of open-source libraries, two additional metrics should be considered: the diversity of contributors and the age of their GitHub accounts. This approach could offer early indicators of potential security risks, as seen in scenarios like CVE-2024-3094. While not foolproof—given the possibility of using older accounts for malicious purposes—these metrics serve as valuable signals. Specifically, libraries with contributions from newer accounts or from individuals with limited cross-project involvement could be flagged for closer scrutiny. Conversely, libraries benefiting from longstanding contributors with extensive cross-project activity should be deemed more reliable. This system recognizes the potential for false positives but aims to enhance overall security postures by identifying unusual contribution patterns indicative of risks.

Describe alternatives you've considered

I cannot think of an alternative, but hope to use this issue as a thread to conduct the conversation around this

Additional context

- Good visual for understanding the issue
- Clear writeup
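One way the two proposed signals (account age and cross-project involvement) could be turned into a check, as an added example that is not part of the issue and not Scorecard's own code. The `Commit` fields, the 90-day age threshold, the three-repository activity threshold, the 25% share above which the repository is flagged, and the commit history are all assumptions constructed for illustration; Scorecard's real `clients` types and its 0-10 scoring are not used here.

```go
package main

import (
	"fmt"
	"time"
)

// Commit carries only the author metadata the heuristic needs.
// These fields are assumed for the example; they are not Scorecard's types.
type Commit struct {
	SHA           string
	AuthorLogin   string
	AuthorCreated time.Time // creation date of the author's GitHub account
	OtherRepos    int       // repositories outside this one the author has contributed to
}

// Thresholds are illustrative assumptions, not values from the issue.
const (
	MinAccountAge   = 90 * 24 * time.Hour // accounts younger than this are "new"
	MinOtherRepos   = 3                   // fewer other repos than this is "isolated"
	MaxSuspectShare = 0.25                // flag the repo above this share of suspect commits
)

// Result summarises the assessment of one repository's recent history.
type Result struct {
	TotalCommits    int
	DistinctAuthors int
	SuspectCommits  int
	Suspect         map[string][]string // login -> reasons it was flagged
	Flagged         bool
}

// Assess walks the commit history and flags commits whose author has a
// young account or little activity elsewhere. An old account can still be
// malicious (the issue says so), so this is a signal, not a verdict.
func Assess(commits []Commit, now time.Time) Result {
	r := Result{Suspect: map[string][]string{}}
	authors := map[string]bool{}
	for _, c := range commits {
		r.TotalCommits++
		authors[c.AuthorLogin] = true

		var reasons []string
		if now.Sub(c.AuthorCreated) < MinAccountAge {
			reasons = append(reasons, "account younger than 90 days")
		}
		if c.OtherRepos < MinOtherRepos {
			reasons = append(reasons, "little cross-project activity")
		}
		if len(reasons) > 0 {
			r.SuspectCommits++
			if _, seen := r.Suspect[c.AuthorLogin]; !seen {
				r.Suspect[c.AuthorLogin] = reasons
			}
		}
	}
	r.DistinctAuthors = len(authors)
	if r.TotalCommits > 0 &&
		float64(r.SuspectCommits)/float64(r.TotalCommits) > MaxSuspectShare {
		r.Flagged = true
	}
	return r
}

// SampleNow fixes the reference date so the example is deterministic.
func SampleNow() time.Time { return time.Date(2024, 4, 1, 0, 0, 0, 0, time.UTC) }

// SampleCommits is a constructed history: six commits from a long-standing
// contributor and three from an account created 46 days before SampleNow.
func SampleCommits() []Commit {
	veteran := time.Date(2015, 3, 2, 0, 0, 0, 0, time.UTC)
	newcomer := time.Date(2024, 2, 15, 0, 0, 0, 0, time.UTC)
	var cs []Commit
	for i := 0; i < 6; i++ {
		cs = append(cs, Commit{SHA: fmt.Sprintf("v%d", i), AuthorLogin: "veteran", AuthorCreated: veteran, OtherRepos: 40})
	}
	for i := 0; i < 3; i++ {
		cs = append(cs, Commit{SHA: fmt.Sprintf("n%d", i), AuthorLogin: "newcomer", AuthorCreated: newcomer, OtherRepos: 0})
	}
	return cs
}

func main() {
	r := Assess(SampleCommits(), SampleNow())
	fmt.Printf("commits=%d authors=%d suspect=%d flagged=%v\n",
		r.TotalCommits, r.DistinctAuthors, r.SuspectCommits, r.Flagged)
	for login, reasons := range r.Suspect {
		fmt.Printf("  %s: %v\n", login, reasons)
	}
}
```

With the constructed history, 3 of 9 commits come from the 46-day-old account with no activity elsewhere, so the suspect share is 33% and the repository is flagged for closer review; the veteran's commits carry no reasons. In a real check the account creation date and cross-project activity would have to come from the forge's user API, and the thresholds would need tuning against false positives from legitimate first-time contributors.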

github-actions[bot] commented 3 months ago

This issue has been marked stale because it has been open for 60 days with no activity.