sesheta
commented
1 year ago @mayaCostantini: This issue is currently awaiting triage.
If a refinement session determines this is a relevant issue, it will accept the issue by applying the
triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
mayaCostantini
goern
Problem statement
As a Python Developer, I would like to have concise information about the quality of my software stack and all its transitive dependencies, so that I get some absolute metrics such as:
Which would be aggregated and compared to metrics for packages present in Thoth's database to provide a global quality metric for a given software stack, eventually given a specific criteria (maintenance, code quality...), in the form of a percentage or score (A, B, C...).
We consider the metrics derived from direct and transitive dependencies to be of the same importance, so there will not be any difference in the weight given to information carried by the two types of dependencies.
Proposal description
Taking the example of OSSF Scorecards, we already aggregate this information in prescriptions which are used directly by the adviser. However, the aggregation logic present in
prescriptions-refresh-jobonly updates prescriptions for packages already present in the repository. We could either aggregate Scorecards data for more packages using the OSSF BigQuery dataset or have our own tool that computes Scorecards metrics on a new package release, which could be integrated directly intopackage-update-jobfor instance. This would most likely consist in a simple script querying the GitHub API and computing the metrics on the project's last release commit.package-update-jobor on a regular scheduleFor example, if a software stack is in the 95th percentile of packages with the best development practices (CI/CD, testing...), score it as "A" for this category. Compute a global score from the different category scores.
Additional context
Actionable items If implemented, those improvements will most likely be a way for maintainers of a project to show that they use a trusted software stacks to their users. AFAICS, this would not provide any actionable feedback to developers about their dependencies.
Acceptance Criteria
To define.