aboodman
commented
5 years ago Rough thoughts:
They should definitely count. Linux should be a dependency of almost every company.
But it also seems like you could be fairly clever about how you discover dependencies. Like, discovering client bindings could indicate a dependency on the corresponding service.
Of course this gets complex because maybe you depend on the service through a commercial service provider, in which case I don't think it's dependencies should count.
Definitely an open issue.
There are lots of OSS deps that companies will have which aren't obviously discoverable by crawling the source. Things like operating systems, things run as a service, etc. Do they count?