Comments (8)
I think having at least two maintainers is more important than having two contributors.
from scorecard.
I just fail to see what this has to do with cybersecurity specifically.
Picking a company name entirely randomly - If I compare a Microsoft-sponsored and highly-funded project on Github, to another random project that is built by 4 or 5 individuals in their free time with no involvement from any organization, why would one assume the second project is more secure? I am not saying it would not be, maybe it is, but there is really no actual information to go by either way.
I just don't see what this has to do with cybersecurity at all.
It is about trust. Would you not put trust in this order when uptaking a new dependency?
random developer project < project maintained by one org < project maintained/contributed by 2+ orgs.
Also, we are open to your ideas. Given a developer account XYZ, how can you say this developer can be trusted? Any thoughts there? Maybe that can be a better check than this.
IMHO this is not an indicator of trust either way.
Again, back to my previous example... why should I trust [random open source developed by 2 or 3 people I don't know] vs [project with a dozen contributors sponsored by giant major well-known org]?
Again I am NOT saying single-sourced projects by large orgs like Google/Microsoft/etc are more trustworthy, but they certainly aren't LESS trustworthy. I just don't see what the number of organizations has to do with this. I believe we are mixing up the concepts of open source governance, with trust & cybersecurity. Governance is vital! But it doesn't really have anything to do with trust IMHO. There are lots of well-governed projects in LF, that likely have poor cybersecurity, and there are lots of single-source projects that likely have excellent cybersecurity. I doubt there would be any kind of positive correlation here at all.
@htuch suggestion:
"""
Basically, we want to know that there are >= 2 contributors who are responsible for a large fraction of the PRs. It's not sufficient to just know that there is more than one committer; I basically look back through GH contributor stats or history to ensure that there is at least one other contributor who is doing a reasonable amount, e.g. > 10%, of commits.
"""
I think our concern (based on experience) can be articulated as having a bus factor of 1 leaves you at heightened risk when it comes to decisions around vulnerability disclosure process and execution. E.g. let's say there is a zero day and the solo maintainer has gone AWOL, what can be done? I think there is a strong relationship between effective governance and effective security policy implementation.
There's definitely room to debate how this "bus factor > 1" or "project governance meets a litmus test" policy can be implemented, and this thread brings up a number of good points and counterexamples. I'd just be wary about being completely agnostic to the number and structure of contributors/maintainers.
The risk is more than just vulnerability disclosure process and execution. It could be as simple as you choosing a dependency that ends up abandoned. Then you end up needing to upgrade to a newer version of a language/runtime/framework/whatever, and realise you can't because an individual OSS maintainer has burnt out and hasn't continued maintaining it.
But the issue was raised around the wording "Does the project have contributors from at least two different organizations?".
So are we talking about a maintainer bus factor, or an organisation bus factor?
@coderpatros Agree, that's my point. This check is not checking maintainers, it is checking organizations. Bus factor isn't what's being evaluated. A repo from [large company] with 20 maintainers and 100 contributors gets a lower score than a repo with 2 hobbyist maintainers / contributors. To me it makes no sense from a security perspective. Odds of the repo getting abandoned (or having pretty much any kind of security issue) are far higher with the latter.
EDIT: Actually the code currently doesn't account for "null" companies either. So unaffiliated individuals don't even count for the check (i.e. this check will only pass if at least two "companies" are sponsoring a project; volunteer or unaffiliated projects will never pass it). The more I look at this check the more I disagree with how it works.
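The two heuristics argued over in this thread are easy to put side by side in code: @htuch's maintainer bus factor (at least two people each carrying more than 10% of the commits) and the "at least two organizations" check, with the "null company" behaviour the last comment complains about made explicit. The Go below is an added illustration written for this thread; it is not Scorecard's own implementation, and the contributor records (logins, companies, commit counts) are constructed sample data, not from any real repository.

```go
package main

import (
	"fmt"
	"sort"
)

// Contributor is a constructed record for one account in the commit window:
// the login, the company on the account profile (empty when unaffiliated),
// and the number of commits attributed to it.
type Contributor struct {
	Login   string
	Company string
	Commits int
}

// SampleContributors is constructed sample data, not taken from any real repository:
// three unaffiliated volunteers do nearly all the work, one corporate account does a little.
var SampleContributors = []Contributor{
	{Login: "alice", Company: "", Commits: 120},
	{Login: "bob", Company: "", Commits: 45},
	{Login: "carol", Company: "", Commits: 10},
	{Login: "dave", Company: "Example Corp", Commits: 3},
}

// totalCommits sums the commits over all contributors.
func totalCommits(cs []Contributor) int {
	n := 0
	for _, c := range cs {
		n += c.Commits
	}
	return n
}

// SignificantContributors returns the contributors whose share of all commits is at
// least minSharePct percent, sorted by commit count descending. Integer arithmetic is
// used so a 10% threshold is compared exactly rather than through float rounding.
func SignificantContributors(cs []Contributor, minSharePct int) []Contributor {
	total := totalCommits(cs)
	if total == 0 {
		return nil // no history in the window: nobody can be a significant contributor
	}
	var out []Contributor
	for _, c := range cs {
		if c.Commits*100 >= minSharePct*total {
			out = append(out, c)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Commits > out[j].Commits })
	return out
}

// BusFactorOK reports whether at least minPeople contributors each carry at least
// minSharePct percent of the commits, the bus-factor heuristic @htuch describes.
func BusFactorOK(cs []Contributor, minSharePct, minPeople int) bool {
	return len(SignificantContributors(cs, minSharePct)) >= minPeople
}

// DistinctOrganizations counts the distinct companies among the contributors.
// With countUnaffiliated=false an empty Company is ignored, so a project built entirely
// by unaffiliated volunteers scores zero organizations. With countUnaffiliated=true each
// unaffiliated account is counted as an organization of its own.
func DistinctOrganizations(cs []Contributor, countUnaffiliated bool) int {
	seen := make(map[string]struct{})
	for _, c := range cs {
		switch {
		case c.Company != "":
			seen["org:"+c.Company] = struct{}{}
		case countUnaffiliated:
			seen["individual:"+c.Login] = struct{}{}
		}
	}
	return len(seen)
}

func main() {
	total := totalCommits(SampleContributors)
	for _, c := range SignificantContributors(SampleContributors, 10) {
		fmt.Printf("%-6s %3d commits (%.1f%%)\n", c.Login, c.Commits, 100*float64(c.Commits)/float64(total))
	}
	fmt.Println("bus factor >= 2 at 10% share:", BusFactorOK(SampleContributors, 10, 2))
	fmt.Println("organizations, ignoring unaffiliated:", DistinctOrganizations(SampleContributors, false))
	fmt.Println("organizations, counting unaffiliated:", DistinctOrganizations(SampleContributors, true))
}
```

On the sample data the maintainer heuristic passes (alice and bob each hold well over 10% of commits), while the organization count is 1 when unaffiliated accounts are dropped and 4 when each of them is counted, which is exactly the gap between "maintainer bus factor" and "organisation bus factor" that @coderpatros asks about.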