
Comments (8)

coderpatros avatar coderpatros commented on June 12, 2024

I think having at least two maintainers is more important than having two contributors.

from scorecard.

JasonKeirstead avatar JasonKeirstead commented on June 12, 2024

I just fail to see what this has to do with cybersecurity specifically.

Picking a company name entirely randomly: if I compare a Microsoft-sponsored and highly funded project on GitHub to another random project that is built by 4 or 5 individuals in their free time with no involvement from any organization, why would one assume the second project is more secure? I am not saying it would not be, maybe it is, but there is really no actual information to go by either way.

I just don't see what this has to do with cybersecurity at all.


inferno-chromium avatar inferno-chromium commented on June 12, 2024

It is about trust. Would you not put trust in this order when taking on a new dependency?
random developer project < project maintained by one org < project maintained/contributed by 2+ orgs.

Also, we are open to your ideas. Given a developer account XYZ, how can you say this developer can be trusted? Any thoughts there? Maybe that can be a better check than this.


JasonKeirstead avatar JasonKeirstead commented on June 12, 2024

IMHO this is not an indicator of trust either way.

Again, back to my previous example... why should I trust [random open source project developed by 2 or 3 people I don't know] vs. [project with a dozen contributors sponsored by a giant, major, well-known org]?

Again I am NOT saying single-sourced projects by large orgs like Google/Microsoft/etc are more trustworthy, but they certainly aren't LESS trustworthy. I just don't see what the number of organizations has to do with this. I believe we are mixing up the concepts of open source governance, with trust & cybersecurity. Governance is vital! But it doesn't really have anything to do with trust IMHO. There are lots of well-governed projects in LF, that likely have poor cybersecurity, and there are lots of single-source projects that likely have excellent cybersecurity. I doubt there would be any kind of positive correlation here at all.


inferno-chromium avatar inferno-chromium commented on June 12, 2024

@htuch suggestion:

"""
Basically, we want to know that there are >= 2 contributors who are responsible for a large fraction of the PRs. It's not sufficient to just know that there is more than one committer; I basically look back through GH contributor stats or history to ensure that there is at least one other contributor who is doing a reasonable amount, e.g. > 10%, of commits.
"""


htuch avatar htuch commented on June 12, 2024

I think our concern (based on experience) can be articulated as having a bus factor of 1 leaves you at heightened risk when it comes to decisions around vulnerability disclosure process and execution. E.g. let's say there is a zero day and the solo maintainer has gone AWOL, what can be done? I think there is a strong relationship between effective governance and effective security policy implementation.

There's definitely room to debate how this "bus factor > 1" or "project governance meets a litmus test" policy can be implemented, and this thread brings up a number of good points and counterexamples. I'd just be wary about being completely agnostic to the number and structure of contributors/maintainers.


coderpatros avatar coderpatros commented on June 12, 2024

The risk is more than just vulnerability disclosure process and execution. It could be as simple as you choosing a dependency that ends up abandoned. Then you end up needing to upgrade to a newer version of a language/runtime/framework/whatever, and realise you can't because an individual OSS maintainer has burnt out and hasn't continued maintaining it.

But the issue was raised around the wording "Does the project have contributors from at least two different organizations?".

So are we talking about a maintainer bus factor, or an organisation bus factor?


JasonKeirstead avatar JasonKeirstead commented on June 12, 2024

@coderpatros Agree, that's my point. This check is not checking maintainers, it is checking organizations. Bus factor isn't what's being evaluated. A repo from [large company] with 20 maintainers and 100 contributors gets a lower score than a repo with 2 hobbyist maintainers / contributors. To me it makes no sense from a security perspective. Odds of the repo getting abandoned (or having pretty much any kind of security issue) are far higher with the latter.

EDIT: Actually, the code currently doesn't account for "null" companies either. So unaffiliated individuals don't even count for the check (i.e. this check will only pass if at least two "companies" are sponsoring a project... volunteer or unaffiliated projects will never pass it...). The more I look at this check the more I disagree with how it works.

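As an added example (not code from the Scorecard project or from anyone in this thread), the small Go program below makes the two competing checks concrete: the "at least two contributors each doing more than 10% of commits" bus-factor heuristic suggested by @htuch, and the organization-count check discussed in the last comment, including what happens to unaffiliated ("null company") contributors. The commit histories, contributor names and the organization "BigCo" are constructed for illustration, and the functions `BusFactor` and `OrgCount` are my own, not Scorecard's API.

```go
package main

import "fmt"

// Commit is one commit's authorship record. Org is the organization the
// author is affiliated with; an empty string means an unaffiliated individual.
type Commit struct {
	Author string
	Org    string
}

// contributorShares returns each author's fraction of the total commits.
func contributorShares(commits []Commit) map[string]float64 {
	counts := map[string]int{}
	for _, c := range commits {
		counts[c.Author]++
	}
	shares := make(map[string]float64, len(counts))
	for author, n := range counts {
		shares[author] = float64(n) / float64(len(commits))
	}
	return shares
}

// BusFactor counts contributors whose share of commits exceeds minShare
// (the "> 10% of commits" heuristic from the thread). A result below 2 means
// a single person's absence stalls the project, including any fix for a
// vulnerability report.
func BusFactor(commits []Commit, minShare float64) int {
	n := 0
	for _, share := range contributorShares(commits) {
		if share > minShare {
			n++
		}
	}
	return n
}

// OrgCount counts the distinct organizations behind the contributors.
// With countUnaffiliated=false, contributors with an empty Org are ignored,
// which is the behaviour the last comment objects to: a volunteer project can
// never reach 2. With countUnaffiliated=true, each unaffiliated contributor is
// counted as an independent party instead.
func OrgCount(commits []Commit, countUnaffiliated bool) int {
	orgs := map[string]struct{}{}
	for _, c := range commits {
		switch {
		case c.Org != "":
			orgs[c.Org] = struct{}{}
		case countUnaffiliated:
			orgs["individual:"+c.Author] = struct{}{}
		}
	}
	return len(orgs)
}

// repeat builds n commits by one author (constructed sample data helper).
func repeat(author, org string, n int) []Commit {
	out := make([]Commit, n)
	for i := range out {
		out[i] = Commit{Author: author, Org: org}
	}
	return out
}

// history concatenates per-author commit runs into one project history.
func history(parts ...[]Commit) []Commit {
	var out []Commit
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

// Constructed histories (hypothetical projects, not real repositories):
// two unaffiliated maintainers splitting the work evenly, versus four
// employees of a single organization with an uneven split (one doing 5%).
var HobbyProject = history(repeat("alice", "", 50), repeat("bob", "", 50))
var SingleOrgProject = history(
	repeat("carol", "BigCo", 40), repeat("dave", "BigCo", 30),
	repeat("erin", "BigCo", 25), repeat("frank", "BigCo", 5),
)

func main() {
	for name, commits := range map[string][]Commit{"hobby": HobbyProject, "single-org": SingleOrgProject} {
		fmt.Printf("%-10s bus factor (>10%%): %d  orgs (ignore unaffiliated): %d  orgs (count individuals): %d\n",
			name, BusFactor(commits, 0.10), OrgCount(commits, false), OrgCount(commits, true))
	}
}
```

Run as is, it shows the divergence the thread is about: the two-person volunteer project has a bus factor of 2 but scores 0 organizations under the "ignore unaffiliated" rule, while the single-company project has a bus factor of 3 and still only 1 organization under either rule. Which of the two numbers you gate on is a policy choice; the code only makes explicit that they measure different things.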
