
Census II Report on Open Source Software

6y ago

Source: dwheeler.com
Snippet from the RSS feed
The Linux Foundation and the Laboratory for Innovation Science at Harvard have just released a new report: “Vulnerabilities in the Core: Preliminary Report and Census II of Open Source Software” by Frank Nagle, Jessica Wilkerson, James Dana, and Jennifer L. Hoffman, 2020-02-14. Just click on “Download Report” when you get there. A summary is available from Harvard.

Here’s a quick introduction to the paper. Their long-term goal is to figure out what FOSS packages are most critical through data analysis. This turns out to be extremely difficult, as discussed in the paper, and they expressly state that their current results “cannot - and do not purport to - be a definitive claim of which FOSS packages are the most critical”. That said, they have developed a method as a “proof of concept” to start working towards that answer.

They describe their approach in detail. Here’s a quick summary. First they use data from Software Composition Analysis (SCA) and application security companies, including Snyk and the Synopsys Cybersecurity Research Center, to identify components used in actual systems. They then use dependency analysis (via libraries.io) to identify indirect (transitive) dependencies. Finally, they averaged the Z-scores to provide normalized rankings.

Here are some key lessons learned from the report (Chapter 7):

- There’s a need for a standardized naming scheme for software components.
- There’s an increasing importance of individual developer account security.
- Legacy software persists in the open source space.

Also, here’s an interesting nugget: “These statistics illustrate an interesting pattern: a high correlation between being employed and being a top contributor to one of the FOSS packages identified as most used.”

I’m on the CII Steering Committee, so I did comment on an earlier draft, but credit goes to the actual authors.
