On Thu, Apr 04, 2024 at 08:11:42PM +0200, Leon Fauster via devel wrote: > > One approach that would be at least bring some light into "weak" > (non technical layer) components (albeit not sure how feasible it is), > could be: > > - Checking the resources of a packaged project. > Resources in terms of man or firm power that backup the project > > - Contribution activity of people > > - General activity of the project > > - Transparency of the workflow / tools > > and that for all projects that the distribution includes. > > Why? This would allow to plan internal review activities > (or processes) more effectively. They would be directed > to the "weak" components with higher priority (recurrent, actions). > > > Like the current process for checking the license (SPDX) of a project, > it could also collect such metrics right away. Well, as others have noted there is already OpenSSF scorecards. I agree it's good to know this info, and for maintainers that have a ton of packages they maintain, it might be good to be able to look at this to remind them. For maintainers with fewer packages, they likely already just know this from interacting with the upstream project already. I don't think we can or should use that for things like deciding if we allow packages into the collection or the like, there's a lot of ways a low score there could not matter or be non represenative of what the project is like. kevin
Attachment:
signature.asc
Description: PGP signature
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
