Open Source Summit CHAOSS (Community Health Analytics for Open Source Software)
Risks:
- people
- tribal knowledge
- historical knowledge
- expertise in domain … etc
- money
- maintainability
- test coverage
- dependability: fit for purpose
- provenance
- export restrictions
types of dependency
- direct (e.g. upstream)
- transitive
  - could be left alone if you trust the package maintainer who pulls it in
- circular
  - you depend on a, b and c. a depends on b. b depends on c. c depends on a.
- interdependent
  - you depend on a and b, but a depends on b.
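An added example (not from the talk or from CHAOSS/Augur) that walks a small constructed dependency graph encoding the cases above and classifies each package as direct, transitive, circular or interdependent, and then scores each pinned dependency in libyears from constructed release dates; the graph, the package names and the dates are all made up for illustration.

```python
from collections import deque
from datetime import date

# Constructed example graph (not from the talk): each key lists what it depends on.
# "you" is the project itself. It encodes the notes' two cases:
#   a -> b -> c -> a is circular, and you -> a, you -> b with a -> b is interdependent.
GRAPH = {
    "you": ["a", "b", "c"],
    "a": ["b"],
    "b": ["c"],
    "c": ["a", "d"],
    "d": [],
}

# Constructed release dates: installed version vs. most recent release, per package.
INSTALLED = {"a": date(2022, 1, 1), "b": date(2023, 1, 1)}
LATEST = {"a": date(2022, 1, 1), "b": date(2024, 1, 1)}


def reachable(graph, start):
    """All packages reachable from start by following dependency edges (BFS)."""
    seen, queue = set(), deque(graph.get(start, []))
    while queue:
        pkg = queue.popleft()
        if pkg not in seen:
            seen.add(pkg)
            queue.extend(graph.get(pkg, []))
    return seen


def classify(graph, root="you"):
    """Bucket every dependency of root by the categories used in the notes."""
    direct = set(graph.get(root, []))
    everything = reachable(graph, root)
    transitive = everything - direct            # pulled in only via another dependency
    circular = {p for p in everything if p in reachable(graph, p)}   # can reach itself
    interdependent = {(x, y) for x in direct for y in direct
                      if x != y and y in reachable(graph, x)}        # direct dep depends on direct dep
    return {"direct": direct, "transitive": transitive,
            "circular": circular, "interdependent": interdependent}


def libyear(installed, latest):
    """Years between the installed version's release and the latest release, per package."""
    return {p: (latest[p] - installed[p]).days / 365.25 for p in installed}


if __name__ == "__main__":
    print(classify(GRAPH))
    print(sorted(libyear(INSTALLED, LATEST).items(), key=lambda kv: -kv[1]))
```

Sorting the libyear result descending gives the "furthest behind" packages first, which is the heuristic ordering the notes suggest when every dependency cannot be tracked.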
You probably can’t track every dependency. Instead, you can use a heuristic for finding things likely to be the greatest risk. CHAOSS has a metric for this.
Augur has a toolchain to show how many files use a particular dependency
  - can help w/ figuring out which things are important
“libyear”: age of dependency compared to the most recently released version e.g. “you’re 6 months behind the latest release” is likely riskier than “you’re up to date”.