FYI: Here are some other "top open source software (OSS)" lists


David A. Wheeler

Mar 26, 2021, 3:28:58 PM
to wg-securing-critical-projects
FYI, I’ve come across several sites that try to identify “top” open source software (OSS) in one way or another.

In case they’re useful, I list them below. I’m not arguing for any particular use of this information, however, the only way to consider something is to know it exists :-). I’m sure this is not a complete list, but I don’t think we’ve discussed some of them, & I wanted to make sure they were noted somewhere.

--- David A. Wheeler

==============

We’ve discussed many times the LF/Harvard (LISH) "Census II” work published in 2020,
but I should re-list it here. Title is
"Vulnerabilities in the Core Preliminary Report and Census II of Open Source Software"
https://www.coreinfrastructure.org/programs/census-program-ii/
That focused on language-level packages.

We’ve also previously discussed census I, but just in case you can’t find it, here it is.
"Open Source Software Projects Needing Security Investments”, aka Census I, focused on
system-level packages (specifically Debian). 2015. Report is here:
https://www.coreinfrastructure.org/wp-content/uploads/sites/6/2018/04/pub_ida_lf_cii_070915.pdf

Two Sigma Ventures’ “Open Source Index”, aka
"The Most Popular & Fastest Growing Open-Source Projects on GitHub”
https://twosigmaventures.com/open-source-index/
Near the bottom they explain their methodology;
they ignore GitHub stars (since they are easily gamed), and instead
weight several other metrics: #watchers, watcher growth (over the quarter),
# contributors, release cadence (aka # of commits), & GitHub’s “community health” score.

Stackshare "Top Tools” - list of the "Most popular Open Source & SaaS Tools on StackShare”
https://stackshare.io/tools/top
Not everything is OSS (they even include some specifications), but much is.
Click on “More” at the bottom several times to get a longer list.
You can see some specific tech stacks of certain organizations here:
https://stackshare.io/stacks

Zerodium (exploit acquisition)
This is a list of payouts for unreported zero-days;
Zerodium sells that information to organizations who typically
use those zero-days to attack users. Higher payouts suggest
“Important to society + hard to exploit”. It’s not just OSS, but there
is some OSS here. More info here:
https://zerodium.com/program.html
Zerodium was briefly mentioned in our March 25, 2021 meeting.

"Top 46 open source software applications"
https://entrepreneurhandbook.co.uk/open-source-software-list/
I’m especially dubious about this list; there are some programs
here that are useful but not widely used, and I see no evidence
of quantitative analysis (it looks more like a grab-bag).

It’s not really the same thing, but the
"Open Source Contributor Index”
ranks organizations by how much they contribute to OSS:
https://solutionshub.epam.com/OSCI

Also not the same thing, but interesting, is the
"The FOSS Contributor Fund: Forming a Community of Adopters".
It’s a blog post on what Indeed does:
"The fund enables Indeed employees who make open source contributions
to nominate and vote for projects. Each month, the winning project receives funding."
https://engineering.indeedblog.com/blog/2019/11/foss-fund-adopters/
It’s run by their Open Source Program Office (OSPO).
They think it’s great, and include pointers to materials to help
other organizations do the same thing.

