by rhencke
2022 days ago
I would like to see a measure of criticality that takes the following into account:

* Critical projects may have very little activity/maintenance. For example, Bash 4.0 to Bash 5.0 was only 123 commits over 8 years. But Bash is absolutely a critical project (ask any org about how much work they had to do when affected by https://en.wikipedia.org/wiki/Shellshock_(software_bug) ).

* A measure of criticality should understand _as many of the various forms of dependence on software_ that may occur as it can. Dependencies can take many forms, such as:
  * a package manager resolving a dependency
  * a user purchasing a mobile phone with software pre-installed
  * a user visiting a website (react/jquery/etc)
  * etc.

* Criticality should understand if, how, and when dependencies are updated. For example, fixing a bug in Chrome and distributing that fix to 80% of users in 1 week is feasible. Fixing a bug in Bash and distributing that fix to 80% of users in 1 week is not so feasible.