Re: Support for insecure applications


On 12/02/2021 01:17, Carles Pina i Estany wrote:
When I was discussing this with a friend I had thought if Debian could
make available and visible for the users some metrics, contextualised in
similar (per functionality) packages:

-number of recent updates in upstream
-number of contributors
-usage of version control system
-test coverage
-continuous integration
-upstream activity (issues, PRs, etc., the more the better; GitHub or
similar places' stars, forks, etc.?)
-translations? (the more, the more popular the software is?)
-warnings from the compilers?
-static code analyser?

Almost none of these relate to software _security_.
Let's keep in mind that active/popular software are often the ones with the earlier Time-To-Market, at the expense of security (check the history of PHP or Docker for instance).

Also beware that "automated" ranking usually ends up pretty biased as well, e.g. social media's "algorithms" (or SourceForge's front-page projects some years ago).
