metrics models Archives - CHAOSS

Guide for OSS Viability: A CHAOSS Metric Model

Photo by William Bout on Unsplash

This guide is part of a three-part series; this is part three. Read part one for context and part two for a deep dive into the metrics.

In the last two posts of this series, we introduced the CHAOSS Metrics (Super) Model for Viability, then covered exactly which metrics make up that model and gave brief impressions of why and how they fit together as a whole.

In this guide, we’ll talk about what’s possible with the CHAOSS tools, and how we can assemble a Viability metrics model from them. Namely, we’ll focus on GrimoireLab and Augur.

Consider the chart below to see the breakdown of what is available for which service.

Breakdown by Category

Category | Metric | GrimoireLab | Augur
Strategy | Programming Language Distribution | Available | Available
Strategy | Bus Factor | Available | Available
Strategy | Elephant Factor | Available | Available
Strategy | Organizational Influence | Available | Available
Strategy | Release Frequency | Not Available | Available
Community | Clones | Not Available | Not Available
Community | Forks | Available | Available
Community | Types of Contributions | Not Available | Not Available
Community | Change Requests | Available | Not Available
Community | Committers | Available | Not Available
Community | Change Request Closure Ratio | Available | Available
Community | Project Popularity | Available | Available
Community | Libyears | Not Available | Available
Governance | Issue Label Inclusivity | Available | Available
Governance | Documentation Usability | Not Available | Not Available
Governance | Time to Close | Available | Available
Governance | Change Request Closure Ratio | Available | Available
Governance | Project Popularity | Available | Available
Governance | Libyears | Not Available | Available
Governance | Issue Age | Available | Available
Governance | Release Frequency | Not Available | Not Available
Compliance / Security | OpenSSF Best Practices | Not Available | Not Available
Compliance / Security | License Coverage | Not Available | Available
Compliance / Security | OSI Approved Licenses | Not Available | Available
Compliance / Security | Licenses Declared | Not Available | Available
Compliance / Security | Defect Resolution Duration | Available | Not Available
Compliance / Security | Libyears | Not Available | Available
Compliance / Security | Upstream Code Dependencies | Not Available | Not Available
A summary of available CHAOSS metrics and their fit to Viability across GrimoireLab and Augur

Breakdown by Tool

Augur Summary
Category | Available | Not Available
Community | 50.00% | 50.00%
Compliance / Security | 57.14% | 42.86%
Governance | 75.00% | 25.00%
Strategy | 100.00% | 0.00%
Grand Total | 67.86% | 32.14%

GrimoireLab Summary
Category | Available | Not Available
Community | 62.50% | 37.50%
Compliance / Security | 14.29% | 85.71%
Governance | 62.50% | 37.50%
Strategy | 80.00% | 20.00%
Grand Total | 53.57% | 46.43%
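
If you want to reproduce the summary tables above, or refresh them as tool coverage changes, the tallies reduce to simple counting. Below is a minimal sketch in plain Python, used here only for illustration; the rows are transcribed from the breakdown table in this post, and nothing is queried from either tool.

```python
# Recompute the per-tool coverage summaries from the availability table above.
from collections import defaultdict

# (category, metric, available in GrimoireLab, available in Augur)
ROWS = [
    ("Strategy", "Programming Language Distribution", 1, 1),
    ("Strategy", "Bus Factor", 1, 1),
    ("Strategy", "Elephant Factor", 1, 1),
    ("Strategy", "Organizational Influence", 1, 1),
    ("Strategy", "Release Frequency", 0, 1),
    ("Community", "Clones", 0, 0),
    ("Community", "Forks", 1, 1),
    ("Community", "Types of Contributions", 0, 0),
    ("Community", "Change Requests", 1, 0),
    ("Community", "Committers", 1, 0),
    ("Community", "Change Request Closure Ratio", 1, 1),
    ("Community", "Project Popularity", 1, 1),
    ("Community", "Libyears", 0, 1),
    ("Governance", "Issue Label Inclusivity", 1, 1),
    ("Governance", "Documentation Usability", 0, 0),
    ("Governance", "Time to Close", 1, 1),
    ("Governance", "Change Request Closure Ratio", 1, 1),
    ("Governance", "Project Popularity", 1, 1),
    ("Governance", "Libyears", 0, 1),
    ("Governance", "Issue Age", 1, 1),
    ("Governance", "Release Frequency", 0, 0),
    ("Compliance / Security", "OpenSSF Best Practices", 0, 0),
    ("Compliance / Security", "License Coverage", 0, 1),
    ("Compliance / Security", "OSI Approved Licenses", 0, 1),
    ("Compliance / Security", "Licenses Declared", 0, 1),
    ("Compliance / Security", "Defect Resolution Duration", 1, 0),
    ("Compliance / Security", "Libyears", 0, 1),
    ("Compliance / Security", "Upstream Code Dependencies", 0, 0),
]

def summarize(tool_column):
    """Return {category: [available, total]} for one tool column (0 or 1)."""
    by_category = defaultdict(lambda: [0, 0])
    for category, _metric, grimoirelab, augur in ROWS:
        by_category[category][0] += (grimoirelab, augur)[tool_column]
        by_category[category][1] += 1
    return by_category

for tool, column in (("GrimoireLab", 0), ("Augur", 1)):
    print(f"{tool} summary")
    grand_available = grand_total = 0
    for category, (available, total) in summarize(column).items():
        grand_available += available
        grand_total += total
        print(f"  {category}: {available / total:.2%} available")
    print(f"  Grand Total: {grand_available / grand_total:.2%} available")
```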

While we can’t get every metric from every service, we can get a good majority of what we need through a mix of GrimoireLab and Augur. We intend to continue building the ability to get this data into services like GrimoireLab and Augur, then update the CHAOSS metrics wiki to reflect how we’ve done it.

Augur provides the most metrics overall, leading in three of the four categories, while GrimoireLab is best for Community metrics. GrimoireLab also provides Sigils, which creates dashboard panels for a good number of the metrics you may want to use. Augur likewise has a visualization tool, supported by Red Hat, that charts the metrics it collects.

How Does this Guide My Decisions?

Depending on your use case, you may find different opportunities to use the Viability model. It was originally developed for evaluating open source products before adopting them, and your thresholds for each model category will vary based on how much risk you are willing to assume.

For example:

  • Organizations starting their journey in governing Open Source Software usually begin with Compliance and Security, focusing on vulnerabilities and licensing information to choose their software.
  • Large companies may consider strategy to be the next-most important. Given that many organizations build software that is in use for years, the importance of the strategy in a project — and indeed who maintains that strategy — can be a critical decision.
  • Community is important for cutting-edge or newer implementations of technology. While older technology will likely have a less volatile community, where maintainers and the flow of new contributions can be judged over time, a new project may need a stronger community, with more vigilance on its competitors, to ensure that a software stack isn’t abandoned.
  • Governance is crucial for organizations that intend to engage the open source community or contribute to a project to shape new functionality. If an organization is willing to commit time and resources to maintaining a project, the Governance of that project becomes important to consider.

Getting Started

Consult the documentation of GrimoireLab and Augur for more details on how to get started. Based on what your team needs or cares about, consider choosing the tool that has the highest coverage, or use them both to maximize your results. If you find that some of the metrics I’ve listed here are wrong, or that you can trace ones I’ve marked unavailable, I’d love to know! Drop by our OSPO working group, metrics working group, or somewhere else to publish your contributions!

Until then, you can find me on CHAOSS community slack, as Gary White. Thanks for reading!

Metrics for OSS Viability


In the last post, we gave a background on Viability in Open Source. We covered the motivation and implementation plan for how we’ll collect and measure metrics about open source software that we use or might use at Verizon.

Considering all these metrics together takes a list and a laptop, and maybe a ruler.
Photo by Marissa Grootes on Unsplash

In this post, we will cover the nitty-gritty details of which metrics we’re using in our model, and why they fit together. Rather than covering each metric individually, I’ll summarize what metrics are in each model, and give an overview on why they fit together for a good picture of the model. We’ll also cover the value proposition of metrics that cross between the categories comprising the full model.

What follows is the list of metrics comprising the Viability model, and why they are included:

Compliance + Security

Just for this model:

OpenSSF Best Practices

  • This is a proxy metric for us to ensure that a project responds to security incidents and has enough protections in place for us to infer a generally reliable Compliance and Security strategy.
  • This allows us to avoid using costly SCA/SAST scanning on every open source project we consider.

License Coverage

  • We use this to make decisions about risk of using unlicensed software, or determine if our use case of the software is compatible with the license provided.

Licenses Declared

  • This lets us compare our intended usage and project policy against the policy of our dependencies.

OSI Approved Licenses

  • Knowing we’ve reviewed the implication of each OSI license provides confidence that we understand how to use the software in compliance with those licenses.
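
As a small illustration of how these license metrics get applied in practice, here is a minimal sketch of a license gate: compare a project’s declared licenses against an allow-list your organization has already reviewed. The license identifiers and policy list below are made up for the example.

```python
# Hypothetical license gate: flag declared licenses our policy has not yet reviewed.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}   # hypothetical reviewed allow-list
declared_licenses = {"Apache-2.0", "GPL-3.0-only"}         # hypothetical project declaration

unreviewed = declared_licenses - ALLOWED_LICENSES
if unreviewed:
    print(f"needs legal review: {sorted(unreviewed)}")
else:
    print("all declared licenses are on the reviewed allow-list")
```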

Defect Resolution Duration

  • This metric allows us to consider, apples to apples, radically different response rates to defects when they occur between projects. 
  • Our understanding of this metric across projects and across a suite of dependencies calibrates our risk profile and tolerance.

Upstream Code Dependencies

  • Our intent for this metric in the Viability model is to ensure that the dependencies of a project are also included in any viability evaluation we perform.
  • It is important to consider an application alongside dependencies it shares to give a full picture of a particular project’s risk portfolio.

Shared between models:

Libyears

  • “A simple measure of software dependency freshness. It is a single number telling you how up-to-date your dependencies are.”
  • This metric allows for apples-to-apples comparisons between projects of freshness. 
  • Scales to show complex projects with many dependencies, and the risk associated with using those projects with the massive maintenance cost behind the scenes.
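
To make that “single number” concrete, here is a minimal sketch of the libyear calculation (as defined at libyear.com): for each dependency, measure how far the version in use lags the newest release, in years, and sum the lags. The dependency names and dates below are made up.

```python
from datetime import date

# (dependency, release date of the version in use, release date of the newest version)
DEPENDENCIES = [
    ("libfoo", date(2021, 3, 1), date(2024, 6, 15)),   # hypothetical
    ("libbar", date(2023, 11, 20), date(2024, 1, 5)),  # hypothetical
]

def libyears(deps):
    """Total dependency freshness lag, summed across dependencies, in years."""
    return sum((newest - in_use).days / 365.25 for _name, in_use, newest in deps)

print(f"{libyears(DEPENDENCIES):.2f} libyears behind")
```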

What the metrics mean for Viability

Overall, we use this metrics model to gauge how well both the community and the maintainers of an application consider its security and compliance. We expect to use these indicators to gauge risk. They range from showstoppers like licensing, where a license can be flatly incompatible with our intended use case, through security-centric badges and metrics, to how quickly and regularly a team maintains its dependencies and resolves the defects reported against its application.

Additionally, as in other models, some metrics are very tricky to trace or visualize. We leave a healthy amount of flexibility in how we rank applications against tricky-to-gather metrics, and we recommend that users of our models do the same. For example, much like Defect Resolution Duration, the appetite for how many Libyears are appropriate for a project will always be up to its maintainers. Depending on how or where an app may run, and how frequently we can update it, we think about Libyears critically.

Like a few other metrics, Libyears notably contributes to three of our model categories: Compliance/Security, Governance, and Community. We believe it fits particularly well in Compliance + Security, as it indicates how critically maintainers consider compliance and security not only in their own project, but in the projects they depend on.

Governance

Just for this model:

Issue Label Inclusivity

  • Provides an effective measure of how intentionally issues are labeled and organized
  • Indicates how community skills are applied to project responsibilities.

Documentation Usability

  • Strong, usable documentation is required for contributors and users to engage with a project effectively.
  • Though this can include a lot of manual effort, this is a very important metric to attempt to collect.

Time to Close

  • How long it usually takes for a contribution to the project to make its way to the codebase
  • Will give us an idea of consistency in the project (median, mean, mode)
    • This is not to be confused with defect resolution, which we hold to a higher standard
  • Other processes may occur alongside opening and closing a PR, for example, but this provides enough of an indicator to be inherently useful to the Governance of a project.
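
As a concrete illustration of the consistency idea, here is a minimal sketch that reports the median and mean time to close from a handful of made-up change request timestamps; a real evaluation would pull these from the project’s hosting platform.

```python
from datetime import datetime
from statistics import mean, median

# (opened, closed) timestamps for merged or closed change requests -- hypothetical data
CHANGE_REQUESTS = [
    (datetime(2024, 1, 2), datetime(2024, 1, 5)),
    (datetime(2024, 1, 10), datetime(2024, 2, 1)),
    (datetime(2024, 2, 3), datetime(2024, 2, 4)),
]

durations_days = [(closed - opened).total_seconds() / 86400
                  for opened, closed in CHANGE_REQUESTS]
print(f"median: {median(durations_days):.1f} days, mean: {mean(durations_days):.1f} days")
```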

Issue Age

  • How long questions / suggestions / etc. generally hang around a project.
  • Simple to understand, easy to dive further into by looking at what issues are about.

Shared Between Models:

Change Request Closure Ratio

  • Compare the drift of new requests to their rate of closure. 
  • Gives us an idea of how the project is maintained – or if more maintainers might be needed to keep up with demand for new features.
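
The ratio itself is simple arithmetic; below is a minimal sketch with illustrative counts, assuming you have already counted change requests opened and closed over the same window.

```python
# Change Request Closure Ratio over a trailing window -- counts are illustrative.
opened_last_90_days = 120   # hypothetical
closed_last_90_days = 96    # hypothetical

crcr = closed_last_90_days / opened_last_90_days
print(f"CRCR = {crcr:.2f}")  # below 1.0, open requests accumulate faster than they close
```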

Project Popularity

  • Aggregate of other smaller metrics one might expect to find in a cursory glance over a project landing page. 
  • Likes, stars, badges, forks, clones, downstream dependencies, mentions on social media, and more.

Release Frequency

  • Knowing the timing of regular releases, and understanding the frequency and cadence at which we may expect security patches and new features, identifies how well a potential dependency’s release cadence and strategy fits with our own.
  • This is somewhat a proxy for LTS / release strategy that may otherwise be available for larger projects.
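
One simple way to quantify cadence is the median gap between consecutive releases; here is a minimal sketch with made-up release dates.

```python
from datetime import date
from statistics import median

# Release dates, oldest first -- hypothetical project
releases = [date(2023, 1, 15), date(2023, 4, 2), date(2023, 7, 20), date(2023, 11, 1)]
gaps = [(later - earlier).days for earlier, later in zip(releases, releases[1:])]
print(f"median days between releases: {median(gaps)}")
```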

Libyears

  • “A simple measure of software dependency freshness. It is a single number telling you how up-to-date your dependencies are.”
  • This metric allows for apples-to-apples comparisons between projects of freshness. 
  • Scales to show complex projects with many dependencies, and the risk associated with using those projects with the massive maintenance cost behind the scenes.

What the metrics mean for Viability

These metrics are useful to show the intention, or lack of intention, in a project’s Governance. For example, if there’s a lack of inclusive labels on issues, it identifies a gap in welcoming new contributors and sorting existing contributors into workstreams. The Governance of the project is reflected in turn. The same goes for many of these metrics: the ability to contribute to, understand, or depend on a project is highly coupled to the effort behind its Governance.

This isn’t to say poor Governance metrics indicate that a project is governed by fools. A low Change Request Closure Ratio, for example, may simply indicate that there are not enough maintainers to support a contributing community. A lack of new issues could be the result of a recent large release that addresses many recurring issues. We aggregate these metrics not to cast doubt on the maintainers of projects, but to identify the Governance capacity and effort across projects in a software portfolio.

If some of these metrics feel like they could be strong community metrics, I think they can be. Many of the shared metrics here are a combination of the effort a community has with a project, and the effort of the body governing a project. We think the overlap of shared metrics captures this relationship well, considering the responsibility contributors and maintainers share in creating OSS.

Community

Just for this model:

Clones

  • How many times a project has been pulled from a repository into a local machine. 
  • Indicator of how many people are using or evaluating the project.

Technical Forks

  • How many forks have been made of a given project.
  • Forks, in our estimation, are normally made either to prepare contributions back to the project or to take it in a new direction within a separate community.

Types of Contributions

  • Not all contributions are code: strategy, issues, reviews, events, writing articles, and more give a strong indication of the maintainers’ ability to grow or continue building a project.
    • Likewise, if contributions are coming in only as requests, with no code alongside them, we can assume the project doesn’t have active contributors.
    • Any heavily skewed distribution of contribution types might tip the scales on whether we should or should not recommend a project as viable.

Change Requests

  • The volume of regular requests, or the emergence of a pattern of change requests (around holidays, weekends, weekdays) can tell us a lot about a project. 
  • By identifying trends, we can make many educated guesses about the strength, patterns, and sustainability of a project Community.

Committers

  • We don’t say “no project under x committers is viable”, because raw committer counts and viability are not directly related.
    • Instead, we care about committer trends.

Shared Between Models:

Change Request Closure Ratio

  • Compare the drift of new requests to their rate of closure. 
  • Can help indicate a cooling or heating contribution community by monitoring merged community requests.

Project Popularity

  • Aggregate of other smaller metrics one might expect to find in a cursory glance over a project landing page. 
  • Likes, stars, badges, forks, clones, downstream dependencies, mentions on social media, and more.

Libyears

  • “A simple measure of software dependency freshness. It is a single number telling you how up-to-date your dependencies are.”
  • This metric allows for apples-to-apples comparisons between projects of freshness. 
  • Scales to show complex projects with many dependencies, and the risk associated with using those projects with the massive maintenance cost behind the scenes.

What the metrics mean for Viability

With Community, we seek to understand the “tinkering” that happens with a project, as well as being able to measure the contributions that are made. Clones and forks indicate how many users of software have pulled it to build from source, inspect the source code, submit a contribution, or take the project in a new direction. That flavor of popularity feels meaningful to trace community engagement in a project. 

With committer trends, types of contributions, and change requests, we can see how a Community is interacting. Maybe more markdown RFCs are created than features, maybe vice-versa. With an understanding of what types of contributions are made, and how regular they are, we can make a more informed judgment on project viability. As an example, we think it’s reasonable to expect that a project which has shed 90% of its committers in a three-month period is less viable than one with a stable (flat) committer trend. The inverse could indicate a growing or stable project gaining popularity around a particular technology trend. Where some “tinkering” metrics feel micro, other metrics take a macro lens.

By measuring some shared metrics, we give this model an opportunity to be viewed from the perspective of how much the community maintains a project, and how much interest there is generally. We find this distinct from the Governance angle, even with significant overlap, as trends in these metrics are almost never entirely the fault of the community or of the maintainers of a given project. The numbers could be meaningful for either space, so they exist in both models.

Strategy

Just for this model:

Programming Language Distribution

  • We have strong opinions on which languages are viable at Verizon.
    • Many companies have similar standards and expectations – or normally center around a particular language. 
  • Languages we don’t support or use are a strong signal against a project’s viability for us.

Bus Factor

  • A count of the fewest number of committers that comprise 50% of activity over a period. 
  • This helps us understand the risk of using a particular project or set of projects: how much support the project would retain if its top contributors left.

Elephant Factor

  • Elephant factor is a lot like bus factor – but it counts the fewest “entities” that comprise 50% of activity on a project. 
  • We use this to infer the influence companies have on a project, or how detrimental it would be if that company shifted priority.
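
Both factors reduce to the same cumulative-share calculation; only the grouping changes. Below is a minimal sketch with made-up commit counts, using the committer’s email domain as a rough stand-in for their organization (real evaluations would use better affiliation data).

```python
from collections import Counter

# Commit counts per author over a period -- hypothetical data
commits_by_author = Counter({
    "alice@bigco.com": 300, "bob@bigco.com": 180, "carol@example.org": 90,
    "dave@selfhosted.dev": 60, "erin@bigco.com": 50,
})

def smallest_group_covering_half(counts):
    """Fewest entities whose cumulative activity reaches 50% of the total."""
    total = sum(counts.values())
    covered = 0
    for n, (_entity, count) in enumerate(counts.most_common(), start=1):
        covered += count
        if covered * 2 >= total:
            return n
    return len(counts)

bus_factor = smallest_group_covering_half(commits_by_author)

# Elephant Factor: fold authors into "entities" by email domain as a rough org proxy.
commits_by_org = Counter()
for author, count in commits_by_author.items():
    commits_by_org[author.split("@")[1]] += count
elephant_factor = smallest_group_covering_half(commits_by_org)

print(f"bus factor = {bus_factor}, elephant factor = {elephant_factor}")
```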

Organizational Influence

  • Organizational Influence measures the amount of control an organization may have in a project. This is an estimate, and an aggregation of several other metrics. 
  • Details in the link, but organizational diversity is one example of a metric that can aggregate to create an imprint of influence. 

Shared Between Models:

Release Frequency

  • Knowing the timing of regular releases, and understanding the frequency and cadence at which we may expect security patches and new features, identifies how well a potential dependency’s release cadence and strategy fits with our own.
  • This is somewhat a proxy for LTS / release strategy that may otherwise be available for larger projects.

What the metrics mean for Viability

The metrics in this model trace the strategy of a project and the expected influence of individuals and organizations on it. For example, with a bus factor of 1, it’s very possible that burnout or other factors could pull that one person away. With a more resilient count of contributors, we are more likely to see a stable and viable maintenance strategy. As a highly regulated and large entity, Verizon considers which other entities might be developing critical infrastructure for our applications. We consider our risk appetite and tolerance in the scope of a project we use, to ensure we don’t rely too heavily on one particular provider. These metrics continue our mission of managing that risk profile.

We share release frequency between Strategy and Governance. This captures the overlap between how the maintainers of a project provide both a governance plan and a maintenance strategy.

Wrap Up

Compliance + Security, Governance, Community, and Strategy. These are the tenets we use for our Viability Metrics (Super) Model. I’m excited to share this model with the broader software community for input and feedback, and to make it better over time. We will share our lessons learned and what practices we find the most effective for maintaining a viable software portfolio as we iterate.

Tune in next time for us to share a guide on OSS viability. We include recommended tools to set up Viability monitoring on projects. If you’d like to connect to talk about this post, join the CHAOSS community slack and find me, Gary White!

 


Demonstrating OSPO Value and How CHAOSS Can Help


Recently, I’ve been thinking about how Open Source Program Offices (OSPOs) can demonstrate value within their organizations and how CHAOSS metrics and software can help. As a result, I’ve given presentations, had discussions on a podcast, and wrote a blog post about this topic. I wanted to write a summary blog post here to highlight the work in one place while tying some of those conversations together into a broader narrative.

I recently attended OSPOlogy Live in Frankfurt, which had presentations and engaging roundtable discussions about a wide variety of topics relevant for OSPOs. My presentation was about Getting More Value from your OSPO, and I talked about how OSPOs can take a more strategic approach by fostering alignment between individual contributors, business unit leadership, and the communities where employees contribute. The presentation also spent quite a bit of time on how an OSPO can demonstrate value toward accomplishing the overall goals of an organization while using metrics to make improvements and demonstrate success toward meeting those goals. Sean Goggins presented on the topic of Selecting the Right Collections of Sustainability Metrics with a focus on how OSPOs can be data providers that can help an organization make sense out of the mountains of data generated by open source software. CHAOSS Metrics Models help OSPOs focus on collections of meaningful data to create something that provides insight and wisdom about their open source efforts. Ulrike Fempel from SAP’s OSPO wrote a great wrap-up of the Frankfurt edition of OSPOlogy Live if you’d like more details. If you haven’t already attended an OSPOlogy Live event, it’s a great place to discuss challenges and solutions with your OSPO peers!

Building on my presentation about showing the value of an OSPO and Sean’s talk about metrics models as collections of metrics, I wrote a blog post about Measuring Open Source Project Health for Opensource.net that focused mostly on the CHAOSS Starter Project Health Metrics Model. OSPOs can be overwhelmed by the mountains of data and metrics available to understand open source projects, so this blog post and metrics model are designed to help new OSPOs (or ones new to metrics) get started with a few relatively easy metrics. Not only are these metrics relatively easy to gather, they also make it easy to understand how to take action on the data to make meaningful improvements to the health of open source projects. The goal is to get OSPOs started on their journey into using data to learn and improve with the idea that they can expand on this and start measuring other things that matter to an OSPO.

Another thing that OSPOs care deeply about is the long-term viability of the open source projects that their organizations rely on for infrastructure along with the products and services that they deliver to their customers. It ultimately comes down to a complex assessment of risk vs. reward across many dimensions, including security, community, and governance, just to name a few. We recently released a podcast about Open Source Software Viability and Project Selection where Matt Germonprez, Sophia Vargas (Google), Gary White (Verizon), and I talked in depth about how to assess viability and some of the metrics used in those assessments. Gary is also working on publishing some metrics models and blog posts, so watch this space to learn more about measuring open source software viability.

If you are interested in learning more, we have an OSPO Working Group within the CHAOSS project that we have jointly with the TODO Group. We meet every other Thursday and have Slack channels both within the CHAOSS Slack and TODO Group Slack workspaces if you want to join in these discussions or ask questions.

Photo by patricia serna on Unsplash.

Explore Compass Lab and CHAOSS Metrics Models


The following is a blog post from our friends in the OSS Compass Project. OSS Compass is a SaaS solution, hosted in China, that is built from CHAOSS GrimoireLab software and deploys CHAOSS metrics and metrics models. There is also a video demonstrating how Compass Lab works from our August 29, 2023, CHAOSS Metrics Models meeting. You can check out that video here.


Explore Compass Lab, Making it easy to create an open source project evaluation model!

Hi, open source adventurers! Today, I’m here to introduce the latest marvel from the open source realm – the new darling of the OSS Compass (hereinafter referred to as “Compass”) world! Yes, you heard it right. It’s our new SaaS service – Compass Lab! Wait, you haven’t heard about it yet? Don’t worry, let me explain it all to you step by step. I promise it will leave you dazzled and excited!

In the world of open source, countless projects emerge every day. However, accurately measuring the health of an open source project remains a vexing challenge. Luckily, we have Compass, which is like a health check doctor for open source projects. And recently, a new member has joined – Compass Lab!

01🌟 What is Compass Lab?

Compass Lab is an incubator for open source community evaluation metric models. It might sound sophisticated, but it’s essentially a “health evaluation center” that provides a comprehensive checkup for open source projects. This evaluation center not only offers data but also serves as a platform filled with fun and creativity.

Compass Lab gathers an enormous amount of data from over 20,000 open source projects, offering more than 200 project categories and over 100 evaluation metrics. This means you can conduct an all-encompassing health assessment for a project – the possibilities are endless! You can select different evaluation metrics and datasets based on your needs, making it a paradise for assessment enthusiasts!

02🚀 How to “play” with Compass Lab?

It’s actually quite simple! First, you need to approach it with a curious mindset. Then, register and log in to the SaaS service platform of Compass Lab, where you’ll discover a fascinating world. You can choose existing evaluation models or customize one based on your interests.

➤General Steps to Create a Model

1. Open the model creation page:

On the Compass official website, locate the model creation area on the right side of the Lab page and click “Create a model now”, or use the “Create a model” button at the top.

2. Fill in basic information:

Provide basic model information, such as ecosystem dimension, model name, applicable industry, and whether it’s public or private.

3. Select datasets:

Choose a dataset from the 200+ datasets that suits your needs, offering flexibility for various domains.

4. Choose evaluation metrics:

Select the metrics you care about from the 100+ metrics provided by CHAOSS and Compass, categorized by code, issues, pull requests, repositories, contributors, etc. And confirm your selection.

5. Adjust weights and thresholds:

Next, modify weight values in the percentage input box or drag the slider to adjust weights (default is rightward only). Revise thresholds in the right input box (ensuring the values stay within the provided range). This process is similar to customizing your own pizza, adding toppings according to your taste!

6. Choose algorithms:

Currently, we only support the default algorithm (as shown below), but don’t worry, it’s a remarkable algorithm crafted by the expert Rob Pike himself! For an in-depth understanding of this algorithm, refer to our previously released article “OSS Compass Scoring System Switch: Watch Algorithms Transforming into Magic!” If you have more thoughts on algorithms, join the Compass Slack channel to discuss with fellow open source adventurers.

7. Publish the model:

After confirming all the information, click “save” to publish the model.

Next, let data and creativity collide here to create your own project health model!
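
Step 5 above is where weights and thresholds shape the final score. Compass applies its own default algorithm (see the linked article), so purely as a toy illustration of how such values might combine, here is a hypothetical weighted-threshold sketch; the metric names, weights, and thresholds are invented, and this is not Compass Lab’s actual implementation.

```python
# Toy weighted-threshold score -- NOT Compass Lab's default algorithm.
metrics = {
    # name: (observed value, normalization threshold, weight) -- all hypothetical
    "code_commit_frequency":     (8.0, 10.0, 0.4),
    "contributor_count":         (35,  50,   0.4),
    "issue_first_response_days": (2.0, 7.0,  0.2),   # lower is better, inverted below
}

score = 0.0
for name, (value, threshold, weight) in metrics.items():
    normalized = min(value / threshold, 1.0)
    if name == "issue_first_response_days":  # invert "lower is better" metrics
        normalized = 1.0 - normalized
    score += weight * normalized

print(f"illustrative model score: {score:.2f} on a 0-1 scale")
```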

03🌈 Your creativity finds a home here: creating an LLMs projects evaluation model!

Compass Lab not only offers general project evaluation models but also provides a special space for developers with unique ideas. If you have an extraordinary open source project and want to assign it a health score, this is the place for you! Here, you can customize an evaluation model for your project, allowing your creativity to soar!

For example, if you’re interested in open source LLMs projects or have your own open source LLMs project, you can create an evaluation model for it:

➤Steps for creating an LLMs projects evaluation model

1. Give your model a catchy name:

Besides naming, remember to choose whether it’s for a general or specific domain and whether you’re willing to make the model public.

2. Select datasets:

Choose projects under the categories of open source LLMs and open source LLMs tools to facilitate cross-category comparisons. (Our dataset is continuously expanding!)

3. Choose metrics and adjust weights and thresholds:

Select appropriate metrics based on the characteristics of open source LLMs projects, such as organization count, code commit frequency, ongoing contributions, etc. 

Adjust weights and thresholds for each metric following the previously demonstrated steps.

Then, click “save” and the model is created.

4. Analyze and view assessment results:

Click “Analyze” and wait for it to complete – then you can view the assessment report.

5. Add comments:

In addition, we’ve added a comment feature to the dashboard page. Click the comment button in the upper right corner to share your thoughts.

6. Invite friends to collaborate:

You can also invite friends to collaborate and help you create a more perfect model. Just click “Member” on the model page, set collaboration permissions, and send invitations!

04🌟 Explore limitless fun in the open source world, all in Compass!

Through today’s introduction, I believe you now have a deeper understanding of Compass Lab. Here, you can not only explore various dimensions of open source projects but also customize evaluation models for your own ideas, combining creativity and data. This “evaluation playground” in the open source world awaits your participation! 

If you haven’t experienced Compass Lab yet, take action now! Refer to the operation demonstration below and create your own evaluation model! Let’s explore the boundless fun of the open source world together, and unravel the mysteries of data!

Remember to stay tuned for more interesting tech news and creative activities. Until next time, let’s embark on an infinite journey of open source creativity together!

Join OSS Compass Community

In the future, OSS Compass will continue to evolve and give back to the broader user base, providing greater convenience for open source project evaluation and assisting in the healthy and sustainable development of open source communities.

We look forward to more developers joining the OSS Compass community and contributing to its development. At the same time, we welcome users to continue using Compass SaaS services and providing feedback, continuously powering the enhancement of OSS Compass’s capabilities.

https://join.slack.com/t/oss-compass/shared_invite/zt-1ttt9sv5h-8E~oPP6VJqm8ero5qH9LlA