This guide is part of a three-part series. This is part three. Read part one for context and part two for a deep dive into the metrics.
In the last two posts of this series, we introduced the CHAOSS Metrics (Super) Model for Viability. We then covered what exactly comprises that metrics model, and gave brief impressions of why and how those metrics form a whole.
In this guide, we’ll talk about what’s possible with the CHAOSS tools, and how we can assemble a Viability metrics model with them. Namely, we’ll focus on GrimoireLab and Augur.
Consider the table below to see the breakdown of which metric is available in which tool.
Breakdown by Category
| Category | Metric | GrimoireLab | Augur |
| --- | --- | --- | --- |
| Strategy | Programming Language Distribution | Available | Available |
| Strategy | Bus Factor | Available | Available |
| Strategy | Elephant Factor | Available | Available |
| Strategy | Organizational Influence | Available | Available |
| Strategy | Release Frequency | Not Available | Available |
| Community | Clones | Not Available | Not Available |
| Community | Forks | Available | Available |
| Community | Types of Contributions | Not Available | Not Available |
| Community | Change Requests | Available | Not Available |
| Community | Committers | Available | Not Available |
| Community | Change Request Closure Ratio | Available | Available |
| Community | Project Popularity | Available | Available |
| Community | Libyears | Not Available | Available |
| Governance | Issue Label Inclusivity | Available | Available |
| Governance | Documentation Usability | Not Available | Not Available |
| Governance | Time to Close | Available | Available |
| Governance | Change Request Closure Ratio | Available | Available |
| Governance | Project Popularity | Available | Available |
| Governance | Libyears | Not Available | Available |
| Governance | Issue Age | Available | Available |
| Governance | Release Frequency | Not Available | Not Available |
| Compliance / Security | OpenSSF Best Practices | Not Available | Not Available |
| Compliance / Security | License Coverage | Not Available | Available |
| Compliance / Security | OSI Approved Licenses | Not Available | Available |
| Compliance / Security | Licenses Declared | Not Available | Available |
| Compliance / Security | Defect Resolution Duration | Available | Not Available |
| Compliance / Security | Libyears | Not Available | Available |
| Compliance / Security | Upstream Code Dependencies | Not Available | Not Available |
A summary of available CHAOSS metrics and their fit to Viability across GrimoireLab and Augur
Breakdown by Tool
Augur Summary
| Category | Available | Not Available |
| --- | --- | --- |
| Community | 50.00% | 50.00% |
| Compliance / Security | 57.14% | 42.86% |
| Governance | 75.00% | 25.00% |
| Strategy | 100.00% | 0.00% |
| Grand Total | 67.86% | 32.14% |
GrimoireLab Summary
| Category | Available | Not Available |
| --- | --- | --- |
| Community | 62.50% | 37.50% |
| Compliance / Security | 14.29% | 85.71% |
| Governance | 62.50% | 37.50% |
| Strategy | 80.00% | 20.00% |
| Grand Total | 53.57% | 46.43% |
While we can’t get every metric from every service, we can get a good majority of what we need through a mix of GrimoireLab and Augur. We intend to continue building the ability to get this data into services like GrimoireLab and Augur, then update the CHAOSS metrics wiki to reflect how we’ve done it.
Augur provides the most metrics overall for three categories, while GrimoireLab is best for Community metrics. GrimoireLab also provides Sigils, which generates dashboard panels for a good number of the metrics you may want to use. Augur likewise has a visualization tool, supported by Red Hat, that charts the metrics it collects.
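To make that concrete, here is a minimal sketch of pulling one of these numbers out of a GrimoireLab deployment yourself. The index name (`git`), the field names (`author_name`, `grimoire_creation_date`), and the local URL are assumptions based on a default enriched GrimoireLab setup; adjust them to match your deployment and Elasticsearch client version.

```python
# Minimal sketch: count distinct commit authors over the last 90 days from a
# GrimoireLab enriched git index. Index and field names are assumptions based
# on a default GrimoireLab setup; adjust to your deployment.
from elasticsearch import Elasticsearch  # pip install "elasticsearch<8"

es = Elasticsearch("http://localhost:9200")

query = {
    "size": 0,
    "query": {"range": {"grimoire_creation_date": {"gte": "now-90d/d"}}},
    "aggs": {"committers": {"cardinality": {"field": "author_name"}}},
}

result = es.search(index="git", body=query)
print("Active committers (90d):", result["aggregations"]["committers"]["value"])
```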
How Does this Guide My Decisions?
Depending on your use case, you may find different opportunities to use the Viability model. It was originally developed for evaluating open source products, and your thresholds for each model category will vary based on your appetite for risk.
For example:
Organizations starting their journey in governing open source software usually start with Compliance and Security, focusing on vulnerabilities and licensing information to choose their software.
Large companies may consider strategy to be the next-most important. Given that many organizations build software that is in use for years, the importance of the strategy in a project — and indeed who maintains that strategy — can be a critical decision.
Community is important for cutting-edge or newer implementations of technology. While older technology will likely have a less volatile community, where maintainers and the flow of new contributions can be judged over time, a new project may need a stronger community, with more vigilance on its competitors, to ensure that a software stack isn’t abandoned.
Governance is crucial for organizations that intend to engage the open source community, or contribute to a project to shape new functionality. If an organization is willing to commit time and resources to maintaining a project, the Governance of that project becomes important to consider.
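To illustrate how these different postures could be encoded, here is a hypothetical sketch of per-category weights and minimum scores. The category names come from the Viability model; the profile names, weights, thresholds, and the 0-to-1 scoring scale are made up for illustration and are not part of the CHAOSS model.

```python
# Hypothetical illustration of encoding risk appetite as per-category weights
# and minimum scores. Weights, thresholds, and scale are made-up examples.
RISK_PROFILES = {
    # An organization just starting OSS governance: compliance first.
    "getting_started": {
        "Compliance / Security": {"weight": 0.50, "min_score": 0.8},
        "Strategy":              {"weight": 0.20, "min_score": 0.4},
        "Community":             {"weight": 0.15, "min_score": 0.3},
        "Governance":            {"weight": 0.15, "min_score": 0.3},
    },
    # An organization planning to contribute upstream: governance matters more.
    "active_contributor": {
        "Compliance / Security": {"weight": 0.30, "min_score": 0.7},
        "Strategy":              {"weight": 0.20, "min_score": 0.5},
        "Community":             {"weight": 0.20, "min_score": 0.5},
        "Governance":            {"weight": 0.30, "min_score": 0.7},
    },
}

def viable(scores: dict[str, float], profile: str) -> bool:
    """Return True if every category clears its minimum for the chosen profile."""
    thresholds = RISK_PROFILES[profile]
    return all(scores[cat] >= rule["min_score"] for cat, rule in thresholds.items())

print(viable(
    {"Compliance / Security": 0.9, "Strategy": 0.6, "Community": 0.4, "Governance": 0.5},
    "getting_started",
))  # True under this made-up profile
```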
Getting Started
Consult the documentation for GrimoireLab and Augur for more details on how to get started. Based on what your team needs or cares about, consider choosing the tool with the highest coverage, or use both to maximize your results. If you find that I’ve gotten some of these metrics wrong, I’d love to know! Drop by our OSPO working group, the metrics working group, or another channel to publish your contributions!
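If you want to experiment before standing up a full GrimoireLab or Augur instance, Perceval (GrimoireLab’s data-retrieval component) can fetch raw activity data on its own. A minimal sketch, assuming `pip install perceval`; the repository URL and the local mirror path are only examples.

```python
# Minimal sketch: fetch commit metadata with Perceval, GrimoireLab's
# data-retrieval library, and tally commits per author.
from collections import Counter
from perceval.backends.core.git import Git

repo = Git(
    uri="https://github.com/chaoss/grimoirelab-perceval",
    gitpath="/tmp/perceval-mirror",  # local working copy Perceval manages
)

authors = Counter()
for item in repo.fetch():
    authors[item["data"]["Author"]] += 1

for author, commits in authors.most_common(10):
    print(f"{commits:5d}  {author}")
```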
Until then, you can find me on the CHAOSS community Slack as Gary White. Thanks for reading!
In the last post, we gave a background on Viability in Open Source. We covered the motivation, and implementation plan of how we’ll collect and measure metrics about open source that we use or might use at Verizon.
In this post, we will cover the nitty-gritty details of which metrics we’re using in our model, and why they fit together. Rather than covering each metric individually, I’ll summarize what metrics are in each model, and give an overview on why they fit together for a good picture of the model. We’ll also cover the value proposition of metrics that cross between the categories comprising the full model.
What follows is the list of metrics comprising the Viability model, and why they are included:
This is a proxy metric for us to ensure that a project responds to security incidents, and has enough protections in place for us to infer a reliable Compliance and Security strategy.
This allows us to avoid using costly SCA/SAST scanning on every open source project we consider.
We use this to make decisions about the risk of using unlicensed software, or to determine whether our use case for the software is compatible with the license provided.
Knowing we’ve reviewed the implications of each OSI license provides confidence that we understand how to use the software in compliance with those licenses.
We include this metric in the Viability model to ensure that dependencies of a project are also included in any viability evaluation we perform.
It is important to consider an application alongside dependencies it shares to give a full picture of a particular project’s risk portfolio.
“A simple measure of software dependency freshness. It is a single number telling you how up-to-date your dependencies are.”
This metric allows for apples-to-apples comparisons of dependency freshness between projects.
It scales to reflect complex projects with many dependencies, and the risk of using those projects given the maintenance cost hiding behind the scenes.
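To make the libyear idea concrete, here is a minimal sketch of the calculation: for each dependency, take the gap between the release you are using and the newest release, and sum those gaps in years. The dependency names and dates are made up for illustration.

```python
# Minimal sketch of the libyears calculation: for each dependency, the gap
# between the release in use and the latest release, summed in years.
from datetime import date

# (dependency, release date of the version in use, release date of the latest version)
dependencies = [
    ("web-framework", date(2021, 3, 1), date(2024, 2, 15)),
    ("json-parser",   date(2023, 11, 5), date(2024, 1, 20)),
    ("crypto-lib",    date(2019, 6, 30), date(2023, 9, 1)),
]

def libyears(deps):
    return sum((latest - used).days for _, used, latest in deps) / 365.25

print(f"Total drift: {libyears(dependencies):.1f} libyears")
```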
What the metrics mean for Viability
Overall, we use this metrics model to gauge how well both the community and the maintainers consider the security and compliance of their application. We expect to use these indicators to gauge risk. They range from showstoppers like licensing, where a license can be flatly incompatible with our intended use case, through security-centric badges and metrics, to how quickly and regularly a team maintains its dependencies and resolves the defects reported against its application.
Additionally, like in other models, some metrics are very tricky to trace or visualize. We leave a healthy amount of flexibility in how we rank applications against tricky-to-gather metrics, and we recommend that users of our models do the same. For example, much like Defect Resolution Duration, the appetite for how many Libyears is appropriate for a project will always be up to maintainers. Depending on how or where an app may run, and how frequently we can update it, we think about Libyears critically.
Following other metrics and models, Libyears notably contributes to three of our metrics models: Compliance/Security, Governance, and Community. We believe it fits particularly well in Compliance + Security, as it gives an indicator not only of how critically maintainers consider compliance and security in their own project, but also in the projects they depend on.
How long it usually takes for a contribution to the project to make its way to the codebase
Will give us an idea of consistency in the project (median, mean, mode)
This is not to be confused with defect resolution (which we hold to a higher standard)
Other processes may occur alongside opening and closing a PR, for example, but this provides enough of an indicator to be inherently useful to the Governance of a project.
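As a sketch of how those consistency numbers can be derived, the calculation only needs the open and close (or merge) timestamps of each change request. The timestamps below are illustrative rather than pulled from a real project.

```python
# Minimal sketch: summarize how long change requests stay open.
# In practice the timestamps would come from GrimoireLab or Augur data.
from datetime import datetime
from statistics import mean, median

change_requests = [  # (opened, closed/merged)
    (datetime(2024, 1, 2), datetime(2024, 1, 5)),
    (datetime(2024, 1, 10), datetime(2024, 1, 11)),
    (datetime(2024, 2, 1), datetime(2024, 2, 20)),
]

days_open = [(closed - opened).days for opened, closed in change_requests]
print("median:", median(days_open), "days")
print("mean:  ", round(mean(days_open), 1), "days")
```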
Knowing the timing of regular releases, and understanding the frequency and cadence at which we may expect security patches and new features, helps us identify how well our project’s release cadence and strategy fits with potential dependencies.
This is somewhat of a proxy for the LTS / release strategy that may otherwise be available for larger projects.
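A minimal sketch of reading cadence off release history: the gaps between consecutive release dates give the frequency, and their spread gives the consistency. The dates are illustrative.

```python
# Minimal sketch: estimate release cadence from gaps between release dates.
from datetime import date
from statistics import median

releases = [date(2023, 1, 15), date(2023, 4, 2), date(2023, 7, 10), date(2024, 1, 8)]

gaps = [(b - a).days for a, b in zip(releases, releases[1:])]
print("median days between releases:", median(gaps))
```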
“A simple measure of software dependency freshness. It is a single number telling you how up-to-date your dependencies are.”
This metric allows for apples-to-apples comparisons of dependency freshness between projects.
It scales to reflect complex projects with many dependencies, and the risk of using those projects given the maintenance cost hiding behind the scenes.
What the metrics mean for Viability
These metrics are useful to show the intention, or lack of intention, in a project’s Governance. For example, a lack of inclusive labels on issues identifies a gap in welcoming new contributors and in sorting existing contributors into workstreams. The Governance of the project is reflected in turn. The same goes for many of these metrics: the ability to contribute to, understand, or depend on a project is highly coupled to the effort behind its Governance.
This isn’t to say poor Governance metrics indicate that a project is governed by fools. A low Change Request Closure Ratio (CRCR), for example, may simply indicate that there are not as many maintainers to support a contributing community. A lack of new issues could be the result of a recent large release that addresses many recurring issues. For these reasons, it is important to aggregate these metrics not to cast doubt on the maintainers of projects, but only to identify the Governance capacity and effort across projects in a software portfolio.
If some of these metrics feel like they could be strong community metrics, I think they can be. Many of the shared metrics here are a combination of the effort a community has with a project, and the effort of the body governing a project. We think the overlap of shared metrics captures this relationship well, considering the responsibility contributors and maintainers share in creating OSS.
Forks, in our estimation, are normally created to contribute changes back, or to take the project in a new direction within a separate community.
Not all contributions are code: strategy, issues, reviews, events, writing articles, and so on give a strong indication of the maintainers’ ability to grow or continue building a project.
Likewise, if contributions are coming in only as requests, with no code alongside them, we can assume the project doesn’t have active contributors.
Any heavily skewed distribution might tip the scales on whether we should or should not recommend a project as viable.
The volume of regular requests, or the emergence of a pattern of change requests (around holidays, weekends, weekdays) can tell us a lot about a project.
By identifying trends, we can make many educated guesses about the strength, patterns, and sustainability of a project Community.
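As one small example of that pattern-spotting, grouping change request creation dates by weekday can show whether a project runs on volunteer weekends or business hours. The dates below are illustrative.

```python
# Minimal sketch: group change request creation dates by weekday to spot
# contribution patterns (weekend-heavy vs. business-hours projects).
from collections import Counter
from datetime import date

opened = [date(2024, 3, 2), date(2024, 3, 3), date(2024, 3, 9), date(2024, 3, 11)]

by_weekday = Counter(d.strftime("%A") for d in opened)
for day, count in by_weekday.most_common():
    print(f"{day}: {count}")
```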
“A simple measure of software dependency freshness. It is a single number telling you how up-to-date your dependencies are.”
This metric allows for apples-to-apples comparisons of dependency freshness between projects.
It scales to reflect complex projects with many dependencies, and the risk of using those projects given the maintenance cost hiding behind the scenes.
What the metrics mean for Viability
With Community, we seek to understand the “tinkering” that happens with a project, as well as being able to measure the contributions that are made. Clones and forks indicate how many users of software have pulled it to build from source, inspect the source code, submit a contribution, or take the project in a new direction. That flavor of popularity feels meaningful to trace community engagement in a project.
With committer trends, types of contributions, and change requests, we can see how a Community is interacting. Maybe more Markdown RFCs are created than features, maybe vice versa. With an understanding of what types of contributions are made, and how regular they are, we can make a more informed judgment on project viability. As an example: we think it’s reasonable to expect that a project which has shed 90% of its committers in a three-month period is less viable than one with a stable (flat) committer trend. The inverse could indicate a growing or stable project gaining popularity around a particular technology trend. Where some “tinkering” metrics feel micro, other metrics take a macro lens.
By measuring some shared metrics, we give this model an opportunity to be viewed from the perspective of how much the community maintains a project, and how much interest there is generally. We find this distinct from the Governance angle, even with significant overlap, as trends in these metrics are almost never entirely the fault of the community or of the maintainers of a given project. The numbers could be meaningful for either space, so they exist in both models.
The smallest number of committers who together account for 50% of activity over a period.
This helps us understand the risk of using a particular project or set of projects: how much support the project would retain if its top contributors left.
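A minimal sketch of that calculation: sort committers by activity and count how many it takes to cover half of the total. The commit counts are illustrative.

```python
# Minimal sketch of the bus factor: the fewest committers whose combined
# activity covers 50% of the total over a period.
def bus_factor(commits_per_author: dict[str, int], threshold: float = 0.5) -> int:
    total = sum(commits_per_author.values())
    covered, count = 0, 0
    for commits in sorted(commits_per_author.values(), reverse=True):
        covered += commits
        count += 1
        if covered >= total * threshold:
            return count
    return count

print(bus_factor({"alice": 120, "bob": 40, "carol": 25, "dave": 15}))  # -> 1
```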
Organizational Influence measures the amount of control an organization may have in a project. This is an estimate, and an aggregation of several other metrics.
Details in the link, but organizational diversity is one example of a metric that can aggregate to create an imprint of influence.
Knowing the timing of regular releases, and understanding the frequency and cadence at which we may expect security patches and new features, helps us identify how well our project’s release cadence and strategy fits with potential dependencies.
This is somewhat of a proxy for the LTS / release strategy that may otherwise be available for larger projects.
What the metrics mean for Viability
The metrics in this model trace the strategy of, and expected influence from, individuals and organizations. For example, with a bus factor of 1, it’s very possible that burnout or other factors could pull that one person away. With a more resilient count of folks, we are more likely to see a stable and viable maintenance strategy. As a highly regulated and large entity, Verizon considers which other entities might be developing critical infrastructure for our applications. We consider our risk appetite and tolerance in the scope of a project we use, to ensure we don’t rely too heavily on one particular provider. These metrics continue our mission of managing that risk profile.
We share release frequency between Strategy and Governance. This captures the overlap of how the maintainers of a project provide both a governance plan and a maintenance strategy.
Wrap Up
Compliance + Security, Governance, Community, and Strategy. These are the tenets we use for our Viability Metrics (Super) Model. I’m excited to share this model with the broader software community for input and feedback, and to make it better over time. We will share our lessons learned and what practices we find the most effective for maintaining a viable software portfolio as we iterate.
Tune in next time for us to share a guide on OSS viability. We include recommended tools to set up Viability monitoring on projects. If you’d like to connect to talk about this post, join the CHAOSS community slack and find me, Gary White!
This post is part of a three part series. This is part one. Stay tuned to the CHAOSS blog for a deep dive into the metrics around Viability, and a guide on how we can use this model.
Companies who use open source software (so, all of them) have been thinking more and more about bills of materials, vulnerabilities, and license risks. This has especially been encouraged by recent United States efforts regarding Software Bills of Materials (SBOMs). This push is a good opportunity to observe and report on software supply chains. We can all learn a lot from knowing what’s in our software dependencies! The proliferation of SBOMs and of SAST and SCA scanning tools allows users and developers of software everywhere to better understand their risk portfolio. Most people find significant value in using these reports to surface critically important vulnerability and license information.
Choosing and Updating Components
When Verizon, and the OSPO within it, looked through our own SBOMs and assessed which dependencies we should update, we found that common practice sparsely dictates relative priority. Outside of CVEs (with their own criticality ratings) and licensing resolution (usually a hard yes/no from legal teams), barely any industry practice sets a priority for updating dependencies. Old dependencies without any open vulnerabilities are regularly put behind new features and critical breakages. That felt wrong to us. Over time, dependencies that had “never needed updating” find themselves painfully entrenched in our applications. When they do need upgrading, the effort to do so can take dramatic time away from other development. We thought, surely, there has to be a way to identify (and reduce) that risk.
What else should we be looking for in our open source software choices? What guidance can we give to encourage good decisions, not just when maintaining software? Should that guidance be different from when people decide on software to use? Software technologists regularly make decisions about which software they should use in their projects. Rarely is this done with an SCA tool, a SAST tool, or an SBOM. Could we provide tools and metrics to guide decisions? How can we create less risk in our choices, providing more sustainable software infrastructure? From these questions, we set out to develop a model to make sense of the complexity.
More than Vulnerabilities and Licensing
Enter: Viability. Metrics (and metrics models) about open source projects. These provide insight into the Community, Strategy, Governance, and Compliance/Security of open source projects. This series of blog posts will cover the motivation and background, what metrics are included in the model, and finally how we can use those metrics to measure Viability in OSS. Viability is built with metrics detailed by CHAOSS, as CHAOSS has spent a while talking about how to make these metrics serviceable and understandable for technologists across geography and industry focus.
For brevity and focus, Viability is split into four metrics models: Community, Strategy, Governance, and Compliance + Security. The individual value proposition of the metrics per model is best described on their respective pages. The whole includes many metrics, with some overlap per sub-model. We did this so they may be used independently or in concert for a full picture of viable open source projects. We recommend using all of the models together, but mixing and matching them is also expected and appropriate.
The application of these metrics at Verizon allows us to operationalize tasks for choosing and maintaining software. While evaluating dependencies, engineers have a better idea of what parts of an open source project excel, and what may fall short. Depending on the application intended, OSPOs and application teams can decide if the risk is worth taking on a project together.
Viability provides direction on which dependencies should be updated. Instead of lumping old dependencies into a ball of vague “technical debt”, we can estimate the fit of community, strategy, governance, and compliance / licensing against a particular project. We can also approximate the risk of not addressing projects in a way that is quantifiable to stakeholders and useful when reviewing priorities.
Thanks, and come see us!
I’m excited to share this model with everyone; it’s been a while in the making. Be part of the next project, ask questions, and get involved with a CHAOSS working group by dropping into the CHAOSS Slack channel. You can ping me (Gary White!) while you’re there.