
Cost-benefit analysis #2627

Open
mattip opened this issue Jan 31, 2023 · 4 comments
Labels
kind/enhancement New feature or request Stale

Comments

@mattip

mattip commented Jan 31, 2023

NumPy recently received a PR numpy/numpy#23131 to add various checks and changes, based on a step-security-bot. The recommendations here were used as reasons to add the requested checks and changes. Do you have any connection to that service?

Does the ossf do a cost-benefit analysis of the suggestions? Maybe alongside the recommendations you could state what the expected maintainer burden might be. I find the static analysis tools particularly costly. Especially in a world of volunteer contributors, asking them to service automated scans and third-party tools can become quite burdensome.

@evverx
Contributor

evverx commented Feb 18, 2023

Does the ossf do a cost-benefit analysis of the suggestions?

I don't think it does. If anything scorecard appears to be fine with wasting maintainers' time. For example instead of using sensible defaults it appears to prefer another approach where maintainers have to explain their reasoning: #1907 (comment). My understanding is that the idea behind scorecard is to make it easier for consumers to evaluate their open-source dependencies and to that end it tries to push as much stuff as possible to upstream projects (whether it makes any sense or not). Up until some point it was possible to ignore that but then semi-automated PRs suggesting questionable changes kicked in: #1907 (comment). All in all I think it would be really great if the scorecard project could start doing some sort of cost-benefit analysis.

Do you have any connection to that service?

I've been trying to figure that out too: systemd/systemd#25205 (comment) and got some sort of cease and desist in the process.

@evverx
Contributor

evverx commented Feb 21, 2023

Does the ossf do a cost-benefit analysis of the suggestions?

I don't think it does.

To be fair I'm actually subscribed to a bunch of SBOM-related issues (mostly to figure out how far "consumers" are willing to go to shift their responsibilities to upstream projects) and I've just seen a comment where the idea of generating SBOMs upstream was questioned in terms of the usability implications for maintainers so it seems my comment wasn't entirely accurate and those questions are actually raised sometimes. I don't know where that conversation will go but that's good to know that it's discussed at least.

@github-actions

Stale issue message - this issue will be closed in 7 days

@github-actions github-actions bot closed this as not planned (stale) Sep 25, 2023

This issue is stale because it has been open for 60 days with no activity.
