What does HackerNews think of criticality_score?
Gives criticality score for an open source project
> Generate a criticality score for every open source project. Create a list of critical projects that the open source community depends on. Use this data to proactively improve the security posture of these critical projects ... A project's criticality score defines the influence and importance of a project. It is a number between 0 (least-critical) and 1 (most-critical). It is based on the following algorithm by Rob Pike..
Top 20 projects, based on "criticality score" algo output, you can run the script on your favorite OSS project:
> node, kubernetes, rust, spark, nixpkgs, cmsSW, tensorflow, symfony, DefinitelyTyped, git, azure-docs, magento2, rails, ansible, pytorch, PrestaShop, framework, ceph, php-src, linux
Here's a non-exhaustive list: Security Scorecards (https://github.com/ossf/scorecard): auto-generated security checks for OSS, Criticality Score (https://github.com/ossf/criticality_score): auto-generated criticality score for OSS, Package Feeds (https://github.com/ossf/package-feeds): watches package registries for updates, malware analysis tools, SLSA (https://github.com/slsa-framework/slsa): proposal for a supply chain integrity framework, Sigstore/Cosign (https://sigstore.dev/): code signing made easy!
We are also investing and exploring different efforts for improving security of critical OSS projects, and making it sustainable! If any of these projects sound interesting, come join us in the OpenSSF Working Groups!
*edited formatting
For example, it counts the number of issues as determining criticality. If there is any kind of money attached to this score (now or in the future), obviously this is going to encourage people to introduce more bugs into their projects.