Hi,
On Feb/12/2021, Sylvain Beucler wrote:
> Hi,
>
> On 12/02/2021 01:17, Carles Pina i Estany wrote:
> > When I was discussing this with a friend I had thought if Debian could
> > make available and visible for the users some metrics, contextualised in
> > similar (per functionality) packages:
> >
> > - popularity
> > - number of recent updates in upstream
> > - number of contributors
> > - usage of version control system
> > - test coverage
> > - continuous integration
> > - upstream activity (issues, PRs, etc. with more the better; GitHub or
> >   similar places stars, forks, etc?)
> > - translations? (the more, the more popular the software is?)
> > - warnings from the compilers?
> > - static code analyser?
> > - documentation?
> > - CVEs?
>
> Almost none of these relate to software _security_.

You are right, I was thinking of software quality, hoping that security would come along in the majority of cases.

> Let's keep in mind that active/popular software are often the ones
> with the earlier Time-To-Market, at the expense of security (check the
> history of PHP or Docker for instance).

Yep, in a number of items in my list I realise that it seems more like a popularity contest (it wasn't what I was thinking, and Popularity Contest might be enough for this).

I've read Paul Wise's email in this thread and I'll follow the links and project. I was thinking of something along those lines, but to give information to the final users. I'm interested in the checks that are already included there and seeing if they match the checks that I do when choosing software.

We all decide to use A over B (e.g. to use the pwgen password generator instead of one of the other at least 5 similar ones in Debian; or to use the geeqie image viewer instead of another one...) and having more information when choosing software might help in making better-informed decisions. Perhaps it's not even about software quality but something more general.

Since my thoughts about metrics to help in deciding on packages are probably off-topic here, I'll move my thoughts to a better venue.

Cheers, thanks for answering!

--
Carles Pina i Estany
https://carles.pina.cat