This repository was archived by the owner on Jul 6, 2024. It is now read-only.
There are many projects which visualize some metrics. The only currently documented (design.md) metric, for example, is available by GitHub or OpenHub or Chaoss. I don't want to spoil the fun, but is there a real justification for yet another project? (And it might need to be coordinated with the tools project and the CII badge successor infrastructure work (if there is any yet?).)
Apologies if I missed the discussion about reasoning, I haven't seen much in the meeting minutes about it.
If this is only about tooling, it's probably better to start with a smaller footprint, like a CLI command to look up the commit count?
@ecki This is a good question -- there have been some good dashboard projects over the past few years covering different areas, but when we started talking about this nearly a year ago, there was reasonable consensus that our vision needed something a little different.
I think I can speak for the working group when I describe the vision we have as follows: We want to provide a way for stakeholders (developers, security researchers, etc.) to quickly understand the security posture of any open source project. We think this needs to include both process information (i.e. how is the project developed/maintained?) as well as implementation signals (i.e. what does the code actually do?). We want to leverage existing tools and services, but add to that expert opinions -- for example, we think that knowing that a security researcher has reviewed component X and found it to be safe, would be of high value.
Having "our own" dashboard also gives us an opportunity to experiment, learn, and iterate. I've added a design document to the wiki, and below is a screenshot of an early PoC.
Our next meeting is on January 6th -- we'd love to have you join the conversation!