Census II lists critical application libraries
The Linux Foundation announced the release of “Census II of Free and Open Source Software – Application Libraries” which identifies over a thousand of the most widely deployed open source application libraries found from analyzes of commercial applications and of business.
This is because this information can be used to decide which open source packages, components, and projects warrant proactive operations and security support.
The original Census project (“Census I”) was conducted in 2015 to identify the Debian Linux distribution software packages that were most critical to the operation and security of a Linux server. According to the Linux Foundation:
The objective of the current study (Census II) is to pick up where Census I left off and identify and measure which open source software is most widely deployed in applications developed by private and public organizations. .
Brian Behlendorf, Executive Director of the Open Source Software Foundation (OpenSSF), a partner in the Census II project, explained:
“Understanding which FOSS packages are most widely used across the company allows us to proactively engage critical projects that warrant operations and security support. Census II provides the foundational details we need to support the most critical and valuable infrastructure in the world.”
Census II was launched in 2018 when the Linux Foundation partnered with Harvard University’s Laboratory for Innovation Science (LISH), with the goal of identifying and measuring which open source software is most widely deployed in applications by private and public organizations. To get as complete a picture as possible of FOSS usage, it analyzed usage data based on software codebase scans across thousands of companies with the aim of uncovering which FOSS packages heavily depend on. private companies.
As results, Census II includes eight lists of the 500 most used FOSS packages. These include different slices of data including versioned/version independent, npm/non-npm package manager, and direct/direct and indirect package calls.
For example, the top 10 version-independent packages available on the npm package manager that have been called directly ranked by usage are:
In its conclusion, the report states:
Far from being the final word on critical FOSS projects, this mapping effort represents the start of a broader dialogue on how to identify vital packages and ensure they receive adequate resources and support. .
The study also identified five high-level outcomes important to the future health and safety of FOSS:
- The need for a standardized naming scheme for software components.
- The complexities associated with package versions.
- Most popular free software is developed by just a handful of contributors.
- The growing importance of individual developer account security.
- The persistence of legacy software in the open source space.
Given the distributed nature of free and open source software, it is only through data sharing, coordination and investment that the value of this essential component of the digital economy will be preserved for generations to come.
Census II of Free and Open Source Software — Application Libraries (pdf)
New Initiative to Take Open Source Software Security Seriously
Taking Open Source Criticality Seriously
Open source insights into the software supply chain
The State of Secure Software Development – Three OpenSSF Courses
or send your comment to: [email protected]