GnuPG and some charts...


David A. Wheeler

We have another project with a passing badge: GnuPG.  Details here:

  https://bestpractices.coreinfrastructure.org/projects/197

That’s an important project that many depend on, so I’m very glad to see it.

We also have a page where you can see some statistics we gather over time:

  https://bestpractices.coreinfrastructure.org/project_stats

This shows line charts of various information over time like the number of total badge entries, badge entries at various % levels, number of new entries, and number of edited projects (the latter one does *not* include new ones).  You can mouseover to see the specific numbers.  We capture the numbers at a fixed time each day, so GnuPG’s 100% isn’t (yet) captured in the graphs.

--- David A. Wheeler

Kevin W. Wall

David,

This is interesting, but as an AppSec practitioner, it doesn't address what I'm most interested in, which is where, how, and why are projects failing.

I think the most interesting statistic would be to look for patterns in the data as to *where / what criteria* the projects coming in at less than 100% (so either failing or still "in progress")? E.g., where are the top-N common places they are failing to meet the criteria. I think that is a very interesting data point the CII badges _might_ help reveal to us. If, say, it turns out that 80% of the submitted projects are failing 2 or 3 common points, that may indicate that those criteria need to be better explained, OR (if that is not perceived to be the problem) it could indicate where we as an application / software security community can get the overall biggest bang for the buck trying to educate the development community. That could give us insight similar to what OWASP Top 10 and SANS Top 25 Programming Errors tell us...it helps the AppSec community know where to better focus our scarce resources.

Thanks for all your effort and time spent on this.

-kevin
Sent from my Droid; please excuse typos.

On Jun 10, 2016 11:14 AM, "Wheeler, David A" <dwheeler@...> wrote:

We have another project with a passing badge: GnuPG.  Details here:

  https://bestpractices.coreinfrastructure.org/projects/197

That’s an important project that many depend on, so I’m very glad to see it.

We also have a page where you can see some statistics we gather over time:

  https://bestpractices.coreinfrastructure.org/project_stats

This shows line charts of various information over time like the number of total badge entries, badge entries at various % levels, number of new entries, and number of edited projects (the latter one does *not* include new ones).  You can mouseover to see the specific numbers.  We capture the numbers at a fixed time each day, so GnuPG’s 100% isn’t (yet) captured in the graphs.

--- David A. Wheeler

_______________________________________________
CII-badges mailing list
CII-badges@...
https://lists.coreinfrastructure.org/mailman/listinfo/cii-badges


David A. Wheeler

Kevin W. Wall:
This is interesting, but as an AppSec practitioner, it doesn't address what I'm most interested in, which is where, how, and why are projects failing.
I think the most interesting statistic would be to look for patterns in the data as to *where / what criteria* the projects coming in at less than 100% (so either failing or still "in progress")? E.g., where are the top-N common places they are failing to meet the criteria. I think that is a very interesting data point the CII badges _might_ help reveal to us. If, say, it turns out that 80% of the submitted projects are failing 2 or 3 common points, that may indicate that those criteria need to be better explained, OR (if that is not perceived to be the problem) it could indicate where we as an application / software security community can get the overall biggest bang for the buck trying to educate the development community. That could give us insight similar to what OWASP Top 10 and SANS Top 25 Programming Errors tell us...it helps the AppSec community know where to better focus our scarce resources.
Thanks for all your effort and time spent on this.
I hope to separately work on that at some point in the future, once we have much more data. But I think it'd be better to have *multiple* eyes take public data & look for patterns - even if I do it, you may notice something I missed.

I *encourage* you to grab the data, analyze it for patterns, and report on what you find. I do request that you announce what you find to the world, if it's potentially interesting, so that others can build on it. You can snag all the current project data as a big JSON file by retrieving <https://bestpractices.coreinfrastructure.org/projects.json> (we may eventually have to paginate that).

--- David A. Wheeler
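The "top-N failing criteria" analysis Kevin asks for, run over the projects.json dump David points at, as an added example that is not part of the thread or of the badge project's own code. It assumes (constructed sample, assumed field names) that each project object carries "badge_percentage_0" and one "<criterion>_status" field per criterion valued "Met", "Unmet" or "?".

```python
import json
from collections import Counter

# Constructed sample in the shape this script assumes for projects.json: a JSON
# array of projects, each with "badge_percentage_0" and one "<criterion>_status"
# field per criterion valued "Met", "Unmet" or "?" (assumed names, not from the thread).
SAMPLE_PROJECTS_JSON = json.dumps([
    {"id": 1, "name": "alpha", "badge_percentage_0": 100,
     "description_good_status": "Met", "crypto_weaknesses_status": "Met",
     "static_analysis_status": "Met"},
    {"id": 2, "name": "beta", "badge_percentage_0": 60,
     "description_good_status": "Met", "crypto_weaknesses_status": "Unmet",
     "static_analysis_status": "?"},
    {"id": 3, "name": "gamma", "badge_percentage_0": 40,
     "description_good_status": "Met", "crypto_weaknesses_status": "Unmet",
     "static_analysis_status": "Unmet"},
    {"id": 4, "name": "delta", "badge_percentage_0": 70,
     "description_good_status": "?", "crypto_weaknesses_status": "Met",
     "static_analysis_status": "Unmet"},
])

def load_projects(text):
    """Parse the projects.json payload (the sample above, or a downloaded copy)."""
    return json.loads(text)

def unmet_criteria_counts(projects, include_unknown=True):
    """Over projects below 100%, count how often each criterion is not Met.
    "?" (not yet answered) counts as not met when include_unknown is True.
    Returns (Counter keyed by criterion, number of incomplete projects)."""
    counts = Counter()
    incomplete = 0
    for project in projects:
        if project.get("badge_percentage_0", 0) >= 100:
            continue  # passing projects say nothing about where others fail
        incomplete += 1
        for key, status in project.items():
            failing = status == "Unmet" or (include_unknown and status == "?")
            if key.endswith("_status") and failing:
                counts[key[:-len("_status")]] += 1
    return counts, incomplete

def top_failing_criteria(projects, n=3, include_unknown=True):
    """Return the n most common failing criteria as (name, count, percent)."""
    counts, incomplete = unmet_criteria_counts(projects, include_unknown)
    if incomplete == 0:
        return []
    return [(name, c, round(100.0 * c / incomplete, 1))
            for name, c in counts.most_common(n)]
```

With the real dump, pass the downloaded file's text to load_projects; the percentages are relative to incomplete projects only, which is the population Kevin's question is about.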