Background for bus factor item in OpenSSF Best Practices levels?
bartlettroscoe opened this issue · 3 comments
Hello,
I noticed that bus factor is not even suggested until the SILVER level and not required until the GOLD level (see here). Why is a bus factor > 1 not even recommended for a PASSING badge? Are there a lot of important open-source packages that only have a bus factor of 1 and we don't want to exclude them from getting a PASSING badge?
That's because a vast number of OSS projects are single-person projects. We want single-person projects to take steps to produce secure results, as well as the rarer multi-person projects.
The best data currently available suggests that the majority of OSS projects are single-person projects. E.g.:
It'd be good for more projects to be multi-person projects. But even well-run projects don't always get more contributors.
There's also the problem that getting more people onto a project is generally completely outside a project's control. You can change your process, and you can change your code, but you often can't force other people to work on a project.
@david-a-wheeler, thanks for the info!