So um, hi, my name is Nathan Naveen and I'm here to speak about securing open source with OpenSSF Criticality Score. So let me first introduce myself. I'm a tenth grader. I love to solve algorithms and have solved over a thousand LeetCode problems. I enjoy competing in coding competitions, I contribute to open source, and I'm a jiu-jitsu practitioner.

Okay, so before we dive into the demo, let me give you a quick overview of what Criticality Score does. To do this, let's take an analogy of ordering a pizza. In this analogy we can only afford to add one topping, but we want to pick the topping that's the worst for our health, because we're away from home at a conference and just want to indulge. So we can mathematically calculate the badness of each topping using factors like fat, sodium and carbs, and then assign weights to each of these factors. For instance, if I have high cholesterol then fat might be worse for me than carbs, so fat will get a higher weight. We can then combine the weights and nutritional information using an algorithm to calculate the score of each topping. We can use the score to find out which topping is the worst. So in this analogy none of these values are real, and the Criticality Score algorithm isn't just multiplying two values together.

Let me transition to an example repo instead of the analogy. I used the analogy to give a quick overview of what Criticality Score does. So Criticality Score functions similarly to our analogy, except our goal isn't to pass out after dinner. We give Criticality Score data such as the contributor count, commit frequency and number of closed issues, and then assign weights to each of these values. We then use an algorithm developed by Rob Pike to calculate a score for your dependencies. This score provides insight into a project's significance and helps you determine how many resources to allocate to it. So this is an example repo, and I'll explain how it works in a few slides.

So Criticality Score uses signals to calculate the score of your dependencies. For example, when was the last update? What's the contributor count, and how many closed issues are there? Going back to our analogy, signals are factors like fat and carbs. So what are weights? In our analogy we said that weights are how much we value a factor like fat and carbs. In Criticality Score, weights are how much we value a signal. For example, if the weight of the number of contributors is equal to two and the weight of the number of organizations is equal to one, we value the number of contributors more than the number of organizations contributing to a specific repo.

So the Criticality Score algorithm developed by Rob Pike may look a little daunting, so I've got this slide to help simplify and explain it. The Criticality Score algorithm has got three variables, a_i, s_i and t_i. a_i is the weight of the i-th signal, s_i is the value of the i-th signal and t_i is the threshold of the i-th signal. By threshold I mean the maximum value that the signal can take.

So before we start explaining the algorithm, let me give you a quick explanation of summation. Summation is the process of adding the results of a given function over a range of numbers. In this example we've got the function f(n) = n and the range of numbers 1 through 20, so we evaluate our function for each number in that range to get 1 plus 2 plus 3 all the way to 20.

So okay, back to the algorithm. We can first simplify it a little bit and then substitute x_i in for log(1 + s_i) / log(1 + max(s_i, t_i)). Now our equation looks similar to a weighted arithmetic mean. A weighted arithmetic mean is basically a better way to calculate an average than just a regular arithmetic mean. We're calculating the average of x_i with the weight being a_i. On the following slide I'm going to show an example of this in use, and it's going to use a simplified version of the Criticality Score equation: the summation of z_i over the summation of a_i, with z_i equaling a_i times x_i.

So as I said before, I'm going to explain this example repo. It's the same example repo, except now I've added a threshold to each signal so that we can use the Criticality Score algorithm on it. And as I said on the previous slide, I'm going to be explaining it using the equation the summation of z_i over the summation of a_i, with z_i equaling a_i times x_i. Since we only have two signals, contributor count and commit frequency, i can only equal zero and one. So the summation of z_i over the summation of a_i is basically equal to z_0 plus z_1 over a_0 plus a_1. To solve this we can start off by solving for z_0. We can substitute two in for a_0, two hundred in for s_0 and five thousand in for t_0 to get z_0 equaling 1.2452. We can do something similar for z_1 to get z_1 equaling 0.497. Now that we know z_0, z_1, a_0 and a_1, we can get our Criticality Score of 0.5807.

Okay, enough explaining, on to the demo. In this demo we're going to calculate the Criticality Score of all dependencies of some OpenSSF repos. We're gonna first calculate the score with default weights and then calculate the score with modified weights and compare them. So first we can get all the dependencies and then parse them as GitHub repo URLs. So basically anything after the repo name, like file names, folder names, version numbers, can go for a toss. In this demo I'm going to be storing all of these in a file called parser.txt. We can then run Criticality Score on parser.txt to get our signal data. We can then run the scorer on the signal data with default weights to get our most and least critical projects. Then we can do something similar to get modified weights: we can run the scorer on the same signal data, but this time with modified weights. In this demo I've changed the commit frequency weight from one to ten. With the original weights our most critical projects have scores of 0.83 and 0.80, while with the modified weights our most critical projects have scores of 0.69 and 0.66. This is a huge difference. In the end, anyone can calculate the Criticality Score of a project and use their own weights to do it. If you'd like to learn more about me, hit up this QR code. Thank you. It's a lightning talk.

Wait, do I have... can I ask questions? I mean, can I... yeah.

So a question for you. You mentioned it was easy to use your own weights. Is it also easy to use your own bits of GitHub data? For example, can I mute the organization part if all I'm looking at are repositories from my own organization? So I'm looking at the criticality data, and you're looking at it for sort of everything, right, to see the most critical things.

Yeah, anywhere.

But if I want to only look at what's most critical within my own set of repositories that I own, am I able to easily sort of turn off some of the fields as being important?

So I think you can calculate it with just... you can just calculate with certain weights. So as I said before, so I can zero a weight. Yeah, um, good point, like you can just calculate with certain signals. So in this demo, like this example repo, I've just calculated with two signals. You can just basically delete some of the signals for your repository and, I guess, calculate with just those signals.

Sweet. Thank you.

Okay. I guess, any other questions?

Yes. How are those weights chosen, out of curiosity?

So weights are subjective, like it's up to you. If you value the number of contributors more than the number of organizations, the number of contributors will get a higher weight than the number of organizations for you. The score is determined by what you value and how much. So there are default weights, but you can edit the weights to your preferences. Anything else? Okay. Well, thank you.
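The algorithm the talk walks through, the weighted mean of log(1 + s_i) / log(1 + max(s_i, t_i)) terms, written out as an added Python example. This is not code from the talk or from the ossf/criticality_score project; it reproduces the talk's example repo (contributor count with weight 2, value 200, threshold 5000, giving z_0 ≈ 1.2452) and then re-runs the same signal data with the commit frequency weight raised from 1 to 10, as the demo does. The commit frequency value (30) and threshold (1000) are assumed here, chosen so that z_1 comes out at the 0.497 the talk states; the second repo and its signal values are constructed to show the ranking step. Signal names, thresholds and default weights in the real tool differ from these.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    """One signal of one repo: a_i (weight), s_i (value), t_i (threshold)."""
    name: str
    weight: float     # a_i: how much we value this signal
    value: float      # s_i: observed value, e.g. number of contributors
    threshold: float  # t_i: cap above which more of the signal stops mattering


def normalized(sig: Signal) -> float:
    """x_i = log(1 + s_i) / log(1 + max(s_i, t_i)), always in [0, 1].

    The log base cancels in the ratio, so natural log is used. Once the value
    reaches the threshold the term is exactly 1, so a huge value cannot dominate.
    """
    if sig.value < 0 or sig.threshold <= 0:
        raise ValueError(f"{sig.name}: value must be >= 0 and threshold > 0")
    return math.log1p(sig.value) / math.log1p(max(sig.value, sig.threshold))


def weighted_term(sig: Signal) -> float:
    """z_i = a_i * x_i, the numerator contribution of one signal."""
    return sig.weight * normalized(sig)


def criticality_score(signals, weight_overrides=None) -> float:
    """score = sum(z_i) / sum(a_i).

    weight_overrides maps a signal name to a replacement weight, which is how the
    demo swaps default weights for modified ones without recollecting signal data.
    A weight of 0 drops that signal from the score entirely.
    """
    overrides = weight_overrides or {}
    weighted = [
        Signal(s.name, overrides.get(s.name, s.weight), s.value, s.threshold)
        for s in signals
    ]
    total_weight = sum(s.weight for s in weighted)
    if total_weight <= 0:
        raise ValueError("at least one signal must have a positive weight")
    return sum(weighted_term(s) for s in weighted) / total_weight


def rank_dependencies(repos: dict, weight_overrides=None):
    """Return (repo, score) pairs, most critical first, for a set of dependencies."""
    scored = [(name, criticality_score(sigs, weight_overrides)) for name, sigs in repos.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The talk's example repo. Contributor count matches the slides; the commit
# frequency value and threshold are assumed (they reproduce the stated z_1 = 0.497).
EXAMPLE_REPO = [
    Signal("contributor_count", weight=2, value=200, threshold=5000),
    Signal("commit_frequency", weight=1, value=30, threshold=1000),
]

# A second, constructed repo so the ranking step has something to compare against.
CONSTRUCTED_REPOS = {
    "example/repo": EXAMPLE_REPO,
    "example/busy-but-small": [
        Signal("contributor_count", weight=2, value=12, threshold=5000),
        Signal("commit_frequency", weight=1, value=900, threshold=1000),
    ],
}

if __name__ == "__main__":
    for sig in EXAMPLE_REPO:
        print(f"z for {sig.name}: {weighted_term(sig):.4f}")
    print(f"default weights:  {criticality_score(EXAMPLE_REPO):.4f}")
    print(f"commit weight 10: {criticality_score(EXAMPLE_REPO, {'commit_frequency': 10}):.4f}")
    print("ranking, default weights: ", rank_dependencies(CONSTRUCTED_REPOS))
    print("ranking, commit weight 10:", rank_dependencies(CONSTRUCTED_REPOS, {"commit_frequency": 10}))
```

Running it reproduces the slide's numbers (z_0 ≈ 1.2452, score ≈ 0.5807) and shows the effect the demo highlights: raising the commit frequency weight pulls the example repo's score down, because its commit frequency term is well below its contributor term, and the same reweighting flips which of the two constructed repos ranks as more critical. Setting a signal's weight to 0 is the "zero a weight" answer from the Q&A, and the threshold cap is why one extreme signal cannot push a score above 1.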