- backed by a large company ?
- number of contributor doing 80% of the work ? or active in the last 12 months ? commits breakdown (99% is done by one guy) ?
- issues created/closed ratio
- PR created/merged ratio
- use critical projects ?
- other from your original score
A nice bonus: if we could use the tool to assess critical score for our project (not globally). For local dependency, we could increase the critical value if dependents count is low. Very few person is using it: that's a bad sign. With this, we could find those dependencies.
Currently CA management was very dangerous because it was not updated (as stated in the article).
New CA were not added so if you kept your phone long enough you would see insecure warning popping up. People would take the habits of accepting without thinking: very problematic behaviour. One solution is to used Firefox which doesn't use the system CA unlike Chrome.
Another more problematic one: untrusted CA were not removed (the author give the example of TrustCor but they were other examples in the past like DigiNotar). Who knows what happens to private key of old untrusted CA ? If they end up in the wrong hands people could get MITM. (Personally, I had to remove DigiNotar for my old phone.)
And of course as the author said: it's also problematic for new certificate authority like Let's Encrypt which at a time needed the complex cross sign certificate to ensure the certificates work for everyone. [1][2]
[1] https://letsencrypt.org/2020/11/06/own-two-feet.html [2] https://letsencrypt.org/2020/09/17/new-root-and-intermediate...