Dependency Mapping Working Group

Sent! Yes, it starts in five.

1 Like

@RichardLitt would you be able to facilitate this week? I have a conflict and won't be able to make it.

1 Like

Yes! No problem. Will send out the invite presently.

This weekend at FOSDEM I discovered the whole section named Software Composition which seems concerned about tracking license compliance. There is a new term for me there called Software Bill of Materials (SBOM). It may be interesting to browse the talks once processed videos show up.

1 Like

Invite sent out. Everyone who is interested in talking about Libraries.io, that's the topic for Wednesday based on last week's conversation, along with weight mapping for deps.

Agenda is here.

Matt Germonprez from CHAOSS said he'd be able to attend the next meeting to talk about what they're doing there involving metrics. @GeorgLink You might be interested, too. I've sent him an invite.

Yes, please send me an invite as well :slight_smile:

1 Like

I contacted ClearlyDefined, and they don't keep trees of project dependencies. However, they pointed me to this list: Compliance Process for Developers - Open Compliance Program

Might be some projects in there that do this work, too?

Two years ago I tried to use CHAOSS to see my digital trace, and because the ticket was closed I got the impression that the project is more about collecting data for companies than serving users. It is still interesting to know what metrics they gather.

I couldn't tell you at the meeting, but I just want to comment that FOSS Backstage was a very useful event. I need to find time to write it up, though.

1 Like

Hi @abitrolly. Thanks for your interest in the CHAOSS project. A lot has changed in two years :slight_smile:

We have several initiatives that are meant to draw out the developed metrics so that they are more meaningful to people. Happy to chat more and help in any way.

Hey Everyone,

I created another topic for weight maps specifically, it can be found here.

1 Like

Thanks, Joel.

An update on today: Our regularly scheduled Dependency WG is today, but I can't make it, as I'm attending the Mozfest session on open source governance run by Georg, Javi, and Greg (here: mozfest-2021-website).

As well, I think attending a few more calls with the Risk WG would be great to assess whether or not we overlap in efforts. Alyssa and I were at the last call; would be great to see others there. GitHub - chaoss/wg-risk: Risk Working Group Repository

Given that, I think it makes sense to cancel today's session. Let me know if you'd like to meet, anyway!

1 Like

CHAOSS risk assessment focus may be too broad for discussing building dependency trees. But I don't mind. There are still things I need to write down since the last meeting, so I will dedicate that hour to the writing.

  1. deps.cloud and fetching the graph of dependencies for my Python projects. Parts are there, but the interface is not. Evaluated pipgrip and a few other tools. Need some kind of awesome list with reviews, roadmaps and progress updates on these tools for my user story.

  2. CHAOSS digital trace. I planned to create a separate topic on this forum, but could not find the place and time. Basically I need a public timeline of my activities for each day that I can mark. This tool should help people take a glimpse into what the life of a maintainer entails and "bill" activities to certain aspects. Like calculating the maintenance debt for my open source libraries by multiplying my hourly rate by all the time I've spent answering and troubleshooting issues, and then diffing that against my income and cost of living.

1 Like

Looks like Gunner and Tobias may be able to make it today, @abitrolly and others. I'll make sure you can get into the zoom before hopping off to help with the Mozfest session.

Just seen this. Thanks for being on hand to keep things together!

Slight snafu in the calendar invite, but hopefully others were able to make it. Thank you for coming and taking over the host, @abitrolly!

Hey all! Our regularly scheduled WG is starting in an hour. Hope you can all make it - let me know if anyone is missing the invite. Here is the WG calendar for people who want to see the event on a calendar.

1 Like

After talking to @benjam, I think it makes sense to free up the Dep WG hour for now by not continuing with the active meetings.

Over time, the WG has solidified around helping out Joel from Flossbank with their work on dependency graphs, and @benjam is going to keep helping them out as needed. By this point, all of the WG members know each other well enough to reach out and ask for help as needed, I believe. As well, the Risk WG from CHAOSS is also doing similar work in this area.

If anyone has other topics that you think would be good to discuss, drop them here, or open a topic like this one: Dependency Tree Node Weights - #7 by sgoggins. Also, if I've radically misunderstood the status of this WG, let me know.

It may be a good outcome to make a write-up, as there are people who may find this thread and I imagine they would be left with the impression that this meeting stuff is useless. While we are synchronized and are definitely way ahead of where we were before we started, the outside world is not synced. That's the consequence of not being able to stream in public, where you may be cancelled for expressing criticism or arguments against things that people love or even build.

For me the write-up is basically the discovery of a few initiatives that do dependency mapping - some older ones, some newer (with CHAOSS in the end). I am still not organized well enough to keep track of who came from which project, though. It was nice to hear about a funded opportunity for dealing with Python dependencies on https://deps.cloud/ (which I haven't used), the discovery of closed conferences about open source (still nice), and the way people see dependency mapping from different aspects (marketing, design, management, legal, etc.) that I have no experience with.

In the end it was nice that I switched to testing practical solutions, which now requires significantly more time than just 1 hour every 2 weeks. Like getting all user stories in order and every two weeks iterating over them, stating current status. Stories like "get a list of all Python dependencies for my package without rebuilding the package" are still not solved in 2021 and there is no place where you can put a spotlight on them. Or coding a visual weight mapping in Godot or Observable - that's like a full-time job, and that job is not sustainable. I feel like there is a need for capacity building to continue digging. It was fun so far.

1 Like