An update on OpenSSF's XZ fumble: https://micro.webology.dev/2024/04/01/an-update-on.html
@webology holy shit I just noticed that one of the factors that contributes to the score is whether you put their badge in your README. Total fucking garbage.
@jacob I believe that's 5 to 10 points depending on gold, silver, or bronze status.
I want these tools not to suck, but when someone blogs about a low score being an indicator of security...
...and then three projects I use and genuinely respect get dinged and are within ~1 point of XZ, but someone says to not worry about that because ~7 is pretty good.
Bad metrics are worse than no metrics in this case.