Open-source

Tools for assessing the security of the software supply chain largely lack metrics related to software maintenance patterns and quality. Instead, current solutions focus on checking a manifest of packages against known vulnerabilities in their code. They do not account for the status of maintainers or for the integrity, liveness, or health of the processes that produce that code. This article discusses how the recent archival of the ipmitool project illustrates the main difficulties in perceiving this status. Tools that observe and model such information can help inform decisions about the trustworthiness of open source software and its dependencies, going beyond the presence of known bugs and vulnerabilities.
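To make the distinction concrete, the following added example (written for this page, not code from the article or from the ipmitool project) evaluates a manifest of dependencies purely on maintenance signals rather than on known CVEs. The `RepoStatus` fields, the one-year window, the status labels and the sample repositories are all constructed assumptions; the archived entry is a stand-in for the situation the article describes, not real data about ipmitool.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class RepoStatus:
    """Constructed snapshot of a repository's maintenance state (hypothetical fields)."""
    name: str
    archived: bool
    last_commit: date
    last_release: date
    active_maintainers: int    # maintainers who committed within the window
    open_security_issues: int  # reported security issues awaiting a response


def assess_maintenance(repo: RepoStatus, today: date, window_days: int = 365) -> dict:
    """Return liveness/health findings for one repository.

    Unlike a vulnerability scan, this looks only at process signals:
    whether anyone is still producing code, releasing it, and answering reports.
    """
    findings = []
    days_since_commit = (today - repo.last_commit).days
    days_since_release = (today - repo.last_release).days

    if repo.archived:
        findings.append("archived: upstream will not ship fixes")
    if days_since_commit > window_days:
        findings.append(f"stale: no commit in {days_since_commit} days")
    if days_since_release > window_days and days_since_commit <= window_days:
        findings.append(f"unreleased: commits exist but no release in {days_since_release} days")
    if repo.active_maintainers == 0:
        findings.append("no active maintainers in window")
    elif repo.active_maintainers == 1:
        findings.append("single maintainer: bus factor of one")
    if repo.open_security_issues > 0 and (repo.archived or repo.active_maintainers == 0):
        findings.append(f"{repo.open_security_issues} security issue(s) with nobody to triage them")

    # Archived or maintainer-less projects are unmaintained regardless of other signals.
    if repo.archived or repo.active_maintainers == 0:
        status = "unmaintained"
    elif findings:
        status = "at-risk"
    else:
        status = "healthy"
    return {"name": repo.name, "status": status, "findings": findings}


def assess_manifest(manifest, today: date) -> dict:
    """Assess every dependency in a manifest; keyed by repository name."""
    return {r.name: assess_maintenance(r, today) for r in manifest}


# Constructed sample manifest and assessment date: none of these values describe a real project.
SAMPLE_TODAY = date(2023, 6, 1)
SAMPLE_MANIFEST = [
    RepoStatus("example-archived-tool", True, date(2022, 1, 15), date(2021, 3, 1), 0, 2),
    RepoStatus("example-solo-lib", False, date(2023, 5, 1), date(2023, 4, 1), 1, 0),
    RepoStatus("example-active-lib", False, date(2023, 5, 20), date(2023, 5, 10), 4, 0),
]


if __name__ == "__main__":
    for name, result in assess_manifest(SAMPLE_MANIFEST, SAMPLE_TODAY).items():
        print(f"{name}: {result['status']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

All three sample packages would pass a CVE-only scan with zero findings; only the maintenance view flags the archived project as unmaintained and the single-maintainer library as at risk. In practice the `RepoStatus` values would be populated from forge metadata and commit history rather than hard-coded.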