Interesting! Clicking through the report, I have some questions about the metrics (which this may be the wrong venue to bring up). They seem like they are very focused on corporate backed / directed projects and not community driven projects which leads to some very odd conclusions.

• The organization metric in very odd for us as the most frequent organization is ours which is everyone with commit rights. It is a bit tautological that if the community stopped working on the project the project would stop being worked on. This metric feels like it is setup to reflect a multi-corporation project that we just are not and it seems unfair to ding us for having a different model
• It seems odd that we are being dinged for being a volunteer project (as shown by the out-of-hours contributions). Similar to previous ones these metrics seem skewed to favor a particular type of project that we are not. Some of our contributors have expressed a desire for this to remain a volunteer effort on their time rather than being a "day job" thing.
• I have mixed feelings about the way contributor retention is scored. On one hand, I would love more retention (and even wrote improving that into a recent grant!), but I think it is also healthy that new contributors can put in a PR that fixes their problem, get it merged, and then go back to what ever it is they do day-to-day without requiring an on-going commitment from them.
• The rules on the licenses seem to have missed. We have a folder https://github.com/matplotlib/matplotlib/tree/main/LICENSE which has both our license and that of code we have vendored

On the positive side, I very much appreciate that this is pulling out basically everything we can get from github! Still does not capture the user support / community work off of GH, but is far better than just counting commits! It is possible to also ingest our discourse server?

On one hand, this is very low cost to merge technically, but I also don't want to highlight a score card that are structurally always going to look bad on (because we are a community project not a corporate project).

Thanks a lot for your feedback @tacaswell

When we initially built Insights, we had the projects in mind that are under the umbrella of the Linux Foundation. This led to metrics like "contributions outside of work hours" as most contributors are getting paid for their work on LF projects.

I agree that this should not apply to a project like matplotlib. I went on and removed the following metrics for your project (it might take a few hours to reflect):

• Organizations leaderboard
• Organizations dependency
• Contributions outside work hours

Other than that, I don't think Insights makes matplotlib look "bad" at all. Our overall assessment is "healthy" which is really awesome for a volunteer-driven project!

The rules on the licenses seem to have missed. We have a folder https://github.com/matplotlib/matplotlib/tree/main/LICENSE which has both our license and that of code we have vendored

We will take a look. You can follow the ticket here.

It is possible to also ingest our discourse server?

Yes. We do have a Discourse integration. But I would need an API key to onboard it.
Please feel free to reach out via jreimer@linuxfoundation.org if you're interested to get Discourse onboarded.

Dropping those metrics I'm happy to merge this!

Our rules are normally 1 review for docs merges, but I would like a second review on this.

If/when we merge this I'll reach out to sort out the discourse API key.

Let's try this.

@jonathimer Is there a way to gain insights on why these issues pop up and how to mitigate them?
grafik

The controls in "Security & Best Practices" are powered by the OpenSSF Baseline projects. You can documentation about the controls on their website.

We're currently working on a new feature that will tell you in Insights what this actually means and how you can mitigate it. I expect this to go live in the next 1-2 weeks.