Metric: has source control

[dgkf]

Description

Try to infer whether a package has accessible public source code.

Varies based on ...

• known source code hosting services

Discussion

In riskmetric we tried to infer a source control url from the website and bug reports urls. We have a rather restrictive allow-list which knows to associate github.com, bitbucket.org and gitlab.com. These are certainly not exhaustive and probably lead to many false negatives, especially with the rise of federated git providers via forgejo (codeberg.org). Should definitely add r-forge.r-project.org.

Open to other ideas that might generalize more easily than domain curation. If we do want to curate domains, we should at least make it customizable via an option.

---

^{please vote using 👍 reactions to help us prioritize metrics}

[dominik-appsilon]

I see at least a few levels of the metric of depth that we could get into.

We probably need to have whitelist approach. The first question is whether the list should be fixed or parametrized -- like having a package option that lets user set this whitelist. How flexible can we be?

Another approach (or something that we can build on top of the whitelist) is to detect parts of the URL that could indicate this is repo, like having ".git" or ".svg" pattern in the name. However, that goes agains objectivity of the metrics, cause heuristics from definition would be only an approximation.

More objective step that would require network permission is to "sniffle" for forge fingerprint -- make some lightweight HTTP request and check whether the response has some specific meta tag or other DOM hints. We can go a step further and actually test VCS access but this needs also some execution.

We can also combine those approaches. The question is whether user of the package should be able to control this level of details and/or setup parameters like whitelist entries or URL patterns.

Any thoughts on that?

[dgkf]

From discussion on 2025/12/11

• Let's go with the allow list, exposed via an option (mentioned https://codeberg.org/dgkf/options on call, but please don't feel obligated to use this if you don't think it's warranted - I won't be offended in the least)
• Let's try to come up with a new name for this metric that better communicates that it is somewhat ambiguous and dependent on a known list of sources