Hello. I have noticed that running `pkg_score()` returns different results when run for `pkg_source()` and `pkg_install()`. I tested them with riskmetric 0.2.3 on the askpass 1.1, dplyr 1.0.5 and openssl 1.4.3 packages. Shouldn't the results be equal? If not, which reference should be used for assessing package risk?
The results should not be equal. As to which to use, that is up to you and your use case.
Not all assessments/metrics are available for all ref sources; this is by design, as not all info is available for all sources (e.g. unit tests are not available for installed packages, so there is no way to run code coverage for an installed package). That said, we are working toward implementing as many assessments/metrics for as many sources as possible as we mature the package. We are even discussing/designing chaining sources together to create as complete a score as possible.
There are small discrepancies in scores when computing from different sources. So far these have been negligible, so we have backlogged this issue for now. Between source code and installation there are some things R does to "compile" the package that I haven't yet fully investigated.
Reproducible code:
Below you can see the differences in metrics:
Thanks and greetings.