
Add higher-level organizational header names to the risk matrix Google sheets
Closed, Resolved · Public

Event Timeline

Restricted Application added a subscriber: Aklapper.
sbassett renamed this task from Add higher-level organizational columns to the risk matrix Google sheets to Add higher-level organizational header names to the risk matrix Google sheets. Oct 12 2023, 8:41 PM

@acooper I think I need edit privileges to modify the sheet. I'd like to make a copy of the 'Matrix' sheet and tweak it.

I think you should have access to both of the linked Google sheets now.

Thanks

I had another thought about this requirement. Besides the higher level organizational header names, it would be helpful if the risk of those columns could be collectively expressed by a single value.

So for example you would have for each extension not a single risk score, but a risk score for each of the related higher level organizational header names, in addition to the overall risk score.

This would facilitate a high level analysis like this:

  • I see an extension has a low risk score. But where is that risk coming from specifically?
  • Now I look at the summary risks from a few high level factors. I can see whether there is one area that is particularly bad, and get a sense of where the overall risk score is coming from.
  • I can now form an action plan. Maybe we need to do more work on certain aspects. The summary gives an idea what these are.
  • Detailed analysis can now be carried out on the individual factors and columns to make a decision what to do with that area.

Makes sense. I'll tweak the high-level headers first and poke you to see if I am heading in the right direction before getting a bit deeper with the score of the high-level dimensions.

I've given it a try in the sheet COPY_High-level indicators and grouped the factors under 4 high-level indicators: security, testability, activity, and stewardship. These indicators are mainly inspired by our MediaWiki documentation on Code Health[1][2] and some external resources[3].

[1] https://www.mediawiki.org/wiki/Code_Health
[2] https://www.mediawiki.org/wiki/Code_Stewardship
[3] https://leaddev.com/tech/four-pillars-code-health

Lemme know what you think

Can I get access to this sheet? Thanks.

I've reviewed @sguebo_WMF's changes and they look good to me. So as long as @acooper does not object, I'd say this task, as described, could likely be resolved for now. Any additional work described in comments could eventually be a part of future phases of development and filed as separate tasks.

sbassett triaged this task as Medium priority.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.

Resolving for now.

I like these headings, thank you.

It would be really nice as an extension to this, when we show that an extension has a high risk score, to give more of a sense of which of these four high level categories is most contributing to that, maybe by combining the scores for those categories and then giving it a low/medium/high risk colouring based on some threshold for that category.

Ok, let's put this in a follow-up bug for @sguebo_WMF to investigate.

Update: filed T352563.