Use Debian/other distro dependent count data for C/C++ projects

[oliverchang]

For Debian, we could potentially extract this information from package indexes. This could be a useful proxy for C/C++ projects.

e.g. from https://snapshot.debian.org/archive/debian/20220627T213404Z/dists/bullseye/main/binary-amd64/Packages.xz and https://snapshot.debian.org/archive/debian/20220627T213404Z/dists/bullseye/main/source/Sources.xz

[mudongliang]

We have implemented this idea in our own repository to choose the most "critical" open source projects.

We have open sourced our repository - https://github.com/HUSTSeclab/criticality_score. There are some differences between ours and ossf/criticality_score.

• Distribution Dependents: Collects data from various Linux distributions (e.g. Debian, Arch, Nix, Gentoo) and corresponding package managers to evaluate the dependency of open-source software synthetically.
• Support for All Git Repositories: Use metrics collected from offline repository. Therefore, it can analyze repositories from any Git platform, other than GitHub. Even it could extend to other source code version control systems.
• Customized Metrics Collection: Gathers a wider and customized metrics from Git repositories and package managers. BTW, this can lose some specific metrics in Github or code hosting platform.
• No Dependency on Google Cloud or BigQuery: ossf/criticality_score depends on Google Cloud service, making it hard to migrate to other platforms. This project runs independently of specific cloud services, ensuring ease of deployment. BTW, we use the public API of deps.dev.
• Easy Deployment: Runs a script, and the system will be easily setup with Docker.
• Provides Additional Information: Provides extra insights, such as relationships between projects and dependencies.