I have doubts about how Tidelift considers the case where a client makes indirect use of a “lifted” library.
Let’s say that a client has a project P, which directly depends on libraries L1, L2 & L3, and let’s also say that L1 & L2 depend on L4, and L3 & L4 depend on L5…
```
         P
   ┌─────┼─────┐
   L1    L2    L3
   └──┬──┘     │
      L4       │
      └────┬───┘
           L5
```
Are only L1, L2 & L3 eligible to be rewarded (for this specific project)? And in case L4 & L5 are eligible too, how is their score computed?
My intuition tells me that it would be fair to make them eligible too, with a score inversely proportional to a growing function of the distance from the project to them, and proportional to a growing function of the number of intermediate dependencies that depend on them.
Something like (just as a vague idea):
score(lib) = value_from_static_analysis_and_other_factors(lib) * sum([W(pkg)/(1 + pow(dist(P, pkg), k)) for pkg in dependents(lib) ])
- one of those pkg instances could be P as well, so dist(P, pkg) would be 0
- dependents(lib) is computed, of course, only in the scope of the given project P
- W(pkg) is between 0 and 1, and is a growing function of score(pkg), but of course it could be the constant 1. W(P) would be 1 by convention.
- k >= 1.
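The formula sketched above, worked through on the example graph, as an added illustration that is not part of the original post and has nothing to do with how Tidelift actually scores packages. The dependency graph is the one in the question; the per-library base values and the particular form of W (s/(1+s)) are assumptions chosen only to show the two variants (constant W and W growing with score).

```python
from collections import deque

# Constructed graph from the question: P depends on L1, L2, L3;
# L1 and L2 depend on L4; L3 and L4 depend on L5.
DEPS = {
    "P": ["L1", "L2", "L3"],
    "L1": ["L4"], "L2": ["L4"], "L3": ["L5"],
    "L4": ["L5"], "L5": [],
}
# Hypothetical stand-in for value_from_static_analysis_and_other_factors(lib).
BASE = {"L1": 1.0, "L2": 1.0, "L3": 1.0, "L4": 1.0, "L5": 1.0}

def distances(root, deps):
    """BFS depth of every package reachable from root; dist(root, root) == 0."""
    dist = {root: 0}
    queue = deque([root])
    while queue:
        u = queue.popleft()
        for v in deps[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def dependents(lib, deps, dist):
    """Direct dependents of lib, restricted to packages reachable from the project."""
    return [pkg for pkg, ds in deps.items() if lib in ds and pkg in dist]

def scores(root, deps, base, k=1, weight=lambda s: 1.0):
    """score(lib) = base(lib) * sum(W(pkg) / (1 + dist(root, pkg)**k)) over
    dependents(lib). Dependents point towards the project, so the graph of
    dependents is acyclic and memoised recursion resolves W(pkg) first."""
    dist = distances(root, deps)
    memo = {}

    def score(lib):
        if lib in memo:
            return memo[lib]
        total = 0.0
        for pkg in dependents(lib, deps, dist):
            w = 1.0 if pkg == root else weight(score(pkg))  # W(P) == 1 by convention
            total += w / (1 + dist[pkg] ** k)
        memo[lib] = base[lib] * total
        return memo[lib]

    return {lib: score(lib) for lib in dist if lib != root}

if __name__ == "__main__":
    print("W = 1, k = 1:", scores("P", DEPS, BASE))
    print("W = s/(1+s), k = 1:", scores("P", DEPS, BASE, weight=lambda s: s / (1 + s)))
```

With constant W and k = 1 the transitive libraries score lower than the direct ones (L4 gets 1/2 + 1/2 = 1.0, L5 gets 1/2 + 1/3 ≈ 0.83), and raising k shrinks the contribution of far-away dependents faster.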