The attack against the xz project has highlighted the need to evaluate and manage risks in upstream OSS projects. The idea is to develop a methodology to gather metrics, give an overall fitness score and cluster packages with similar properties.