Indeed, how can we measure risk of a
provider that does not exist and that is no
providing commercial services?
Beyond the usual analysis of source code
or compliance, have a look at other areas:
activity, community, and process.
And work with this community as this
were another partner. It happens this
should be done in a differnt way.