Me neither. Nevertheless, the commit rate plays a role.
If the last commit is months old, you should be careful. If it is years old, you should stay away from it. (Example: The original Qmail mailserver was rock solid and djb's masterpiece of security. But you had to add custom patches for even basic features such as SMTP Auth. Why? Because at the time Qmail was written, SMTP Auth wasn't common yet.)
If the author then says that this is not due to lack of time, but because the software is "ready" / "done", this is an even worse sign. (Yes, I'm looking at you, Tilecache.)