
Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects


Bibliographic Details
Main Authors: Wermke, Dominik; Wohler, Noah; Klemmer, Jan H.; Fourne, Marcel; Acar, Yasemin; Fahl, Sascha
Format: Conference Proceeding
Language: English
Pages: 1880-1896
Abstract:
Open Source Software plays an important role in many software ecosystems. Whether in operating systems, network stacks, or as low-level system drivers, software we encounter daily is permeated with code contributions from open source projects. Decentralized development and open collaboration in open source projects introduce unique challenges: code submissions from unknown entities, limited personpower for commit or dependency reviews, and bringing new contributors up-to-date in projects' best practices & processes. In 27 in-depth, semi-structured interviews with owners, maintainers, and contributors from a diverse set of open source projects, we investigate their security and trust practices. For this, we explore projects' behind-the-scene processes, provided guidance & policies, as well as incident handling & encountered challenges. We find that our participants' projects are highly diverse both in deployed security measures and trust processes, as well as their underlying motivations. Based on our findings, we discuss implications for the open source software ecosystem and how the research community can better support open source projects in trust and security considerations. Overall, we argue for supporting open source projects in ways that consider their individual strengths and limitations, especially in the case of smaller projects with low contributor numbers and limited access to resources.
DOI: 10.1109/SP46214.2022.9833686
Publisher: IEEE
Date: May 2022
EISBN: 9781665413169; 1665413166
CODEN: IEEPAD
Total pages: 17
Online: https://ieeexplore.ieee.org/document/9833686
EISSN: 2375-1207
Published in: 2022 IEEE Symposium on Security and Privacy (SP), 2022, p.1880-1896
Source: IEEE Xplore All Conference Series
Subjects: Atmospheric measurements; Codes; Ecosystems; interviews; open-source; Particle measurements; Privacy; Security; Soft sensors; trust