Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects

Research output: Chapter in book/report/conference proceeding, Conference contribution, Research, peer-reviewed

Authors

  • Dominik Wermke
  • Noah Wohler
  • Jan H. Klemmer
  • Marcel Fourne
  • Yasemin Acar
  • Sascha Fahl

Research Organisations

External Research Organisations

  • CISPA Helmholtz Center for Information Security
  • Max Planck Institute for Security and Privacy
  • George Washington University

Details

Original language: English
Title of host publication: Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 1880-1896
Number of pages: 17
ISBN (electronic): 9781665413169
ISBN (print): 978-1-6654-1317-6
Publication status: Published - 2022
Event: 43rd IEEE Symposium on Security and Privacy, SP 2022 - San Francisco, United States
Duration: 23 May 2022 to 26 May 2022

Publication series

Name: Proceedings - IEEE Symposium on Security and Privacy
Volume: 2022-May
ISSN (print): 1081-6011
ISSN (electronic): 2375-1207

Abstract

Open Source Software plays an important role in many software ecosystems. Whether in operating systems, network stacks, or as low-level system drivers, software we encounter daily is permeated with code contributions from open source projects. Decentralized development and open collaboration in open source projects introduce unique challenges: code submissions from unknown entities, limited personpower for commit or dependency reviews, and bringing new contributors up-to-date in projects' best practices & processes. In 27 in-depth, semi-structured interviews with owners, maintainers, and contributors from a diverse set of open source projects, we investigate their security and trust practices. For this, we explore projects' behind-the-scene processes, provided guidance & policies, as well as incident handling & encountered challenges. We find that our participants' projects are highly diverse both in deployed security measures and trust processes, as well as their underlying motivations. Based on our findings, we discuss implications for the open source software ecosystem and how the research community can better support open source projects in trust and security considerations. Overall, we argue for supporting open source projects in ways that consider their individual strengths and limitations, especially in the case of smaller projects with low contributor numbers and limited access to resources.

Keywords

    interviews, open-source, security, trust

Cite this

Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects. / Wermke, Dominik; Wohler, Noah; Klemmer, Jan H. et al.
Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022. Institute of Electrical and Electronics Engineers Inc., 2022. p. 1880-1896 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2022-May).


Wermke, D, Wohler, N, Klemmer, JH, Fourne, M, Acar, Y & Fahl, S 2022, Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects. in Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022. Proceedings - IEEE Symposium on Security and Privacy, vol. 2022-May, Institute of Electrical and Electronics Engineers Inc., pp. 1880-1896, 43rd IEEE Symposium on Security and Privacy, SP 2022, San Francisco, United States, 23 May 2022. https://doi.org/10.1109/SP46214.2022.9833686
Wermke, D., Wohler, N., Klemmer, J. H., Fourne, M., Acar, Y., & Fahl, S. (2022). Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects. In Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022 (pp. 1880-1896). (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2022-May). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SP46214.2022.9833686
Wermke D, Wohler N, Klemmer JH, Fourne M, Acar Y, Fahl S. Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects. In Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022. Institute of Electrical and Electronics Engineers Inc. 2022. p. 1880-1896. (Proceedings - IEEE Symposium on Security and Privacy). doi: 10.1109/SP46214.2022.9833686
Wermke, Dominik; Wohler, Noah; Klemmer, Jan H. et al. / Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects. Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022. Institute of Electrical and Electronics Engineers Inc., 2022. pp. 1880-1896 (Proceedings - IEEE Symposium on Security and Privacy).

BibTeX
@inproceedings{441253b30f1641a1a09252f1c97c1d73,
title = "Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects",
abstract = "Open Source Software plays an important role in many software ecosystems. Whether in operating systems, network stacks, or as low-level system drivers, software we encounter daily is permeated with code contributions from open source projects. Decentralized development and open collaboration in open source projects introduce unique challenges: code submissions from unknown entities, limited personpower for commit or dependency reviews, and bringing new contributors up-to-date in projects' best practices & processes. In 27 in-depth, semi-structured interviews with owners, maintainers, and contributors from a diverse set of open source projects, we investigate their security and trust practices. For this, we explore projects' behind-the-scene processes, provided guidance & policies, as well as incident handling & encountered challenges. We find that our participants' projects are highly diverse both in deployed security measures and trust processes, as well as their underlying motivations. Based on our findings, we discuss implications for the open source software ecosystem and how the research community can better support open source projects in trust and security considerations. Overall, we argue for supporting open source projects in ways that consider their individual strengths and limitations, especially in the case of smaller projects with low contributor numbers and limited access to resources.",
keywords = "interviews, open-source, security, trust",
author = "Dominik Wermke and Noah Wohler and Klemmer, {Jan H.} and Marcel Fourne and Yasemin Acar and Sascha Fahl",
note = "Acknowledgments: With this, we want to acknowledge our interviewees for their participation: It was a great experience to interview you for this study. We appreciate your knowledge, project information, and most importantly your valuable time that you have generously given. We hope that with this work and your contribution, both the research and open source community are one step closer to more secure and trustworthy software. Last but not least, we thank the anonymous reviewers for their valuable feedback. ; 43rd IEEE Symposium on Security and Privacy, SP 2022 ; Conference date: 23-05-2022 Through 26-05-2022",
year = "2022",
doi = "10.1109/SP46214.2022.9833686",
language = "English",
isbn = "978-1-6654-1317-6",
series = "Proceedings - IEEE Symposium on Security and Privacy",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "1880--1896",
booktitle = "Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022",
address = "United States",

}

RIS

TY - GEN

T1 - Committed to Trust

T2 - 43rd IEEE Symposium on Security and Privacy, SP 2022

AU - Wermke, Dominik

AU - Wohler, Noah

AU - Klemmer, Jan H.

AU - Fourne, Marcel

AU - Acar, Yasemin

AU - Fahl, Sascha

N1 - Acknowledgments: With this, we want to acknowledge our interviewees for their participation: It was a great experience to interview you for this study. We appreciate your knowledge, project information, and most importantly your valuable time that you have generously given. We hope that with this work and your contribution, both the research and open source community are one step closer to more secure and trustworthy software. Last but not least, we thank the anonymous reviewers for their valuable feedback.

PY - 2022

Y1 - 2022

N2 - Open Source Software plays an important role in many software ecosystems. Whether in operating systems, network stacks, or as low-level system drivers, software we encounter daily is permeated with code contributions from open source projects. Decentralized development and open collaboration in open source projects introduce unique challenges: code submissions from unknown entities, limited personpower for commit or dependency reviews, and bringing new contributors up-to-date in projects' best practices & processes. In 27 in-depth, semi-structured interviews with owners, maintainers, and contributors from a diverse set of open source projects, we investigate their security and trust practices. For this, we explore projects' behind-the-scene processes, provided guidance & policies, as well as incident handling & encountered challenges. We find that our participants' projects are highly diverse both in deployed security measures and trust processes, as well as their underlying motivations. Based on our findings, we discuss implications for the open source software ecosystem and how the research community can better support open source projects in trust and security considerations. Overall, we argue for supporting open source projects in ways that consider their individual strengths and limitations, especially in the case of smaller projects with low contributor numbers and limited access to resources.

AB - Open Source Software plays an important role in many software ecosystems. Whether in operating systems, network stacks, or as low-level system drivers, software we encounter daily is permeated with code contributions from open source projects. Decentralized development and open collaboration in open source projects introduce unique challenges: code submissions from unknown entities, limited personpower for commit or dependency reviews, and bringing new contributors up-to-date in projects' best practices & processes. In 27 in-depth, semi-structured interviews with owners, maintainers, and contributors from a diverse set of open source projects, we investigate their security and trust practices. For this, we explore projects' behind-the-scene processes, provided guidance & policies, as well as incident handling & encountered challenges. We find that our participants' projects are highly diverse both in deployed security measures and trust processes, as well as their underlying motivations. Based on our findings, we discuss implications for the open source software ecosystem and how the research community can better support open source projects in trust and security considerations. Overall, we argue for supporting open source projects in ways that consider their individual strengths and limitations, especially in the case of smaller projects with low contributor numbers and limited access to resources.

KW - interviews

KW - open-source

KW - security

KW - trust

UR - http://www.scopus.com/inward/record.url?scp=85135955777&partnerID=8YFLogxK

U2 - 10.1109/SP46214.2022.9833686

DO - 10.1109/SP46214.2022.9833686

M3 - Conference contribution

AN - SCOPUS:85135955777

SN - 978-1-6654-1317-6

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 1880

EP - 1896

BT - Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 23 May 2022 through 26 May 2022

ER -