Open Source Software Interviews

Language: This page is also available in German.

Looking for Interview Partners

Do you contribute to open source projects? We would love to interview you about the projects and your experiences!

We are a group of security & privacy researchers from the German CISPA Helmholtz-Center for Information Security, the Max Planck Institute for Security and Privacy, and the Leibniz University Hannover. We are looking for interview partners from a diverse set of open source projects, to gain deeper insights from many involved contributors and a wide field of projects.

The interview would be:

  • Fully anonymous for you and the projects; at most, short anonymized quotes from the interview might be published.
  • We estimate the interview will take about 45 minutes of your valuable time.
  • On any audio platform of your choice (Zoom, Skype, our self-hosted Jitsi, …), no camera required.

Participate: You can directly book a timeslot for the interview via our Calendly event.

For any further questions or better fitting timeslots (e.g., weekend or after-work), feel free to write us an informal email at dominik.wermke@cispa.de.

Context #

Whether as low-level system drivers in operating systems, as tooling in our daily jobs, or simply as dependencies of our hobby projects, open source software is an important building block of our everyday lives.

“To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.” – Ken Thompson in “Reflections on Trusting Trust”.

The decentralized development and open collaboration of open source projects also introduce some unique challenges such as code submissions from unknown entities, limited people-power for reviewing the supply chain & dependencies, and bringing new contributors up-to-speed in projects' best practices & processes.

With those unique challenges in mind, we asked ourselves: how can we empower open source contributors to build more secure projects? To answer this, we decided to conduct a series of interviews with open source maintainers and contributors to gain insights into the security & trust processes they currently employ.

Figure 1. A hypothetical example of a repository with a somewhat questionable CONTRIBUTING.md file.

Overall, we aim to better support open source projects with trust and security considerations — by investigating both public and internal security measures and trust processes within a diverse set of projects.

Who we are #

We are a group of security & privacy researchers from the German CISPA Helmholtz-Center for Information Security, the Max Planck Institute for Security and Privacy, and the Leibniz University Hannover.

We study the intersection of computer security and privacy with human factors. We are particularly interested in investigating end users, administrators, developers, and designers of computer systems and their interdependencies with computer security and privacy mechanisms.

You can find some of our recent publications here.

Researchers

Dominik Wermke | Researcher (CISPA) and PhD Student (Leibniz University Hannover).
Contact: dominik.wermke@cispa.de

Sascha Fahl | Principal Investigator, Tenured Faculty (CISPA) and Full Professor (Leibniz University Hannover).
Yasemin Acar | Research Group Leader (Max Planck Institute for Security and Privacy) and Research Professor (George Washington University).

Institutions

CISPA Helmholtz-Center for Information Security

Max Planck Institute for Security and Privacy

Interview #

Do you contribute to open source projects? We would like to invite you to an interview via an audio call on a platform of your choice (e.g., Zoom, Skype, our self-hosted Jitsi, …).

We are interested in your personal experiences and opinions, as well as the security & trust processes of your projects. We are not judging the security measures deployed by the project in any way; we are only interested in the underlying structures.

Example Questions #

We would like to conduct the interview in a semi-structured approach: we would open with a somewhat general question, on which you can elaborate to your liking and knowledge, after which we might ask some additional follow-up questions.

Some example questions:

  • S1Q1 Project: Can you tell us a bit about the project(s) you are involved in?
  • S2Q2 Challenges: Can you remember any security challenges that the project faced in the past?
  • S5Q1 Repository: What does the general repository structure look like?
  • S6Q1 Release and Updates: How are releases and updates published?
  • S8Q1.5 Trusted: How could a new contributor become a trusted member of the project/team?

Data Handling #

We would like to analyze the interviews based on transcripts. For this, we would need to collect the following data:

  • A recording of your interview, which will be destroyed after transcription (likely a few days after the interview).
  • A fully anonymized and de-identified (your & project information) transcript of the interview, destroyed after completion of our research (likely a few months after the interview).

The interview & data handling process was approved by our German equivalent of an IRB:

  • Collected data is fully anonymized and de-identified if possible.
  • During all research, data access is restricted to a small number of trained researchers.
  • All collected data is handled according to strict GDPR/DSGVO regulations.
  • All data will be destroyed after completion of our research.

Our full consent disclosure is as follows:

  • Participation: Your participation is of course entirely voluntary. You may skip any questions you don’t want to answer, abort the interview at any time for any reason, or cancel the interview appointment.
  • Data Collection: We would like to record the call’s audio for later transcription by a GDPR/DSGVO compliant transcription service. After we de-identify as well as pseudonymize transcripts and check them for accuracy, all recordings will be discarded.
  • Sensitive Questions: We are mostly interested in the approaches to trust & security in the project. Of course, you can skip any question at any time.
  • Risks: The risks of participating in this online interview study are those associated with basic computer tasks, including boredom, fatigue, mild stress, or breach of confidentiality.
  • Benefits: The benefits of participating in the interview are the learning experience of taking part in a research study, and the contribution to the state of scientific knowledge.