Reproducible Build Interviews

Looking for Interview Partners

Do you work on making software builds reproducible? Maybe even in open source projects? We would love to interview you about the projects and your experiences!

We are a group of security & privacy researchers from the German Max Planck Institute for Security and Privacy, the CISPA Helmholtz-Center for Information Security, and the George Washington University. We are looking for interview partners from a diverse set of open source projects, to gain deeper insights from many involved contributors and a wide field of projects.

The interview would be:

  • Not linked to you or the projects. At most, short de-identified quotes from the interview might be published.
  • We estimate the interview will take about 30-40 min of your valuable time.
  • On any audio platform of your choice (Zoom, our self-hosted Jitsi, …), no camera required.

Participate

You can directly book a timeslot for the interview via our Calendly event or write us an email for a more convenient time slot.
(The 1-hour timeslot includes time to spare; the actual interview should take around 30-40 minutes.)

Context

Whether as low-level system drivers in operating systems, as tooling in our daily jobs, or simply as dependencies of our hobby projects, open source software is an important building block of our everyday lives.

“To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.” – Ken Thompson in “Reflections on Trusting Trust”.

As Ken Thompson argued, the expectation that a compiler produces only code corresponding to the source code it processes may be false. Even the same source code can yield different results after recompilation.

The decentralized development and open collaboration of open source projects also introduce some unique challenges such as large and diverse groups of people who work on projects, compilation in different build setups on distributed computers, and powerful toolchains which are maintained by third parties.

With those unique challenges in mind, we asked ourselves: How can we support developers in building software reproducibly? To answer this, we decided to conduct a series of interviews with open source maintainers and contributors to gain insights into their motivation, experiences, and approaches for reproducible builds.

Overall, we aim to better support open source projects starting to work on reproducible builds in getting up to speed.

Who we are

We are a group of security & privacy researchers from the German Max Planck Institute for Security and Privacy, the CISPA Helmholtz-Center for Information Security, and the George Washington University.

We study the intersection of computer security and privacy with human factors. We are particularly interested in investigating end users, administrators, developers, and designers of computer systems and their interdependencies with computer security and privacy mechanisms.

You can find some of our recent publications here.

Researchers

Marcel Fourné | Researcher (MPI-SP).
Contact: marcel.fourne@mpi-sp.org

Yasemin Acar | Principal Investigator, Assistant Professor (George Washington University).

Institutions

Max Planck Institute for Security and Privacy

CISPA Helmholtz-Center for Information Security

George Washington University Usable Security and Privacy Lab

Interview

Do you contribute to open source projects? We would like to invite you to an interview via an audio call on a platform of your choice (e.g., Zoom, our self-hosted Jitsi, …).

We are interested in your personal experiences and opinions, the approach that was taken, and the potential security impacts. We are not judging the project's deployed security measures in any way; we are only interested in the underlying structures.

Example Questions

We would like to conduct the interview in a semi-structured way: we open with a somewhat general question, which you can elaborate on to your liking and knowledge, after which we might ask some additional follow-up questions.

Some example questions:

  • S1Q1 Project: To start, we are interested in your background and that of [project we are interested in re: reproducible builds]. Please tell us a little bit about how you got involved?
  • S2Q4 Reasons: [project] has[/has not yet] made progress towards reproducible builds. We’ll be very interested in the process in a moment. Before we start on that, we are interested in your reasons for making [project] reproducible?
  • S3Q7 Tooling: What is your tech setup/specific tooling or other resources to help you make [project] reproducible?
  • S5Q11a Hindsight: Would using current tools solve a lot of the problems you encountered?
  • S5Q13 Generalizability: How specific would you say your process was to your project?

Data Handling

We would like to analyze the interviews based on transcripts. For this, we would need to collect the following data:

  • A recording of your interview, which will be destroyed after transcription (likely a few days after the interview).
  • A de-identified transcript of the interview (with your personal and project information removed), destroyed after completion of our research (likely a few months after the interview).

The interview & data handling process was approved by an IRB:

  • Collected data is de-identified if possible.
  • During all research, data access is restricted to a small number of trained researchers.
  • All collected data is handled according to strict GDPR/DSGVO regulations.
  • All data will be destroyed after completion of our research.

Our full consent disclosure is as follows:

  • Participation: Your participation is of course entirely voluntary. You may skip any questions you don’t want to answer, abort the interview at any time for any reason, or cancel the interview appointment.
  • Data Collection: We would like to record the call’s audio for later transcription by a GDPR/DSGVO compliant transcription service. After we de-identify as well as pseudonymize transcripts and check them for accuracy, all recordings will be discarded.
  • Sensitive Questions: We are mostly interested in the approaches and experiences with reproducible builds and potential security impacts in the project. Of course, you can skip any question at any time.
  • Risks: The risks to your participation in this online interview study are those associated with basic computer tasks, including boredom, fatigue, mild stress, or breach of confidentiality.
  • Benefits: Benefits of participating in the interview are the learning experience from participating in a research study, the contribution to the state of scientific knowledge, and a wider audience for the reproducible builds effort.