Supply Chain Interviews
Does your company use open source components in software projects? We would love to interview you about the projects and your experiences!

What: We are looking for interview partners from industry and related areas to gain deeper insights into the use of open source components.

Who: We are a group of cyber security & privacy researchers from the George Washington University and the German CISPA Helmholtz-Center for Information Security.

Why: As part of the supply chain, a single compromised open source component threatens the whole software stack. We are interested in how industry stakeholders deal with these challenges and how we can better support them.

How: A transcribed, anonymous voice interview. The interview would be:

  • Fully anonymous for you, the company, and the projects. We will remove all references or identifying information.
  • At most, we plan on publishing short anonymized quotes from the interview. You will get a chance to update or veto any quotes before a publication.
  • On any voice platform of your choice (Our self-hosted Jitsi instance, Zoom, Webex, BBB, …), no camera required.

Participate
You can directly book a timeslot for the interview via our Calendly event or write us an email for a more convenient time slot.
(The 1-hour timeslot includes time to spare; the median interview time so far has been around 35 minutes.)

About

Whether as low-level system drivers in operating systems, as tooling in our daily jobs, or simply as dependencies of our hobby projects, open source software is an important building block of our everyday lives.

Motivation

Open source software is often itself part of an even larger chain: the supply chain of included packages. These packages are often included from package repositories and present a wide attack surface.

Just one compromised package threatens all users of the open source component it was included in.

“To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.” – Ken Thompson in “Reflections on Trusting Trust” [1].

Previous Publication

In a previous publication, we conducted interviews with open source maintainers and committers to better understand the security and privacy processes that happen behind the scenes in open source projects.

Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects
Dominik Wermke, Noah Wöhler, Jan H. Klemmer, Marcel Fourné, Yasemin Acar and Sascha Fahl.
43rd IEEE Symposium on Security and Privacy (S&P'22), May 22-26, 2022.

While this publication focused on the “beginning” of the open source supply chain, we are now interested in how the “consumers” of these open source components approach supply chain challenges.

Overall, we aim to better support open source stakeholders with trust and security considerations — by investigating both public and internal security measures and trust processes within a diverse set of projects.

Interview

Do you work on projects with open source components? We would like to invite you to an interview via an audio call on a platform of your choice (e.g., Zoom, Skype, our self-hosted Jitsi, …).

We are interested in your personal experiences and opinions, as well as the security & trust processes in the projects. We are not judging the deployed security measures of the project; we are just interested in the underlying structures and considerations.

Example Questions

The interview is set up in a semi-structured approach: each section opens with a somewhat general question on which you can elaborate to your liking and knowledge, after which we might ask some additional follow-up questions.

Some example questions:

  • S1Q1 Project: Can you tell us a bit about the project(s) you are involved in?
  • S2Q1 Components: Are you aware of any open source components included in your project?
  • S2Q3 Supply Chain: How are those external components pulled/included into the build process?
  • S3Q3 Documentation: Does your project provide guides/best practices/hints for including external code (e.g., open source components)?
  • S4Q2 Updating: How are you keeping open source components up to date?

Data Handling

We would like to analyze the interviews based on transcripts. For this, we need to collect the following data:

  • A recording of the interview, which will be destroyed after we have verified the transcription (likely a few days after the interview).
  • A fully anonymized and de-identified (your & project information) transcript of the interview, which will be destroyed after completion of our research (likely a few months after the interview).

The interview & data handling process was approved by our IRB:

  • Collected data is fully anonymized and de-identified where possible.
  • During all research, data access is restricted to a small number of trained researchers.
  • In addition, all collected data is handled according to strict GDPR/DSGVO regulations.
  • All data will be destroyed after completion of our research.

Who we are

We are a group of security & privacy researchers from George Washington University and the CISPA Helmholtz-Center for Information Security.

Our research focuses on end users, administrators, developers and designers of computer systems and their interdependencies with computer security and privacy mechanisms. You can find some of our recent publications on our institute page, as well as on our personal websites.

The involved main researchers are listed below; additional team members are listed on our institutes' pages [1, 2].

Main Researchers

Dominik Wermke
Visiting Researcher (George Washington University) and Researcher (CISPA).
Yasemin Acar | Principal Investigator
Tenure Track Assistant Professor (George Washington University).
Sascha Fahl
Tenured Faculty (CISPA) and Full Professor (Leibniz University Hannover).

Involved Institutions

George Washington University
University, Washington DC, USA.
CISPA Helmholtz-Center for Information Security
German national Big Science Institution within the Helmholtz Association.

Informed Consent Disclosure

Listed below is our full Informed Consent Disclosure, as approved by the IRB:

The following information is provided to inform you about the research project and your participation in it. Your participation in this research study is voluntary. You are free to withdraw from this study at any time during the interview. Before the start of the interview, we will ask you to verbally confirm your willingness to participate in this research and to have the interview recorded. Please keep a copy of this document in case you want to read it again.

1. Purpose of the Study

This study seeks to explore the use of open source components in software projects.

2. Who Is Eligible to Participate?

We are looking to interview participants with stakes in software projects (especially if open source components are involved), such as developers, admins, managers, security & privacy officers, etc., who agree to be interviewed.

3. Description of Procedures to Be Followed and Approximate Time Duration Involved for the Participants

You will indicate your availability for an interview schedule using Calendly. The interview will be conducted and recorded via a video call software of your choice (e.g., Zoom). Use and recording of video is optional; you can choose to turn off your camera for the entire duration of the interview. The interview will last approximately 30-40 minutes, depending on the length of your answers.

4. Expected Costs

There are no direct costs (aside from your time) involved with participating in the interview.

5. Description of the Discomforts, Inconveniences, and/or Risks That Can Be Reasonably Expected as a Result of Participation

Expected discomforts and inconveniences are those commonly associated with video calls, such as boredom and loss of time. Expected risks are generally minimal, but may include loss of confidentiality or reputational harm. We aim to reduce these risks by de-identifying your transcript and mentions of identifiable information, both during data analysis and in a resulting publication. If requested, we will provide you with a preprint of our research, allowing you to request changes or veto use of quotes.

6. Anticipated Benefits From This Study

There are no direct benefits to participating in this study.

The indirect benefits include your contribution to current scientific research and, ultimately, improving the supply chain security of (your) software projects.

7. Compensation for Participation

The Upwork job includes a compensation of $60 for participation in this study (which already includes Upwork fees; your actual payout may be less than $60). If desired, we will send you the final publication based on this interview study.

8. Circumstances Under Which the Principal Investigator May Withdraw You from the Study

In case the internet connection does not allow for a meaningful conversation, or in cases of ineligibility, we may remove you from the study. In that case, we would discard your responses and not use them for analysis.

9. What Happens If You Choose to Withdraw from the Study

You can withdraw from the study at any time by informing the interviewer. If you choose to do so, your data will not be used in the study. You will not be compensated should you choose to do so.

10. Contact Information

For any questions or concerns, feel free to contact the researchers directly via email:

You can also contact GWU IRB by visiting https://humanresearch.gwu.edu/contact-us or by emailing ohrirb@gwu.edu.

11. Confidentiality

  • All information and codes you provide will be stored de-identified, and will appear only anonymized in any potential publication.
  • Before any publication, we will provide you with a preprint of our research, allowing you to request changes or to veto quotes.
  • All interview recordings will be deleted after the transcripts have been checked for correctness.
  • All data is stored and handled by a small number of qualified researchers following IRB guidelines and the strict European privacy laws (GDPR).
  • Audio files will be transcribed by the GDPR-compliant service Amberscript.

  1. Ken Thompson: Reflections on Trusting Trust. PDF