Interview Study:
Open Source Contributor Security

Project Overview

Nowadays, open source software is well-established and ever-present, and has long found its way into various commercial tools. Because of this, anything that removes or (maliciously) modifies these projects can have a vast and often disastrous impact on the digital world, as various recent incidents have illustrated. This includes not only developer choices such as protestware, but also supply-chain attacks.

Furthermore, open source projects are highly dependent on the security choices of motivated individuals. Unlike companies, which have developers under contract and provide security and safety policies, open source projects need to create and maintain such policies themselves, or trust their contributors. This can significantly affect the security of the overall project.

In this interview study, we are interested in the individual security and safety practices of open source contributors. We aim to speak with developers who are part of popular open source projects and talk with them about their practices regarding, e.g., device usage, authentication, or data safety.

Research Questions

  1. What security and safety practices do open source contributors deploy to secure their devices, accounts and data? What security/safety challenges do contributors face?
  2. Which guides and measures do open source projects provide for contributors?
  3. How can we better support open source contributors in maintaining their security and safety practices?

Participation

If we sent you an email: Thank you for your interest! We reached out to you based on your valuable contributions to popular repositories that were active within the last few months and that are highly entwined with the open source community, as indicated by their high number of dependents. To participate, please follow the pre-survey link in the email we sent you.

If we did not send you an email: To ensure a transparent recruitment approach, our study is conducted on an email-invite basis. Unfortunately, there is currently no other way to participate.

Data Handling

To be able to analyze our conversation properly, we would like to record it with your consent. The recording will be processed into a fully anonymized transcript, i.e., we will remove any pointers to your identity or to the projects you are affiliated with. This data will be shared only with the involved researchers and destroyed as soon as it is no longer needed, at the latest once the project is finished.

Our research is approved by the Ethical Research Board of our institution, which ensures that it complies with current data protection regulations and ethical research standards.

Who we are

We are a research team from the state-funded CISPA Helmholtz Center for Information Security in Germany. Our group studies the intersection of computer security and privacy with human factors. We are particularly interested in investigating end users, administrators, developers, and designers of computer systems and their interdependencies with computer security and privacy mechanisms.

You can find our publications here.

Researchers

Sabrina Amft | Researcher & PhD Student (CISPA)
Contact: sabrina.amft@cispa.de

Sandra Höltervennhoff | Researcher & PhD Student (CASA)
Prof. Dr. Sascha Fahl | Principal Investigator, Tenured Faculty (CISPA) and Full Professor (Leibniz University Hannover)
Prof. Dr. Karola Marky | Principal Investigator, Full Professor (Ruhr-University Bochum)

Institutions


CISPA Helmholtz-Center for Information Security


Leibniz University Hannover


Ruhr University Bochum