Title: Trusting Code in the Wild: Exploring Contributor Reputation Measures to Review Dependencies in the Rust Ecosystem
Authors: Sivana Hamer, Nasif Imtiaz, Mahzabin Tamanna, Preya Shabrina, Laurie Williams
Journal: IEEE Transactions on Software Engineering, vol. 51, no. 4, pp. 1319-1333 (Journal Article)
Published: 2025-03-18
DOI: 10.1109/TSE.2025.3551664
URL: https://ieeexplore.ieee.org/document/10932824/
Citations: 0
Abstract
Developers rely on open-source packages and must review dependencies to safeguard against vulnerable or malicious upstream code. A careful review of all dependency changes often does not occur in practice. Therefore, developers need signals to inform them of dependency changes that require additional examination, particularly measures of contributor reputation. The goal of this study is to help developers prioritize dependency review efforts by analyzing contributor reputation measures as a signal in the Rust ecosystem. We use network centrality measures to proxy contributor reputation using collaboration activity. We employ a mixed-methods methodology on the top 1,644 packages in the Rust ecosystem to build a network of 6,949 developers, survey 285 developers, and model 5 centrality measures. Through our survey, we find that only 24% of respondents often review dependencies before adding or updating a package, mentioning difficulties in the review process; signals are therefore employed. In particular, 51% of respondents often consider contributor reputation when reviewing dependencies. We further explore contributor reputation through network centrality measures employing multivariate mixed-effect linear regression models. We find that the closeness centrality measure is a significant factor in explaining how developers choose to review dependencies. Yet, centrality measures alone do not account for how developers choose to review dependencies. We recommend the Rust ecosystem implement a contributor reputation badge based on our modeled coefficients to complement developers' dependency review efforts.
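The abstract describes contributor reputation as closeness centrality computed over a collaboration network. The following Rust program is an added example, not the paper's code or dataset: it builds such a network from constructed contribution records, treating two contributors as adjacent when they have both landed commits in the same package (an assumed edge definition; the paper's exact construction is not given here), computes the Wasserman-Faust variant of closeness centrality so that disconnected contributors get a defined score, and flags contributors below a threshold as candidates for closer dependency review. All contributor and package names are made up, and the threshold is arbitrary.

```rust
use std::collections::{BTreeMap, BTreeSet, HashMap, VecDeque};

/// One contribution record: a contributor who landed a commit in a package.
/// Constructed sample data, not the paper's dataset.
#[derive(Debug, Clone)]
pub struct Contribution {
    pub contributor: &'static str,
    pub package: &'static str,
}

/// Undirected collaboration graph. Assumption: two contributors are adjacent
/// when they have both contributed to at least one common package.
pub struct CollaborationGraph {
    adj: BTreeMap<String, BTreeSet<String>>,
}

impl CollaborationGraph {
    pub fn from_contributions(records: &[Contribution]) -> Self {
        // Group contributors by package, then connect every pair within a package.
        let mut by_package: HashMap<&str, BTreeSet<&str>> = HashMap::new();
        for r in records {
            by_package.entry(r.package).or_default().insert(r.contributor);
        }
        let mut adj: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
        for r in records {
            // Every contributor is a node, even a sole maintainer with no collaborators.
            adj.entry(r.contributor.to_string()).or_default();
        }
        for members in by_package.values() {
            for a in members {
                for b in members {
                    if a != b {
                        adj.entry(a.to_string()).or_default().insert(b.to_string());
                    }
                }
            }
        }
        Self { adj }
    }

    /// Hop-count distances from `source` to every reachable node (BFS, unweighted edges).
    fn bfs_distances(&self, source: &str) -> HashMap<&str, usize> {
        let mut dist: HashMap<&str, usize> = HashMap::new();
        let Some((src_key, _)) = self.adj.get_key_value(source) else {
            return dist;
        };
        dist.insert(src_key.as_str(), 0);
        let mut queue = VecDeque::from([src_key.as_str()]);
        while let Some(u) = queue.pop_front() {
            let d = dist[u];
            if let Some(neigh) = self.adj.get(u) {
                for v in neigh {
                    if !dist.contains_key(v.as_str()) {
                        dist.insert(v.as_str(), d + 1);
                        queue.push_back(v.as_str());
                    }
                }
            }
        }
        dist
    }

    /// Wasserman-Faust closeness: ((r-1)/(n-1)) * ((r-1)/sum_of_distances), where r is the
    /// number of nodes reachable from `node` (itself included) and n is the node count.
    /// An isolated contributor therefore scores 0.0 instead of dividing by zero.
    pub fn closeness(&self, node: &str) -> f64 {
        let n = self.adj.len();
        let dist = self.bfs_distances(node);
        let reachable = dist.len();
        if n < 2 || reachable < 2 {
            return 0.0;
        }
        let total: usize = dist.values().sum();
        let r1 = (reachable - 1) as f64;
        (r1 / (n - 1) as f64) * (r1 / total as f64)
    }

    /// All contributors ranked by closeness, highest first; ties broken by name.
    pub fn rank_by_closeness(&self) -> Vec<(String, f64)> {
        let mut scores: Vec<(String, f64)> =
            self.adj.keys().map(|k| (k.clone(), self.closeness(k))).collect();
        scores.sort_by(|a, b| b.1.total_cmp(&a.1).then_with(|| a.0.cmp(&b.0)));
        scores
    }

    /// Contributors whose score falls below `threshold`: a signal to review their
    /// changes more carefully, not a verdict on the code itself.
    pub fn below_threshold(&self, threshold: f64) -> Vec<String> {
        self.adj.keys().filter(|k| self.closeness(k) < threshold).cloned().collect()
    }
}

/// Constructed sample: five packages, six contributors, one of them ("newcomer")
/// the sole contributor to an otherwise untouched package.
pub fn sample_contributions() -> Vec<Contribution> {
    let raw = [
        ("alice", "pkg-a"), ("bob", "pkg-a"),
        ("alice", "pkg-b"), ("bob", "pkg-b"), ("carol", "pkg-b"),
        ("alice", "pkg-c"), ("carol", "pkg-c"), ("dave", "pkg-c"),
        ("dave", "pkg-d"), ("erin", "pkg-d"),
        ("newcomer", "pkg-e"),
    ];
    raw.iter().map(|&(c, p)| Contribution { contributor: c, package: p }).collect()
}

fn main() {
    let graph = CollaborationGraph::from_contributions(&sample_contributions());
    for (name, score) in graph.rank_by_closeness() {
        println!("{name:<10} closeness = {score:.3}");
    }
    println!("flag for extra review: {:?}", graph.below_threshold(0.5));
}
```

On the constructed data, alice, carol and dave all score 0.64, bob about 0.457, erin 0.4, and newcomer 0.0 because no one else has touched pkg-e. That last case is the caveat the abstract itself raises: centrality alone does not decide whether a change deserves review. A first-time sole maintainer scores zero whether the code is excellent or malicious, so the score is a prioritization signal for where to spend review effort, not a substitute for reading the diff.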
Journal description:
IEEE Transactions on Software Engineering seeks contributions comprising well-defined theoretical results and empirical studies with potential impacts on software construction, analysis, or management. The scope of this Transactions extends from fundamental mechanisms to the development of principles and their application in specific environments. Specific topic areas include:
a) Development and maintenance methods and models: Techniques and principles for specifying, designing, and implementing software systems, encompassing notations and process models.
b) Assessment methods: Software tests, validation, reliability models, test and diagnosis procedures, software redundancy, design for error control, and measurements and evaluation of process and product aspects.
c) Software project management: Productivity factors, cost models, schedule and organizational issues, and standards.
d) Tools and environments: Specific tools, integrated tool environments, associated architectures, databases, and parallel and distributed processing issues.
e) System issues: Hardware-software trade-offs.
f) State-of-the-art surveys: Syntheses and comprehensive reviews of the historical development within specific areas of interest.