ARMS: A Vision for Actor Reputation Metric Systems in the Open-Source Software Supply Chain
read the original abstract
Many critical information technology and cyber-physical systems rely on a supply chain of open-source software projects. OSS project maintainers often integrate contributions from external actors. While maintainers can assess the correctness of a pull request, assessing a pull request's cybersecurity implications is challenging. To help maintainers make this decision, we propose that the open-source ecosystem should incorporate Actor Reputation Metrics (ARMS). This capability would enable OSS maintainers to assess a prospective contributor's cybersecurity reputation. To support the future instantiation of ARMS, we identify seven generic security signals from industry standards; map concrete metrics from prior work and available security tools, describe study designs to refine and assess the utility of ARMS, and finally weigh its pros and cons.
This paper has not been read by Pith yet.
Forward citations
Cited by 3 Pith papers
-
On Good Authority: Release-Authority Measurement for Registry-Mediated Package Ecosystems
The study defines a predecessor-aware release-authority record, applies it to 45,812 releases across five registries, and identifies 204 public release-path discontinuities with practitioner-validated review rules.
-
On Good Authority: Release-Authority Measurement for Registry-Mediated Package Ecosystems
Introduces a predecessor-aware release-authority record and applies it to 43,100 comparisons across five registries to surface 204 policy-triggering release-path discontinuities validated by blinded practitioner review.
-
Operationalizing Research Software for Supply Chain Security
A harmonized RSSC-oriented taxonomy standardizes research software definitions, maps prior studies, and demonstrates that security signals from OpenSSF Scorecard vary meaningfully across taxonomy clusters on the RSE corpus.
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.