pith. sign in

arxiv: 2505.18760 · v4 · pith:7DF6SQL4new · submitted 2025-05-24 · 💻 cs.CR · cs.SE

ARMS: A Vision for Actor Reputation Metric Systems in the Open-Source Software Supply Chain

classification 💻 cs.CR cs.SE
keywords armsmaintainersassessopen-sourcereputationactorchaincybersecurity
0
0 comments X
read the original abstract

Many critical information technology and cyber-physical systems rely on a supply chain of open-source software projects. OSS project maintainers often integrate contributions from external actors. While maintainers can assess the correctness of a pull request, assessing a pull request's cybersecurity implications is challenging. To help maintainers make this decision, we propose that the open-source ecosystem should incorporate Actor Reputation Metrics (ARMS). This capability would enable OSS maintainers to assess a prospective contributor's cybersecurity reputation. To support the future instantiation of ARMS, we identify seven generic security signals from industry standards; map concrete metrics from prior work and available security tools, describe study designs to refine and assess the utility of ARMS, and finally weigh its pros and cons.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 3 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. On Good Authority: Release-Authority Measurement for Registry-Mediated Package Ecosystems

    cs.SE 2026-06 conditional novelty 8.0

    The study defines a predecessor-aware release-authority record, applies it to 45,812 releases across five registries, and identifies 204 public release-path discontinuities with practitioner-validated review rules.

  2. On Good Authority: Release-Authority Measurement for Registry-Mediated Package Ecosystems

    cs.SE 2026-06 unverdicted novelty 7.0

    Introduces a predecessor-aware release-authority record and applies it to 43,100 comparisons across five registries to surface 204 policy-triggering release-path discontinuities validated by blinded practitioner review.

  3. Operationalizing Research Software for Supply Chain Security

    cs.SE 2026-01 accept novelty 6.0

    A harmonized RSSC-oriented taxonomy standardizes research software definitions, maps prior studies, and demonstrates that security signals from OpenSSF Scorecard vary meaningfully across taxonomy clusters on the RSE corpus.