




















Abstract:Many critical information technology and cyber-physical systems rely on a supply chain of open-source software projects. OSS project maintainers often integrate contributions from external actors. While maintainers can assess the correctness of a pull request, assessing a pull request's cybersecurity implications is challenging. To help maintainers make this decision, we propose that the open-source ecosystem should incorporate Actor Reputation Metrics (ARMS). This capability would enable OSS maintainers to assess a prospective contributor's cybersecurity reputation. To support the future instantiation of ARMS, we identify seven generic security signals from industry standards; map concrete metrics from prior work and available security tools, describe study designs to refine and assess the utility of ARMS, and finally weigh its pros and cons.
From: Kelechi Gabriel Kalu [view email]
[v1]
Sat, 24 May 2025 15:55:57 UTC (3,247 KB)
[v2]
Tue, 27 Jan 2026 02:07:50 UTC (8,104 KB)
[v3]
Wed, 28 Jan 2026 19:31:44 UTC (8,104 KB)
[v4]
Fri, 3 Jul 2026 17:08:53 UTC (1,388 KB)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。