Youmei Fan,Dong Wang,Supatsara Wattanakriengkrai,Hathaichanok Damrongsiri,Christoph Treude,Hideaki Hata,Raula Gaikovina Kula

2024-01-30

Abstract:Maintainers are now self-sabotaging their work in order to take political or economic stances, a practice referred to as "protestware". In this poster, we present our approach to understand how the discourse about such an attack went viral, how it is received by the community, and whether developers respond to the attack in a timely manner. We study two notable protestware cases, i.e., Colors.js and es5-ext, comparing with discussions of a typical security vulnerability as a baseline, i.e., Ua-parser, and perform a thematic analysis of more than two thousand protest-related posts to extract the different narratives when discussing protestware.

Software Engineering

Tanner Finken,Jesse Chen,Sazzadur Rahaman

2024-09-30

Abstract:Protests are public expressions of personal or collective discontent with the current state of affairs. Although traditional protests involve in-person events, the ubiquity of computers and software opened up a new avenue for activism: protestware. The roots of protestware date back to the early days of computing. However, recent events in the Russo-Ukrainian war has sparked a new wave of protestware. While news and media are heavily reporting on individual protestware as they are discovered, the understanding of such software as a whole is severely limited. In particular, we do not have a detailed understanding of their characteristics and their impact on the community. To address this gap, we first collect 32 samples of protestware. Then, with these samples, we formulate characteristics of protestware using inductive analysis. In addition, we analyze the aftermath of the protestware which has potential to affect the software supply chain in terms of community sentiment and usage. We report that: (1) protestware has three notable characteristics, namely, i) the "nature of inducing protest" is diverse, ii) the "nature of targeting users" is discriminatory, and iii) the "nature of transparency" is not always respected; (2) disruptive protestware may cause substantial adverse impact on downstream users; (3) developers of protestware may not shift their beliefs even with pushback; (4) the usage of protestware from JavaScript libraries has been seen to generally increase over time.

Software Engineering

Marc Cheong,Raula Gaikovina Kula,Christoph Treude

2024-01-05

Abstract:A key drawback to using a Open Source third-party library is the risk of introducing malicious attacks. In recently times, these threats have taken a new form, when maintainers turn their Open Source libraries into protestware. This is defined as software containing political messages delivered through these libraries, which can either be malicious or benign. Since developers are willing to freely open-up their software to these libraries, much trust and responsibility are placed on the maintainers to ensure that the library does what it promises to do. Using different frameworks commonly used in AI ethics, we illustrate how an open-source maintainer's decision to protest is influenced by different stakeholders (viz., their membership in the OSS community, their personal views, financial motivations, social status, and moral viewpoints), making protestware a multifaceted and intricate matter.

Computers and Society,Cryptography and Security,Software Engineering

Jiaqi Wu,Lingfeng Bao,Xiaohu Yang,Xin Xia,Xing Hu

DOI: https://doi.org/10.1145/3643991.3644900

2024-01-01

Abstract:The popularity of open source software (OSS) has led to a significant increase in the number of available licenses, each with their own set of terms and conditions. This proliferation of licenses has made it increasingly challenging for developers to select an appropriate license for their projects and to ensure that they are complying with the terms of those licenses. As a result, there is a need for empirical studies to identify current practices and challenges in license usage, both to help developers make informed decisions about license selection and to ensure that OSS is being used and distributed in a legal and ethical manner. Moreover, the development of new licenses might be required to better meet the needs of the open source community and address emerging legal issues.In this paper, we conduct a large-scale empirical study of license usage across five package management platforms, i.e., Maven, NPM, PyPI, RubyGems, and Cargo. Our objective is to examine the current trends and potential issues in license usage of the OSS community. In total, we analyze the licenses of 33,710,877 packages across the selected five platforms. We statistically analyze licenses in package management platforms from multiple perspectives, e.g., license usage, license incompatibility, license updates, and license evolution. Moreover, we conduct a comparative study of various aspects of core packages and common packages in these platforms. Our results reveal irregularities in license names and license incompatibilities that require attention. We observe both similarities and differences in license usage across the five platforms, with Cargo being the most standardized among them. Finally, we discuss some implications for actions based on our findings.

Jing Wang,Patrick C. Shih,Yu Wu,John M. Carroll

DOI: https://doi.org/10.1016/j.infsof.2015.06.002

IF: 3.9

2015-01-01

Information and Software Technology

Abstract:The power of open source software peer review lies in the involvement of virtual communities, especially users who typically do not have a formal role in the development process. As communities grow to a certain extent, how to organize and support the peer review process becomes increasingly challenging. A universal solution is likely to fail for communities with varying characteristics. This paper investigates differences of peer review practices across different open source software communities, especially the ones engage distinct types of users, in order to offer contextualized guidance for developing open source software projects. Comparative case studies were conducted in two well-established large open source communities, Mozilla and Python, which engage extremely different types of users. Bug reports from their bug tracking systems were examined primarily, complemented by secondary sources such as meeting notes, blog posts, messages from mailing lists, and online documentations. The two communities differ in the key activities of peer review processes, including different characteristics with respect to bug reporting, design decision making, to patch development and review. Their variances also involve the designs of supporting technology. The results highlight the emerging role of triagers, who bridge the core and peripheral contributors and facilitate the peer review process. The two communities demonstrate alternative designs of open source software peer review and their tradeoffs were discussed. It is concluded that contextualized designs of social and technological solutions to open source software peer review practices are important. The two cases can serve as learning resources for open source software projects, or other types of large software projects in general, to cope with challenges of leveraging enormous contributions and coordinating core developers. It is also important to improve support for triagers, who have not received much research effort yet.

Jing Wang,Patrick C. Shih,John M. Carroll

DOI: https://doi.org/10.1016/j.ijhcs.2015.01.005

IF: 4.866

2015-01-01

International Journal of Human-Computer Studies

Abstract:Open source projects leverage a large number of people to review products and improve code quality. Differences among participants are inevitable and important to this collaborative review process—participants with different expertise, experience, resources, and values approach the problems differently, increasing the likelihood of finding more bugs and fixing the particularly difficult ones. To understand the impacts of member differences on the open source software peer review process, we examined bug reports of Mozilla Firefox. These analyses show that the various types of member differences increase workload as well as frustration and conflicts. However, they facilitate situated learning, problem characterization, design review, and boundary spanning. We discuss implications for work performance and community engagement, and suggest several ways to leverage member differences in the open source software peer review process.

Jing Wang,John M. Carroll

DOI: https://doi.org/10.1109/CTS.2011.5928673

2011-01-01

Abstract:Open source is an important model of collaborative knowledge work and virtual organizations. One of its work practices, peer review, is considered critical to its success, as Linus's law highlights. Thus, understanding open source peer review, particular effective review practices, will improve the understanding of how to support collaborative work in new ways. Therefore, we conduct case studies in two open source communities that are well recognized as effective and successful, Mozilla and Python. In this paper, we present the preliminary results of our analysis on data from the bug tracking systems of those two organizations. We identify four common activities critical to open source software peer review, submission, identification, resolution and evaluation. Differences between communities indicate factors, such as reporter expertise, product type and structure, and organization size, affect review activities. We also discuss features of open source software peer review distinct from traditional review, as well as reconsiderations of Linus's law.

Raula Gaikovina Kula,Christoph Treude

DOI: https://doi.org/10.48550/arXiv.2208.01393

2022-08-01

Software Engineering

Abstract:Reliance on third-party libraries is now commonplace in contemporary software engineering. Being open source in nature, these libraries should advocate for a world where the freedoms and opportunities of open source software can be enjoyed by all. Yet, there is a growing concern related to maintainers using their influence to make political stances (i.e., referred to as protestware). In this paper, we reflect on the impact of world politics on software ecosystems, especially in the context of the ongoing War in Ukraine. We show three cases where world politics has had an impact on a software ecosystem, and how these incidents may result in either benign or malignant consequences. We further point to specific opportunities for research, and conclude with a research agenda with ten research questions to guide future research directions.

Kholekile L. Gwebu,Jing Wang

DOI: https://doi.org/10.1016/j.jss.2010.07.011

IF: 3.5

2010-01-01

Journal of Systems and Software

Abstract:This study develops a typology that permits the classification of free open source software (FOSS) users into market segments. Based on the typology the nature and extent of perception differences between core FOSS users and FOSS users in other market segments is examined. Significant perception differences are observed between users in different market segments. Consequently, the potential barriers to FOSS adoption are identified and recommendations that may drive greater FOSS adoption are proposed.

Dror G. Feitelson

2023-06-02

Abstract:A tenet of open source software development is to accept contributions from users-developers (typically after appropriate vetting). But should this also include interventions done as part of research on open source development? Following an incident in which buggy code was submitted to the Linux kernel to see whether it would be caught, we conduct a survey among open source developers and empirical software engineering researchers to see what behaviors they think are acceptable. This covers two main issues: the use of publicly accessible information, and conducting active experimentation. The survey had 224 respondents. The results indicate that open-source developers are largely open to research, provided it is done transparently. In other words, many would agree to experiments on open-source projects if the subjects were notified and provided informed consent, and in special cases also if only the project leaders agree. While researchers generally hold similar opinions, they sometimes fail to appreciate certain nuances that are important to developers. Examples include observing license restrictions on publishing open-source code and safeguarding the code. Conversely, researchers seem to be more concerned than developers about privacy issues. Based on these results, it is recommended that open source repositories and projects address use for research in their access guidelines, and that researchers take care to ask permission also when not formally required to do so. We note too that the open source community wants to be heard, so professional societies and IRBs should consult with them when formulating ethics codes.

Software Engineering

Shehan Edirimannage,Charitha Elvitigala,Asitha Kottahachchi Kankanamge Don,Wathsara Daluwatta,Primal Wijesekara,Ibrahim Khalil

2024-11-12

Abstract:With the wave of high-profile supply chain attacks targeting development and client organizations, supply chain security has recently become a focal point. As a result, there is an elevated discussion on securing the development environment and increasing the transparency of the third-party code that runs in software products to minimize any negative impact from third-party code in a software product. However, the literature on secure software development lacks insight into how the third-party development tools used by every developer affect the security posture of the developer, the development organization, and, eventually, the end product. To that end, we have analyzed 52,880 third-party VS Code extensions to understand their threat to the developer, the code, and the development organizations. We found that ~5.6\% of the analyzed extensions have suspicious behavior, jeopardizing the integrity of the development environment and potentially leaking sensitive information on the developer's product. We also found that the VS Code hosting the third-party extensions lacks practical security controls and lets untrusted third-party code run unchecked and with questionable capabilities. We offer recommendations on possible avenues for fixing some of the issues uncovered during the analysis.

Cryptography and Security,Software Engineering

Lucas Franke,Huayu Liang,Sahar Farzanehpour,Aaron Brantly,James C. Davis,Chris Brown

2024-06-21

Abstract:Background: Governments worldwide are considering data privacy regulations. These laws, e.g. the European Union's General Data Protection Regulation (GDPR), require software developers to meet privacy-related requirements when interacting with users' data. Prior research describes the impact of such laws on software development, but only for commercial software. Open-source software is commonly integrated into regulated software, and thus must be engineered or adapted for compliance. We do not know how such laws impact open-source software development. Aims: To understand how data privacy laws affect open-source software development. We studied the European Union's GDPR, the most prominent such law. We investigated how GDPR compliance activities influence OSS developer activity (RQ1), how OSS developers perceive fulfilling GDPR requirements (RQ2), the most challenging GDPR requirements to implement (RQ3), and how OSS developers assess GDPR compliance (RQ4). Method: We distributed an online survey to explore perceptions of GDPR implementations from open-source developers (N=56). We further conducted a repository mining study to analyze development metrics on pull requests (N=31462) submitted to open-source GitHub repositories. Results: GDPR policies complicate open-source development processes and introduce challenges for developers, primarily regarding the management of users' data, implementation costs and time, and assessments of compliance. Moreover, we observed negative perceptions of GDPR from open-source developers and significant increases in development activity, in particular metrics related to coding and reviewing activity, on GitHub pull requests related to GDPR compliance. Conclusions: Our findings motivate policy-related resources and automated tools to support data privacy regulation implementation and compliance efforts in open-source software.

Software Engineering

Tien Rahayu Tulili,Ayushi Rastogi,Andrea Capiluppi

DOI: https://doi.org/10.48550/arXiv.2405.16981

2024-05-27

Abstract:Collaborative software development happens in teams, that cooperate on shared artefacts, and discuss development on online platforms. Due to the complexity of development and the variety of teams, software components often act as effective containers for parallel work and teams. Past research has shown how communication between team members, especially in an open-source environment, can become extremely toxic, and lead to members leaving the development team. This has a direct effect on the evolution and maintenance of the project in which the former members were active in. The purpose of our study is two-fold: first, we propose an approach to evaluate, at a finer granularity, the positive and negative emotions in the communication between developers; and second, we aim to characterise a project's development paths, or components, as more or less impacted by the emotions. Our analysis evaluates single sentences rather than whole messages as the finest granularity of communication. The previous study found that the high positivity or negativity at the sentence level may indirectly impact the writer him/herself, or the reader. In this way, we could highlight specific paths of Gentoo as the most affected by negative emotions, and show how negative emotions have evolved and changed along the same paths. By joining the analysis of the mailing lists, from which we derive the sentiment of the developers, with the information derived from the development logs, we obtained a longitudinal picture of how development paths have been historically affected by positive or negative emotions. Our study shows that, in recent years, negative emotions have generally decreased in the communication between Gentoo developers. We also show how file paths, as collaborative software development artefacts, were more or less impacted by the emotions of the developers.

Software Engineering

Hsu Myat Win,Haibo Wang,Shin Hwei Tan

DOI: https://doi.org/10.48550/arXiv.2302.11985

2023-02-23

Abstract:Given the rapid growth of Open-Source Software (OSS) projects, ethical considerations are becoming more important. Past studies focused on specific ethical issues (e.g., gender bias and fairness in OSS). There is little to no study on the different types of unethical behavior in OSS projects. We present the first study of unethical behavior in OSS projects from the stakeholders' perspective. Our study of 316 GitHub issues provides a taxonomy of 15 types of unethical behavior guided by six ethical principles (e.g., autonomy).Examples of new unethical behavior include soft forking (copying a repository without forking) and self-promotion (promoting a repository without self-identifying as contributor to the repository). We also identify 18 types of software artifacts affected by the unethical behavior. The diverse types of unethical behavior identified in our study (1) call for attentions of developers and researchers when making contributions in GitHub, and (2) point to future research on automated detection of unethical behavior in OSS projects. Based on our study, we propose Etor, an approach that can automatically detect six types of unethical behavior by using ontological engineering and Semantic Web Rule Language (SWRL) rules to model GitHub attributes and software artifacts. Our evaluation on 195,621 GitHub issues (1,765 GitHub repositories) shows that Etor can automatically detect 548 unethical behavior with 74.8% average true positive rate. This shows the feasibility of automated detection of unethical behavior in OSS projects.

Software Engineering

Ramtin Ehsani,Rezvaneh Rezapour,Preetha Chatterjee

DOI: https://doi.org/10.48550/arXiv.2307.15631

2023-07-28

Abstract:To foster collaboration and inclusivity in Open Source Software (OSS) projects, it is crucial to understand and detect patterns of toxic language that may drive contributors away, especially those from underrepresented communities. Although machine learning-based toxicity detection tools trained on domain-specific data have shown promise, their design lacks an understanding of the unique nature and triggers of toxicity in OSS discussions, highlighting the need for further investigation. In this study, we employ Moral Foundations Theory to examine the relationship between moral principles and toxicity in OSS. Specifically, we analyze toxic communications in GitHub issue threads to identify and understand five types of moral principles exhibited in text, and explore their potential association with toxic behavior. Our preliminary findings suggest a possible link between moral principles and toxic comments in OSS communications, with each moral principle associated with at least one type of toxicity. The potential of MFT in toxicity detection warrants further investigation.

Software Engineering

Anne Henning,Lukas Schulte,Steffen Herbold,Oksana Kulyk,Peter Mayer

DOI: https://doi.org/10.48550/arXiv.2304.06367

2023-04-13

Software Engineering

Abstract:Context: Data protection regulations such as the GDPR and the CCPA affect how software may handle the personal data of its users and how consent for handling of such data may be given. Prior literature focused on how this works in operation, but lacks a perspective of the impact on the software development process. Objective: Within our work, we will address this gap and explore how software development itself is impacted. We want to understand which data protection-related issues are reported, who reports them, and how developers react to such issues. Method: We will conduct an exploratory study based on issues that are reported with respect to data protection in open source software on GitHub. We will determine the roles of the actors involved, the status of such issues, and we use inductive coding to understand the data protection issues. We qualitatively analyze the issues as part of the inductive coding and further explore the reasoning for resolutions. We quantitatively analyze the relation between the roles, resolutions, and data protection issues to understand correlations.

Yuxia Zhang,Mian Qin,Klaas-Jan Stol,Minghui Zhou,Hui Liu

DOI: https://doi.org/10.1145/3597503.3639197

2024-01-25

Abstract:It is now commonplace for organizations to pay developers to work on specific open source software (OSS) projects to pursue their business goals. Such paid developers work alongside voluntary contributors, but given the different motivations of these two groups of developers, conflict may arise, which may pose a threat to a project's sustainability. This paper presents an empirical study of paid developers and volunteers in Rust, a popular open source programming language project. Rust is a particularly interesting case given considerable concerns about corporate participation. We compare volunteers and paid developers through contribution characteristics and long-term participation, and solicit volunteers' perceptions on paid developers. We find that core paid developers tend to contribute more frequently; commits contributed by one-time paid developers have bigger sizes; peripheral paid developers implement more features; and being paid plays a positive role in becoming a long-term contributor. We also find that volunteers do have some prejudices against paid developers. This study suggests that the dichotomous view of paid vs. volunteer developers is too simplistic and that further subgroups can be identified. Companies should become more sensitive to how they engage with OSS communities, in certain ways as suggested by this study.

Software Engineering

Yang Yue,Yi Wang,David Redmiles

DOI: https://doi.org/10.48550/arXiv.2306.05548

2023-06-08

Software Engineering

Abstract:Encompassing a diverse population of developers, non-technical users, organizations, and many other stakeholders, open source software (OSS) development has expanded to broader social movements from the initial product development aims. Ideology, as a coherent system of ideas, offers value commitments and normative implications for any social movement, so does OSS ideology for the open source movement. However, the literature on open source ideology is often fragile, or lacking in empirical evidence. In this paper, we sought to develop a comprehensive empirical theory of ideologies in open source software movement. Following a grounded theory procedure, we collected and analyzed data from 22 semi-structured interviews and 41 video recordings of Open Source Initiative (OSI) board members' public speeches. An empirical theory of OSS ideology emerged in our analysis, with six key categories: membership, norms/values, goals, activities, resources, and positions/group relations; each consists of a number of themes and subthemes. We discussed a subset of carefully selected themes and subthemes in detail based on their theoretical significance. With this ideological lens, we examined the implications and insights into open source development, and shed light on the research into open source as a social-cultural construction in the future.

Lauren Olson,Tom P. Humbert,Ricarda Anna-Lena Fischer,Bob Westerveld,Florian Kunneman,Emitzá Guzmán

2024-10-11

Abstract:Many modern software applications present numerous ethical concerns due to conflicts between users' values and companies' priorities. Intersectional communities, those with multiple marginalized identities, are disproportionately affected by these ethical issues, leading to legal, financial, and reputational issues for software companies, as well as real-world harm for intersectional users. Historically, the voices of intersectional communities have been systematically marginalized and excluded from contributing their unique perspectives to software design, perpetuating software-related ethical concerns. This work aims to fill the gap in research on intersectional users' software-related perspectives and provide software practitioners with a starting point to address their ethical concerns. We aggregated and analyzed the intersectional users' ethical concerns over time and developed a prioritization method to identify critical concerns. To achieve this, we collected posts from over 700 intersectional subreddits discussing software applications, utilized deep learning to identify ethical concerns in these posts, and employed state-of-the-art techniques to analyze their content in relation to time and priority. Our findings revealed that intersectional communities report \textit{critical} complaints related to cyberbullying, inappropriate content, and discrimination, highlighting significant flaws in modern software, particularly for intersectional users. Based on these findings, we discuss how to better address the ethical concerns of intersectional users in software development.

Software Engineering,Human-Computer Interaction

Yi Wen Heng,Zeyang Ma,Haoxiang Zhang,Zhenhao Li,Tse-Hsun,Chen

2024-11-12

Abstract:Reusing third-party libraries increases productivity and saves time and costs for developers. However, the downside is the presence of vulnerabilities in those libraries, which can lead to catastrophic outcomes. For instance, Apache Log4J was found to be vulnerable to remote code execution attacks. A total of more than 35,000 packages were forced to update their Log4J libraries with the latest version. Although several studies have been conducted to predict software vulnerabilities, the prediction does not cover the vulnerabilities found in third-party libraries. Even if the developers are aware of the forthcoming issue, replicating a function similar to the libraries would be time-consuming and labour-intensive. Nevertheless, it is practically reasonable for software developers to update their third-party libraries (and dependencies) whenever the software vendors have released a vulnerable-free version. In this work, our manual study focuses on the real-world practices (crowd reaction) adopted by software vendors and developer communities when a vulnerability is disclosed. We manually investigated 312 CVEs and identified that the primary trend of vulnerability handling is to provide a fix before publishing an announcement. Otherwise, developers wait an average of 10 days for a fix if it is unavailable upon the announcement. Additionally, the crowd reaction is oblivious to the vulnerability severity. In particular, we identified Oracle as the most vibrant community diligent in releasing fixes. Their software developers also actively participate in the associated vulnerability announcements.

Software Engineering