Trusting code in the wild: A social network-based centrality rating for developers in the Rust ecosystem
As modern software extensively uses open source packages, developers regularly pull in new upstream code through frequent updates. While a manual review of all upstream changes may not be practical, developers may rely on the authors' and reviewers' identities, among other factors, to decide what level of review the new code may require. The goal of this study is to help downstream project developers prioritize review efforts for upstream code by providing a social network-based centrality rating for the authors and reviewers of that code. To that end, we build a social network of 6,949 developers across the collaboration activity from 1,644 Rust packages. Further, we survey the developers in the network to evaluate whether code coming from a developer with a higher centrality rating is likely to be accepted with less scrutiny by the downstream projects and, therefore, is perceived to be more trusted. Our results show that 97.7% of the developers from the studied packages are interconnected via collaboration, with each developer separated from another via only four other developers in the network. The interconnection among developers from different Rust packages establishes the ground for identifying the central developers in the ecosystem. Our survey responses (N=206) show that the respondents are more likely not to differentiate between developers in deciding how to review upstream changes (60.2% of the time). However, when they do differentiate, our statistical analysis showed a significant correlation between developers' centrality ratings and the level of scrutiny their code might face from the downstream projects, as indicated by the respondents.