ARMS: A Vision for Actor Reputation Metric Systems in the Open-Source Software Supply Chain

Many critical information technology and cyber-physical systems rely on a supply chain of open-source software (OSS) projects. OSS project maintainers often integrate contributions from external actors. While maintainers can assess the correctness of a change request, assessing a change request's cybersecurity implications is challenging. To help maintainers make this decision, we propose that the open-source ecosystem should incorporate Actor Reputation Metrics (ARMS). This capability would enable OSS maintainers to assess a prospective contributor's cybersecurity reputation. To support the future instantiation of ARMS, we identify seven generic security signals from industry standards, map concrete metrics from prior work and available security tools, describe study designs to refine and assess the utility of ARMS, and finally weigh its pros and cons.
@article{kalu2025_2505.18760,
  title={ARMS: A Vision for Actor Reputation Metric Systems in the Open-Source Software Supply Chain},
  author={Kelechi G. Kalu and Sofia Okorafor and Betül Durak and Kim Laine and Radames C. Moreno and Santiago Torres-Arias and James C. Davis},
  journal={arXiv preprint arXiv:2505.18760},
  year={2025}
}