What makes a trustworthy crate maintainer?

#1

Quite recently there was a paper published discussing various threats to the npm package manager. One thing mentioned was the trustworthiness of package maintainers and how package maintainers that are trusted generally increase the overall security of their packages and those that depend on them.

I’m interested in what the Rust community has to say about what they think has a positive impact on the trustworthiness of a maintainer. For example, I don’t use my name when publishing crates, due to privacy concerns. Though, I can see how that could be interpreted as me not wanting to take full ownership and responsibility of the code I publish and thereby generally make me less trustworthy.

What do you think are good/bad signs of trustworthy package maintainers?

0 Likes

#2

Here’s a few metrics I think are useful:

  1. Reputation in larger community (do other reputable people also consider this person reputable; chain of trust)
  2. Real World Identity (corporate or personal; maintainer has a stake in how their persona is viewed)
  3. Project Management (does maintainer respond to issues, publish patch notes, follow semver)

0 Likes

#3

I’ve tried to compute “trust” automatically for the crates ecosystem based on assumptions that:

  • crate owners trust crate co-owners,
  • crate authors trust authors of their crate’s dependencies,
  • authors that belong to certain groups, like Mozilla or rust-lang developers, are more trusted,
  • and that the more popular a crate is, the more trusted it is in general by the community.

and then spreading that trust PageRank-style throughout the graph. The results are here:

Some observations:

  • there’s likely to be a significant difference between what people say/think about trust, and what they do. You might not know authors of Rust’s most popular crates, but you can’t use Rust much without implicitly trusting them.

  • My “trust” analysis above is rather naive. Actual trust is contextual — you’ll think about trust very differently when you write a hobby project vs when you write firmware for a jet fighter.

5 Likes
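The trust propagation described in the post above, written out as an added example; this is not the author's tool or any forum code. It builds an author graph from a constructed toy registry (co-owners trust each other, crate owners trust the owners of their dependencies), seeds trust from group membership and download share, and runs a personalized PageRank over it. The crate data, the `TRUSTED_GROUP` list, the edge weights, the seed bonuses and the damping factor are all constructed assumptions.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One crate in a constructed toy registry (not real crates.io data).
struct CrateInfo {
    name: &'static str,
    owners: &'static [&'static str],
    deps: &'static [&'static str],
    downloads: u64,
}

/// Constructed sample registry: five authors, four crates.
const CRATES: &[CrateInfo] = &[
    CrateInfo { name: "core-util", owners: &["alice", "bob"], deps: &[], downloads: 100_000 },
    CrateInfo { name: "webfw", owners: &["carol"], deps: &["core-util"], downloads: 20_000 },
    CrateInfo { name: "myapp", owners: &["dave"], deps: &["webfw", "core-util"], downloads: 50 },
    CrateInfo { name: "obscure", owners: &["eve"], deps: &[], downloads: 10 },
];

/// Authors in a group that receives extra seed trust (constructed assumption).
const TRUSTED_GROUP: &[&str] = &["alice"];

/// PageRank damping factor and iteration count (assumed values).
const DAMPING: f64 = 0.85;
const ITERATIONS: usize = 100;

/// Returns authors ranked by propagated trust, highest first; scores sum to 1.
pub fn trust_scores() -> Vec<(String, f64)> {
    // Collect authors in a deterministic order and index them.
    let mut authors: BTreeSet<&str> = BTreeSet::new();
    for c in CRATES {
        for o in c.owners {
            authors.insert(*o);
        }
    }
    let idx: BTreeMap<&str, usize> = authors.iter().enumerate().map(|(i, a)| (*a, i)).collect();
    let n = idx.len();
    let by_name: BTreeMap<&str, &CrateInfo> = CRATES.iter().map(|c| (c.name, c)).collect();

    // out[u][v] = how much author u trusts author v (co-ownership and dependency edges).
    let mut out = vec![vec![0.0f64; n]; n];
    for c in CRATES {
        for a in c.owners {
            // Crate owners trust their co-owners.
            for b in c.owners {
                if a != b {
                    out[idx[a]][idx[b]] += 1.0;
                }
            }
            // Crate owners trust the owners of the crates they depend on.
            for d in c.deps {
                if let Some(dep) = by_name.get(d) {
                    for b in dep.owners {
                        if a != b {
                            out[idx[a]][idx[b]] += 1.0;
                        }
                    }
                }
            }
        }
    }

    // Seed trust: a base value for everyone, plus download share and group membership.
    let total_dl: f64 = CRATES.iter().map(|c| c.downloads as f64).sum();
    let mut seed = vec![1.0f64; n];
    for c in CRATES {
        for o in c.owners {
            seed[idx[o]] += 4.0 * c.downloads as f64 / total_dl;
        }
    }
    for a in TRUSTED_GROUP {
        if let Some(&i) = idx.get(a) {
            seed[i] += 2.0;
        }
    }
    let seed_sum: f64 = seed.iter().sum();
    for v in seed.iter_mut() {
        *v /= seed_sum;
    }

    // Personalized PageRank: teleport to the seed distribution instead of uniformly.
    // Mass held by authors with no outgoing edges is redistributed via the seed too.
    let out_sum: Vec<f64> = out.iter().map(|row| row.iter().sum()).collect();
    let mut score = seed.clone();
    for _ in 0..ITERATIONS {
        let mut next = vec![0.0f64; n];
        let mut dangling = 0.0;
        for u in 0..n {
            if out_sum[u] == 0.0 {
                dangling += score[u];
                continue;
            }
            for v in 0..n {
                if out[u][v] > 0.0 {
                    next[v] += DAMPING * score[u] * out[u][v] / out_sum[u];
                }
            }
        }
        for v in 0..n {
            next[v] += (1.0 - DAMPING + DAMPING * dangling) * seed[v];
        }
        score = next;
    }

    let mut ranked: Vec<(String, f64)> =
        authors.iter().map(|a| (a.to_string(), score[idx[a]])).collect();
    ranked.sort_by(|x, y| y.1.partial_cmp(&x.1).unwrap());
    ranked
}

fn main() {
    for (author, score) in trust_scores() {
        println!("{author:<8} {score:.4}");
    }
}
```

With this data `alice` ranks first (group bonus, co-ownership with `bob`, and inbound trust from everyone who depends on `core-util`), while `eve`, whose crate nobody depends on, ends up last. Changing the edge weights or the seed bonuses changes the ranking, which is exactly the "contextual" point the post makes: the numbers encode a policy, not a fact about the authors.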

#4

Trust is indeed contextual. I trust my bank with my money but not with my children. I trust my sister with my children, but not with my money.

9 Likes

#5

> Actual trust is contextual — you’ll think about trust very differently when you write a hobby project vs when you write firmware for a jet fighter.

> Trust is indeed contextual. I trust my bank with my money but not with my children. I trust my sister with my children, but not with my money.

I do certainly agree that trust is contextual. Maybe I didn’t scope the question correctly; what I meant was things that indicate to you a trustworthy crate maintainer, assuming you wish to use or implicitly depend on this maintainer’s code. I wasn’t thinking in specific terms such as safety-critical systems, since I expected some things would apply to most if not all contexts.

0 Likes

#6

These sound a lot more like “reliance”. Which is important but not quite the same thing as explicit trust.

1 Like