Trust in open-source software

Wed, Jan 24, 2024 · Aparna Sundar, Kris Freedain

An open-source project enhances community trust in multiple ways. Strategies recommended by the Linux Foundation to enhance community trust include seeking out influential peers and mentors, practicing in an open and collaborative environment, adopting flexible IT infrastructure that supports open-source development, tracking metrics designed for an open-source environment, adopting a tailored but lightweight approach to code contributions, sharing information, contributing to products and services to remain relevant and up to date, and supporting maintainers. Also important are reduced technical debt, the development of internal talent, mentorship programs, and participation in technical discussions in order to increase visibility. In 2023-Q4, we measured trust in the OpenSearch project. In this blog we share some of our findings and detail how the practical involvement of the community, and being physically present, can help boost community trust.

Transparency

While transparency is a key pillar of open-source projects, questions regarding trust are often raised. Critics of open-source code question whether contributors demonstrate a sufficient level of self-critique, which, if lacking, could result in “bad faith” commits. Critics also question whether the open-source model is designed for security, given the reduced accountability, the exposure of developers to attackers, and other risks. Because the source code is available for anyone to modify or distribute, developer trust in the project is important. Individual developers and companies alike trust open-source software because using it is easier than developing code from scratch.

Findings from our survey

The Linux Foundation suggests ways to measure security awareness and the success of an open-source program. That said, there are other ways to measure organizational trust. The core foundation of organizational trust is the quality of the relationship between individuals and the organization. Trust is essentially a multi-level construct that is culturally rooted, dynamic, and multi-dimensional, and it is an outcome of organizational communication. Trust also has a measurable financial impact on an organization.

We hosted the survey on OpenSearch.org in Q2 and Q3 of 2023 and publicized it through partner communications and community meetings. 36 community members participated in the survey. 91.7% of the sample indicated that they used OpenSearch in a self-service capacity, 66.7% identified as belonging to the Infra role, and 63.9% used OpenSearch to power log analytics use cases. This sample expressed a relatively positive perception of OpenSearch, with an NPS of 64 (compared to 57.8 in Q1). The users who took the survey represented a wide variety of organizations, with 22% part of large organizations with over 10,000 employees.

We were most interested in measuring trust in OpenSearch. The sample indicated an average trust score of 7.4 out of 10. We adopted the KDPaine & Partners scale for measuring trust, which consists of six dimensions. The dimensions, with the average score and Cronbach's alpha for each, were perceived dependability (4-item measure; 7.8; alpha = .89), perceived control mutuality (3-item measure; 7.4; alpha = .96), perceived commitment (5-item measure; 7.5; alpha = .94), satisfaction (5-item measure; 7.1; alpha = .95), communal relationship quality (2-item measure; 7.5; alpha = .77) and, importantly, exchange relationship quality (single item; 7.5). Depending on community perception, an open-source project can enhance trust in multiple ways.

How the OpenSearch Project approaches community building and trust

One of the ways that we build community trust is by holding twice-monthly community meetings where we invite those interested in the project to come and present what they’ve been building and how they’ve used OpenSearch. We hold them at 8 AM or 3 PM Pacific to enable more of the community to attend in person. They are also recorded and added to the OpenSearch Project YouTube channel. Our development teams have also begun holding triage meetings in public. We received feedback from community members that they would like to be more involved—not just through asynchronous communication on GitHub but also in person with the team of maintainers that determines the prioritization of work. This has further enabled community members to volunteer to work on specific issues. Also available to the community are a blog platform, the project’s social media channels, a forum, and a public Slack instance, all of which facilitate conversations around the world. We also speak at conferences, continue to enable user groups, and hold OpenSearchCon each year. This allows the community to come together in different ways and in different locations throughout the year.

Presentation slides are available.

References

  1. Paine, K. “Guidelines for Measuring Trust in Organizations.”
  2. King, B. “You Don’t Trust Open-Source Software? 6 Reasons Why You Should.”
  3. Felker, N. “Don’t Trust Open-source Software. It’s Inherently Insecure.”
  4. Linux Foundation. “12 Ways to Improve the Effectiveness and Impact of Enterprise Open Source Development.”
  5. “The Amazon Effect on Open Source.”
  6. “The Open Source Strategy of Amazon Web Services.”