Trust in Software Ecosystems

Software ecosystems are complex networks of organizations and individuals that collaboratively develop and maintain the software that our society depends on. Trust is a fundamental part of the software ecosystem, whether it is an individual deciding to install an app, a business manager deciding to use a multi-million accounting system, or a government deciding to use a cloud system. However, the rapid growth and decentralization of software ecosystems have introduced significant challenges in ensuring software trustworthiness. Malicious actors can exploit vulnerabilities, introduce harmful code, or take advantage of outdated packages. Software engineers and end-users face considerable risks in selecting reliable and secure software. This PhD dissertation introduces a community-managed tool that underpins the software ecosystem with a trust layer. It collects trust data on software packages and projects to help users assess the reliability, vulnerabilities, and trustworthiness of software packages. Implemented within npm, this tool is able to retrieve trust scores from a distributed ledger for safety checks, policy enforcement, and dependency scans. This dissertation explores how empirical software engineering can strengthen trust in the global software ecosystem. It offers both theoretical insights and practical methods for fostering the development of more trustworthy software.