From Whence Comes Trust in Software?

In the past few months, I’ve engaged in a number of discussions on trust. Specifically, trust in relation to software found on the internet, and most specifically software in public repositories like a NuGet repo, an NPM repo, and so on. I’ll lay out some of what people have told me, offer some observations, and then, most importantly, ask you what you think.

Download count. This is something a lot of folks have cited: packages with a high download count are, in their estimation, more likely to be worthy of trust. Honestly, I find this completely baffling. Maybe it’s just lemming thinking? My concern is that, in many cases, it’s incredibly easy to game this number: anyone who can run a download loop can inflate it, and the repository has no way to tell a real install from a scripted one. There’s no “downloaded, but uninstalled 10 minutes later” count. There’s no “downloaded and infected” count. This literally seems to be the software equivalent of, “well, if they all jumped off the bridge…” Maybe I’m just paranoid.

Updated. This I get a little, perhaps only because I tend to look for this myself. Is the package updated fairly often? Like, is it actively maintained? I freely admit that this is a little bogus, too. I have packages on my systems that haven’t been updated in years, because they haven’t needed to be. And the reverse holds as well: a fresh release tells you nothing about who made it or what changed, so recency by itself isn’t reassurance either.

Author. This, I totally get. Like, if I get a Red Hat package from a Red Hat repo, I have a good bit of trust in that. I think the problem is that my trust came partly from brand recognition, and partly from experience, both of which are hard for a newcomer. Move away from major brand names and the problem is even more severe. Do I trust packages made by open source guru John Devries? No, because there is no such person, as far as I’m aware – I just made the name up. But it could be a real person. They could be a guru. How would I know?

Documentation. This, too, I think I get. Good documentation implies a level of care and attention which does engender some trust in my soul. Some.

Signed. Signed code, solely as a single criterion, is not an indicator of trust for me. A signature proves that whoever holds the signing key signed exactly these bytes, and that they haven’t been altered since. If that key belongs to an author I already trust, sure: the signature is then a way of codifying and protecting that trust, and it tells me the code is as the author intended. Fine. But it’s the author I trust, not the signature. Anyone can generate a key and sign a package, and a stranger’s signature verifies just as cleanly as a vendor’s. Trust in the author, and in the binding between that author and that key, has to exist before a signature means anything.
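To make the point concrete, here is a small added example (mine, not the post author’s, and not any real registry’s format) of the difference between “the signature verifies” and “I trust this package.” It uses Go’s standard-library Ed25519 to sign a constructed payload with two freshly generated keys, a vendor key the consumer has pinned and a stranger’s key it has never seen, and then runs the same acceptance check over both, plus a copy of the vendor package with one byte flipped after signing. The SignedPackage layout, the TrustPolicy map and the payload bytes are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedPackage is a toy distribution unit for this example: a name, the bytes
// a client would install, the signer's public key shipped alongside, and a
// detached signature. It is a constructed layout, not a real registry format.
type SignedPackage struct {
	Name      string
	Contents  []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// Sign builds a SignedPackage whose signature covers the contents.
func Sign(name string, contents []byte, priv ed25519.PrivateKey) SignedPackage {
	return SignedPackage{
		Name:      name,
		Contents:  contents,
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, contents),
	}
}

// VerifySignature answers exactly one question: were these bytes signed by the
// key that ships with the package, and are they unmodified since? It says
// nothing about whether that key belongs to anyone worth trusting.
func VerifySignature(p SignedPackage) bool {
	return ed25519.Verify(p.Signer, p.Contents, p.Signature)
}

// KeyID is a stable identifier for a public key (hex of SHA-256 over the raw key).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// TrustPolicy is the consumer's own pinned set of signer keys, KeyID -> label.
// The decision to put a key in here is made out of band (vendor docs, a
// fingerprint checked in person, prior experience); that is where trust comes from.
type TrustPolicy map[string]string

var (
	ErrBadSignature  = errors.New("signature does not verify: contents or signature were modified")
	ErrUnknownSigner = errors.New("signature verifies, but the signer is not in the trust policy")
)

// Accept is the check a client would run before installing. It returns the
// label of the trusted signer, or an error that distinguishes the two failure
// modes: tampered bytes versus an unknown but internally consistent signer.
func (tp TrustPolicy) Accept(p SignedPackage) (string, error) {
	if !VerifySignature(p) {
		return "", ErrBadSignature
	}
	label, ok := tp[KeyID(p.Signer)]
	if !ok {
		return "", ErrUnknownSigner
	}
	return label, nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	// Two authors: one whose key we pinned after deciding to trust them, and a
	// stranger whose key we have never seen before.
	vendorPub, vendorPriv := mustKey()
	_, strangerPriv := mustKey()
	policy := TrustPolicy{KeyID(vendorPub): "vendor release key"}

	contents := []byte("print('hello from pkg 1.0.0')") // constructed payload

	vendor := Sign("pkg", contents, vendorPriv)
	stranger := Sign("pkg", contents, strangerPriv)

	// A copy of the vendor package with one byte flipped after signing.
	tampered := vendor
	tampered.Contents = append([]byte(nil), contents...)
	tampered.Contents[0] ^= 0xff

	for _, c := range []struct {
		name string
		pkg  SignedPackage
	}{{"vendor", vendor}, {"stranger", stranger}, {"tampered", tampered}} {
		label, err := policy.Accept(c.pkg)
		fmt.Printf("%-9s signature valid=%-5v accepted as=%q err=%v\n",
			c.name, VerifySignature(c.pkg), label, err)
	}
}
```

The stranger’s package passes VerifySignature exactly as the vendor’s does; only the pinned-key lookup separates them, and the tampered copy fails before that lookup is even reached. Any real client (a package manager, a CI step) that stops at “signature valid” and skips the policy lookup is making precisely the mistake described above.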

Trust is subjective. Do you know the author? What do you think of them? Trust is rarely objective, partly because there are blessed few objective criteria on which to base trust. Download count is kinda objective, but it doesn’t really compel trust from me. The existence of documentation is objective, although its quality is subjective, and neither of them has a major impact on trust for me.

So… what does it for you?

One thought on “From Whence Comes Trust in Software?”

  1. Joel Reed (@AKAJoelReed)

    I was just thinking about this today. I was looking for a PowerShell module to do a thing. My first instinct was to see what was in the gallery. I realized my view and use of the Gallery has changed of late. I think in the early days I was skeptical of that, especially since MS didn’t “trust” it. Which I get now, but didn’t then. I also steered clear of the Script Center downloads in the old days. Nowadays I think that the mere act of a module being in the gallery has some weight. I see it kind of as a hybrid category, an amalgam of several you have listed, but not an exclusive winner. I think that if the author took the time to put it there that’s points. I am even more encouraged when I see that they have a GitHub repo that is set up to build, test, and pipeline it into the Gallery. Even if it isn’t “active” in the sense of frequent commits, it demonstrates a commitment level, which instills trust. Of the 3 modules I found only 1 existed in the Gallery, but all three were housed on GitHub, some had more contributors than others, some seemed to have an active and possibly healthy level of issues and issue response. So I don’t think it’s just one thing. It’s a sum of the parts you listed as well as some others.

    I also think trust is cumulative and earned. I think there is a critical mass around something receiving trust. It’s subjective but it’s also holistic. The Gallery is a good and evolving example, but I think even on the Linux side 3rd party or quasi 3rd party repos, for example EPEL, are representative of it being a multiple factor plus time equals trust kind of thing.
