In the past few months, I’ve engaged in a number of discussions on trust. Specifically, in relation to software found on the internet, and most specifically with regard to software in public repositories like PowerShellGallery.com, a NuGet repo, an NPM repo, and so on. I’ll lay out some of what people have told me, offer some observations, and then – most important – ask you what you think.
Download count. This is something a lot of folks have cited – packages with a high download count are, in their estimation, more likely to be worthy of trust. It’s weird, but I find this completely baffling. Maybe it’s just lemming thinking? My concern is that, in many cases, it’s incredibly easy to game this number. There’s no “downloaded, but uninstalled 10 minutes later” count. There’s no “downloaded and infected” count. This literally seems to be the software equivalent of, “well, if they all jumped off the bridge…” Maybe I’m just paranoid.
Updated. This I get a little, perhaps only because I tend to look for this myself. Is the package updated fairly often? Like, is it actively maintained? I freely admit that this is a little bogus, too. I have packages on my systems that haven’t been updated in years, because they haven’t needed to be.
Author. This, I totally get. Like, if I get a Red Hat package from a Red Hat repo, I have a good bit of trust in that. I think the problem is that my trust came partly from brand recognition, and partly from experience, both of which are hard for a newcomer. Move away from major brand names and the problem is even more severe. Do I trust packages made by open source guru John Devries? No, because there is no such person, as far as I’m aware – I just made the name up. But it could be a real person. They could be a guru. How would I know?
Documentation. This, too, I think I get. Good documentation implies a level of care and attention which does engender some trust in my soul. Some.
Signed. Signed code, solely as a single criterion, is not an indicator of trust for me. A signature identifies the author, and so if it’s an author I trust, sure – the signature also ensures the code is as the author intended. Fine. But it’s the author I trust; the signature is a way of codifying and protecting that trust, but trust in the author has to exist before a signature means anything.
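To make that distinction concrete, here is an added example (not from the original post) that checks a module pulled from the PowerShell Gallery: the Authenticode status tells you the code is intact and names the signer, but the "trusted" verdict comes only from an allow-list of signer thumbprints you maintain yourself. It assumes the module was already fetched with Save-Module and that the thumbprint values are placeholders.

```powershell
# Added example: decide whether a saved PowerShell Gallery module is trustworthy
# by *who* signed it, not merely by whether the signature validates.
# Assumptions: the module folder already exists on disk (Save-Module), and
# $TrustedThumbprints holds thumbprints of publishers you have chosen to trust.

function Test-ModuleSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ModulePath,         # e.g. C:\temp\Modules\SomeModule
        [Parameter(Mandatory)] [string[]] $TrustedThumbprints  # SHA-1 thumbprints of signers you trust
    )

    $files = Get-ChildItem -Path $ModulePath -Recurse -Include *.ps1, *.psm1, *.psd1

    foreach ($file in $files) {
        $sig   = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert  = $sig.SignerCertificate
        $thumb = if ($cert) { $cert.Thumbprint } else { $null }

        [pscustomobject]@{
            File       = $file.FullName
            # Valid, NotSigned, HashMismatch, UnknownError (e.g. chain ends in an untrusted root) ...
            Status     = $sig.Status
            Signer     = if ($cert) { $cert.Subject } else { '(unsigned)' }
            Thumbprint = $thumb
            # A valid signature proves integrity and identity; whether that identity
            # is trusted is a separate decision, made here against your own allow-list.
            Trusted    = ($sig.Status -eq 'Valid') -and ($thumb -in $TrustedThumbprints)
        }
    }
}

# Usage: pull a module to disk without installing it, then inspect who signed it.
# Save-Module -Name SomeModule -Path C:\temp\Modules -Repository PSGallery
# $trusted = @('0000000000000000000000000000000000000000')  # placeholder thumbprint
# Test-ModuleSigner -ModulePath 'C:\temp\Modules\SomeModule' -TrustedThumbprints $trusted |
#     Format-Table Status, Signer, Trusted, File -AutoSize
```

A file can report Status = Valid and still come back Trusted = False: that is exactly the gap between "signed" and "signed by someone I trust".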
Trust is subjective. Do you know the author? What do you think of them? Trust is rarely objective, partly because there are blessed few objective criteria on which to base trust. Download count is kinda objective, but it doesn’t really compel trust from me. The existence of documentation is objective, although its quality is subjective, and neither of them has a major impact on trust for me.
So… what does it for you?