{"id":"https://openalex.org/W6886901578","doi":"https://doi.org/10.15168/11572_333508","title":"Towards Understanding and Securing the OSS Supply Chain","display_name":"Towards Understanding and Securing the OSS Supply Chain","publication_year":2022,"publication_date":"2022-03-14","ids":{"openalex":"https://openalex.org/W6886901578","doi":"https://doi.org/10.15168/11572_333508"},"language":"en","primary_location":{"id":"pmh:oai:iris.unitn.it:11572/333508","is_oa":true,"landing_page_url":"http://hdl.handle.net/11572/333508","pdf_url":null,"source":{"id":"https://openalex.org/S4306401913","display_name":"Institutional Research Information System (Universit\u00e0 degli Studi di Trento)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I193223587","host_organization_name":"University of Trento","host_organization_lineage":["https://openalex.org/I193223587"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"info:eu-repo/semantics/doctoralThesis"},"type":"article","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"http://hdl.handle.net/11572/333508","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Vu Duc, Ly","orcid":"https://orcid.org/0000-0002-5445-2729"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Vu Duc, Ly","raw_affiliation_strings":[],"raw_orcid":"https://orcid.org/0000-0002-5445-2729","affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":1,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.25177204,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":true,"primary_topic":{"id":"https://openalex.org/T11675","display_name":"Open Source Software Innovations","score":0.6162999868392944,"subfield":{"id":"https://openalex.org/subfields/1706","display_name":"Computer Science Applications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11675","display_name":"Open Source Software Innovations","score":0.6162999868392944,"subfield":{"id":"https://openalex.org/subfields/1706","display_name":"Computer Science Applications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.059300001710653305,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T13999","display_name":"Digital Rights Management and Security","score":0.04749999940395355,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/popularity","display_name":"Popularity","score":0.6610999703407288},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.6067000031471252},{"id":"https://openalex.org/keywords/supply-chain","display_name":"Supply chain","score":0.5774999856948853},{"id":"https://openalex.org/keywords/artifact","display_name":"Artifact (error)","score":0.5335999727249146},{"id":"https://openalex.org/keywords/quality","display_name":"Quality (philosophy)","score":0.38339999318122864},{"id":"https://openalex.org/keywords/software-quality","display_name":"Software quality","score":0.3824999928474426},{"id":"https://openalex.org/keywords/software-development","display_name":"Software development","score":0.3801000118255615},{"id":"https://openalex.org/keywords/package-development-process","display_name":"Package development process","score":0.3637000024318695},{"id":"https://openalex.org/keywords/dependency","display_name":"Dependency (UML)","score":0.35899999737739563}],"concepts":[{"id":"https://openalex.org/C2780586970","wikidata":"https://www.wikidata.org/wiki/Q1357284","display_name":"Popularity","level":2,"score":0.6610999703407288},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.63919997215271},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.6067000031471252},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.5871999859809875},{"id":"https://openalex.org/C108713360","wikidata":"https://www.wikidata.org/wiki/Q1824206","display_name":"Supply chain","level":2,"score":0.5774999856948853},{"id":"https://openalex.org/C2779010991","wikidata":"https://www.wikidata.org/wiki/Q2720909","display_name":"Artifact (error)","level":2,"score":0.5335999727249146},{"id":"https://openalex.org/C2779530757","wikidata":"https://www.wikidata.org/wiki/Q1207505","display_name":"Quality (philosophy)","level":2,"score":0.38339999318122864},{"id":"https://openalex.org/C117447612","wikidata":"https://www.wikidata.org/wiki/Q1412670","display_name":"Software quality","level":4,"score":0.3824999928474426},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.3801000118255615},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.36410000920295715},{"id":"https://openalex.org/C123551368","wikidata":"https://www.wikidata.org/wiki/Q7122888","display_name":"Package development process","level":5,"score":0.3637000024318695},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.36039999127388},{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency (UML)","level":2,"score":0.35899999737739563},{"id":"https://openalex.org/C21491501","wikidata":"https://www.wikidata.org/wiki/Q430253","display_name":"Backporting","level":5,"score":0.35420000553131104},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.352400004863739},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.35100001096725464},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.3474000096321106},{"id":"https://openalex.org/C18762648","wikidata":"https://www.wikidata.org/wiki/Q42213","display_name":"Work (physics)","level":2,"score":0.34529998898506165},{"id":"https://openalex.org/C48306297","wikidata":"https://www.wikidata.org/wiki/Q7554352","display_name":"Software quality management","level":5,"score":0.3393999934196472},{"id":"https://openalex.org/C101317890","wikidata":"https://www.wikidata.org/wiki/Q940053","display_name":"Software maintenance","level":4,"score":0.3328000009059906},{"id":"https://openalex.org/C74579156","wikidata":"https://www.wikidata.org/wiki/Q7554342","display_name":"Software peer review","level":5,"score":0.3100999891757965},{"id":"https://openalex.org/C82214349","wikidata":"https://www.wikidata.org/wiki/Q657339","display_name":"Software metric","level":5,"score":0.30660000443458557},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.304500013589859},{"id":"https://openalex.org/C149091818","wikidata":"https://www.wikidata.org/wiki/Q2429814","display_name":"Software system","level":3,"score":0.3012000024318695},{"id":"https://openalex.org/C186846655","wikidata":"https://www.wikidata.org/wiki/Q3398377","display_name":"Software construction","level":4,"score":0.29649999737739563},{"id":"https://openalex.org/C74196892","wikidata":"https://www.wikidata.org/wiki/Q7781188","display_name":"Thematic analysis","level":3,"score":0.29510000348091125},{"id":"https://openalex.org/C198140048","wikidata":"https://www.wikidata.org/wiki/Q10859422","display_name":"Software versioning","level":3,"score":0.29269999265670776},{"id":"https://openalex.org/C182500959","wikidata":"https://www.wikidata.org/wiki/Q7551380","display_name":"Social software engineering","level":5,"score":0.2904999852180481},{"id":"https://openalex.org/C195094911","wikidata":"https://www.wikidata.org/wiki/Q14167904","display_name":"Process management","level":1,"score":0.2896000146865845},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.28459998965263367},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.2777000069618225},{"id":"https://openalex.org/C120936955","wikidata":"https://www.wikidata.org/wiki/Q2155640","display_name":"Empirical research","level":2,"score":0.27469998598098755},{"id":"https://openalex.org/C199519371","wikidata":"https://www.wikidata.org/wiki/Q942695","display_name":"Source lines of code","level":3,"score":0.25859999656677246},{"id":"https://openalex.org/C44104985","wikidata":"https://www.wikidata.org/wiki/Q492886","display_name":"Supply chain management","level":3,"score":0.25699999928474426}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:oai:iris.unitn.it:11572/333508","is_oa":true,"landing_page_url":"http://hdl.handle.net/11572/333508","pdf_url":null,"source":{"id":"https://openalex.org/S4306401913","display_name":"Institutional Research Information System (Universit\u00e0 degli Studi di Trento)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I193223587","host_organization_name":"University of Trento","host_organization_lineage":["https://openalex.org/I193223587"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"info:eu-repo/semantics/doctoralThesis"},{"id":"doi:10.15168/11572_333508","is_oa":true,"landing_page_url":"https://doi.org/10.15168/11572_333508","pdf_url":null,"source":{"id":"https://openalex.org/S7407051007","display_name":"Universit\u00e0 degli Studi di Trento","issn_l":null,"issn":[],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article-journal"}],"best_oa_location":{"id":"pmh:oai:iris.unitn.it:11572/333508","is_oa":true,"landing_page_url":"http://hdl.handle.net/11572/333508","pdf_url":null,"source":{"id":"https://openalex.org/S4306401913","display_name":"Institutional Research Information System (Universit\u00e0 degli Studi di Trento)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I193223587","host_organization_name":"University of Trento","host_organization_lineage":["https://openalex.org/I193223587"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"info:eu-repo/semantics/doctoralThesis"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Free":[0],"and":[1,23,80,122,127,154,165,212,274,312,361,374,449],"Open-Source":[2,129],"Software":[3,130],"(FOSS)":[4],"has":[5,329],"become":[6,133],"an":[7,205],"integral":[8],"part":[9],"of":[10,30,62,110,137,151,209,222,235,358,366,388,406,430],"the":[11,16,31,40,60,63,72,87,91,108,124,134,218,233,236,249,258,267,271,306,313,338,355,364,386,403],"software":[12,32,64,92,104,237,240,359,368,397],"supply":[13,33,65,93,238,369],"chain":[14,41,370],"in":[15,39,44,50,55,76,90,157,266,310],"past":[17],"decade.":[18],"Various":[19],"entities":[20],"(automated":[21],"tools":[22,289],"humans)":[24],"are":[25,174,244,264],"involved":[26],"at":[27,350],"different":[28],"stages":[29],"chain.":[34],"Some":[35],"actions":[36],"that":[37,132,215,261],"occur":[38],"may":[42,70],"result":[43],"vulnerabilities":[45],"or":[46,68,196,286,295,344],"malicious":[47,81],"code":[48,112,273,300,315],"injected":[49],"a":[51,56,200,321,351,418,422,427,445],"published":[52,307],"artifact":[53],"distributed":[54],"package":[57,250,253,340],"repository.":[58],"At":[59,232],"end":[61,234],"chain,":[66,94,239],"developers":[67,98,150,373],"end-users":[69],"consume":[71],"resulting":[73],"artifacts":[74],"altered":[75],"transit,":[77],"including":[78],"benign":[79],"injection.":[82],"This":[83],"dissertation":[84],"starts":[85],"from":[86,248,437],"first":[88],"link":[89],"?developers?.":[95],"Since":[96],"many":[97,175],"do":[99],"not":[100],"update":[101,123],"their":[102,111,184,275],"vulnerable":[103],"libraries,":[105,125],"thus":[106],"exposing":[107],"user":[109],"to":[113,168,191,332,335,384,420],"security":[114,362],"risks.":[115],"To":[116,302,425],"understand":[117],"how":[118,412],"they":[119],"choose,":[120],"manage":[121],"packages,":[126],"other":[128],"(OSS)":[131],"building":[135],"blocks":[136],"companies?":[138],"completed":[139],"products":[140],"consumed":[141],"by":[142,284,391],"end-users,":[143],"twenty-five":[144],"semi-structured":[145],"interviews":[146,161],"were":[147,162,442],"conducted":[148,226],"with":[149],"both":[152],"large":[153],"small-medium":[155],"enterprises":[156],"nine":[158],"countries.":[159],"All":[160],"transcribed,":[163],"coded,":[164],"analyzed":[166],"according":[167],"applied":[169],"thematic":[170],"analysis.":[171],"Although":[172,378],"there":[173,198],"observations":[176],"about":[177,402],"developers?":[178,447],"attitudes":[179],"on":[180,317,372],"selecting":[181],"dependencies":[182],"for":[183,296,347,396,417],"projects,":[185],"additional":[186],"quantitative":[187],"work":[188],"is":[189,199,400],"needed":[190],"validate":[192],"whether":[193,197],"behavior":[194],"matches":[195],"gap.":[201],"Therefore,":[202],"we":[203,319],"provide":[204,426],"extensive":[206],"empirical":[207],"analysis":[208],"twelve":[210],"quality":[211],"popularity":[213,220],"factors":[214],"should":[216,415],"explain":[217],"corresponding":[219],"(adoption)":[221],"PyPI":[223,311],"packages":[224,309,349],"was":[225],"using":[227,407],"our":[228],"tool":[229,419],"called":[230,324],"py2src.":[231],"libraries":[241],"(or":[242],"packages)":[243],"usually":[245],"downloaded":[246],"directly":[247],"registries":[251],"via":[252],"dependency":[254,341],"management":[255,342,371],"systems":[256,343],"under":[257],"comfortable":[259],"assumption":[260],"no":[262],"discrepancies":[263,280],"introduced":[265,283],"last":[268],"mile":[269],"between":[270,305],"source":[272,314],"respective":[276],"packages.":[277],"However,":[278],"such":[279,410],"might":[281],"be":[282,333],"manual":[285],"automated":[287,379],"build":[288],"(e.g.,":[290],"metadata,":[291],"Python":[292,308],"bytecode":[293],"files)":[294],"evil":[297],"purposes":[298],"(malicious":[299],"injects).":[301],"identify":[303],"differences":[304],"stored":[316],"Github,":[318],"developed":[320],"new":[322],"approach":[323,328],"LastPyMile":[325],".":[326],"Our":[327],"been":[330],"shown":[331],"promising":[334],"integrate":[336],"within":[337,444],"current":[339],"company":[345],"workflow":[346],"vetting":[348],"minimal":[352],"cost.":[353],"With":[354],"ever-increasing":[356],"numbers":[357],"bugs":[360,436],"vulnerabilities,":[363],"burden":[365,387],"secure":[367],"project":[375],"owners":[376],"increases.":[377],"program":[380],"repair":[381],"approaches":[382],"promise":[383],"reduce":[385],"bug-fixing":[389],"tasks":[390],"suggesting":[392],"likely":[393],"correct":[394],"patches":[395],"bugs,":[398],"little":[399],"known":[401],"practical":[404],"aspects":[405],"APR":[408,433],"tools,":[409,434],"as":[411],"long":[413],"one":[414],"wait":[416],"generate":[421],"bug":[423],"fix.":[424],"realistic":[428],"evaluation":[429],"five":[431],"state-of-the-art":[432],"221":[435],"44":[438],"open-source":[439],"Java":[440],"projects":[441],"run":[443],"reasonable":[446],"time":[448],"effort.":[450]},"counts_by_year":[],"updated_date":"2025-11-06T06:51:31.235846","created_date":"2025-10-10T00:00:00"}