How Open Source Builds Distributed Trust

Trust in open source is a positive feedback loop.

 
Mike BursellThis is an edited excerpt from my forthcoming book on Trust in Computing and the Cloud for Wiley and leads on from a previous article I wrote called Trust & choosing open source.

In that article, I asked the question: What are we doing when we say, "I trust open source software"? In reply, I suggested that what we are doing is making a determination that enough of the people who have written and tested it have similar requirements to mine, and that their expertise, combined, is such that the risk to my using the software is acceptable. I also introduced the idea of distributed trust.

The concept of distributing trust across a community is an application of the wisdom of the crowd theory posited by Aristotle, where the assumption is that the opinions of many typically show more wisdom than the opinion of one or a few. While demonstrably false in its simplest form in some situations—the most obvious example being examples of popular support for totalitarian regimes—this principle can provide a very effective mechanism for establishing certain information.

This distillation of collective experience allows what we refer to as distributed trust and is collected through numerous mechanisms on the internet. Some, like TripAdvisor or Glassdoor, record information about organisations or the services they provide, while others, like UrbanSitter or LinkedIn, allow users to add information about specific people (see, for instance, LinkedIn's Recommendations and Skills & Endorsements sections in individuals' profiles). The benefits that can accrue from these examples are significantly increased by the network effect, as the number of possible connections between members increases exponentially as the number of members increases.

Other examples of distributed trust include platforms like Twitter, where the number of followers that an account receives can be seen as a measure of its reputation and even of its trustworthiness, a calculation which we should view with a strong degree of scepticism. Indeed, Twitter felt that it had to address the social power of accounts with large numbers of followers and instituted a "verified accounts" mechanism to let people know that "an account of public interest is authentic." Interestingly, the company had to suspend the service after problems related to users' expectations of exactly what "verified" meant or implied: a classic case of differing understanding of context between different groups.

Where is the relevance to open source, then? The community aspect of open source is actually a driver towards building distributed trust. This is because, once you become a part of the community around an open source project, you assume one or more of the roles that you start trusting once you say that you "trust" an open source project (see my previous article). Examples include architect, designer, developer, reviewer, technical writer, tester, deployer, bug reporter, or bug fixer. The more involvement you have in a project, the more you become part of the community, which can, in time, become a community of practice.

Jean Lave and Etienne Wenger introduced the concept of communities of practice in the book Situated Learning: Legitimate Peripheral Participation, where groups evolve into communities as their members share a passion and participate in shared activities, leading to improving their skills and knowledge together. The core concept here is that as participants learn around a community of practice, they become members of it at the same time:

"Legitimate peripheral participation refers both to the development of knowledgeably skilled identities in practice and to the reproduction and transformation of communities of practice."

Wenger further explored the concept of communities of practice, how they form, requirements for their health, and how they encourage learning in Communities of Practice: Learning, Meaning, and Identity. He identified negotiability of meaning ("why are we working together, what are we trying to achieve?") as core to a community of practice and noted that without engagement, imagination, and alignment by individuals, communities of practice will not be robust.

We can align this with our views of how distributed trust is established and built: when you realise that your impact on open source can be equal to that of others, the distributed trust relationships that you hold to members of a community become less transitive (second- or third-hand or even more remote) and more immediate. You understand that the impact you can have on the creation, maintenance, requirements, and quality of the software you are running can be the same as all of the other, previously anonymous contributors with whom you are now forming a community of practice or whose existing community of practice you are joining. Then you become part of a network of trust relationships that are distributed but less removed from what you experience when buying and operating proprietary software.

The process does not stop there; as a common property of open source projects is cross-pollination, where developers from one project also work on others. This increases as the network effect of multiple open source projects allows reuse and dependencies on other projects to rise and leads to greater take-up across the entire set of projects.

It is easy to see why many open source contributors become open source enthusiasts or evangelists, not just for a single project but for open source as a whole. In fact, work by Stanford sociologist Mark Granovetter suggests that too many strong ties within communities can lead to cliques and stagnation, but weak ties provide movement of ideas and trends around communities. This awareness of other projects and the communities that exist around them and the flexibility of ideas across projects leads to distributed trust being able to be extended (albeit with weaker assurances) beyond the direct or short-chain indirect relationships that contributors experience within projects where they have immediate experience and out towards other projects where external observation or peripheral involvement shows that similar relationships exist between contributors.

Put simply, the act of being involved in an open source project and building trust relationships through participation leads to stronger distributed trust towards similar open source projects or just to other projects that are similarly open source.

What does this mean for each of us? It means that the more we get involved in open source, the more trust we can have in open source, as there will be a corresponding growth in the involvement—and therefore trust—of other people in open source. Trust in open source isn't just a network effect: it's a positive feedback loop!


This article was originally published on Alice, Eve, and Bob and is reprinted with the author's permission.

About the author

Mike Bursell - I've been in and around Open Source since around 1997, and have been running (GNU) Linux as my main desktop at home and work since then: not always easy...  I'm a security bod and architect, co-founder of the Enarx project, and am currently employed as Chief Security Architect for Red Hat.  I have a blog - "Alice, Eve &… More about me

Attribution

This article was published in Opensource.com. It is republished by Open Health News under the terms of the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). The original copy of the article can be found here.