Episode 65

How Projects Secure Their Code with Chris and Nir


16 September 2022

41 mins 6 secs

Your Host
Special Guests

About this Episode

Hello and welcome to CHAOSScast Community podcast, where we share use cases and experiences with measuring open source community health. Elevating conversations about metrics, analytics, and software from the Community Health Analytics Open Source Software, or short CHAOSS Project, to wherever you like to listen. Today, Georg has two experts in analyzing open source community repositories joining him from Arnica, which is focused on software security supply chain security. Our two guests today are Chris Abraham, Head of Data Science, and Nir Valtman, Co-Founder and CEO, and they’re here to tell us about an analysis they conducted called, “How do top open-source projects protect their code?”, the story behind why they decided to do this, and some surprising things they learned from the analysis. Download this episode now to find out much more, and don’t forget to subscribe for free to this podcast on your favorite podcast app and share this podcast with your friends and colleagues!

[00:01:09] Chris and Nir introduce themselves, how they got into open source, what brought them to Arnica, and what they’re doing now.

[00:05:38] Georg brings up a blog post that Chris and Nir wrote on, “How do top open-source projects protect their code?” and we hear why they did this study and how they went about doing it.

[00:09:11] When looking at the data, Georg asks if people have policies around it and if we can infer from it if there’s a security issue or not. Also, Nir and Chris detail how they went about collecting data and looking at what open source is doing.

[00:14:15] Chris and Nir wanted to know if code owners contribute to quality, and we find out how they assessed quality.

[00:19:57] We learn some surprising things Chris and Nir learned from the analysis.

[00:22:10] Georg mentions maintainer burnout and the workload that is being put on maintainers, and he asks how Chris and Nir see the security controls contributing to maintainer burnout or even helping the demands on maintainers.

[00:27:24] Chris and Nir looked at the top 250 projects on GitHub, they tell us how the findings apply to smaller open source and the long tail of projects we have.

[00:33:28] Find out where you can follow Chris and Nir and the work they’re doing.

[00:34:45] Nir tells us about their open source project called, GitGoat.

Value Adds (Picks) of the week:

  • [00:36:16] Georg’s pick is rediscovering Firefox Focus.
  • [00:37:32] Chris’s pick is his connection with the Digital and Analog world and finishing his wood floors with the help of watching YouTube videos.
  • [00:39:16] Nir’s pick is realizing Startup life is not easy and his wife helped him to do more things like mountain biking twice a week.


  • Georg Link


  • Chris Abraham
  • Nir Valtman



Support CHAOSScast