After a 12+ week project looking at how security information is expressed in the varied UIs of three package repositories (npm, PyPI and RubyGems), we can now see more clearly what developers, across skill and knowledge levels, use on package repository pages to make a decision about the security of an OSS package located on a registry. These decisions are critical for better understanding trust, value, social proof and the knowledge of secure practices across developers, and they help answer the question: how much do developers know about the security of their software supply chain?
This talk will cover:
1. The essential user research findings from the project,
2. How user research informed the UI style guide design build,
3. What gaps and opportunities remain to continue design work on SBOMs, attestations and securing software repositories.
https://github.com/ossf/wg-securing-software-repos/tree/main/docs/attestations-style-guide