Insights from 22 Interviews with the OSS Community

Lukas Daniel Klausner

May 09, 2026

As part of our netidee project, we conducted 22 semi-structured interviews over the past months with people from the Open Source ecosystem — ranging from developers in large corporations to freelancers, and from newcomers to veterans with more than 20 years of OSS experience. All interviews were recorded and transcribed using Whisper (specifically: noScribe).

Overall, we achieved a satisfactory level of diversity, partly through distributing the call across different subcommunities. However, older people and — despite targeted outreach — non-male participants remain underrepresented in the sample. The conversations lasted a little over an hour on average — many thanks to all interviewees for their time!

In the interviews, we focused on three main topics in order to place the further development of CrOSSD and the accompanying research on a stronger empirical foundation:

  • Definitions and understandings of OSS quality and project “health”
  • Concepts and characteristics of criticality
  • Needs, expectations, feature requests, etc. regarding CrOSSD

The interviews revealed a multifaceted picture of how the quality of Open Source projects is understood. While functionality was regarded as fundamental, it was rarely considered sufficient on its own. Overall, the most frequently mentioned factors for project health matched our prior expectations: popularity/adoption, documentation quality, number of contributors, and activity. Beyond that, however, there was considerable variation as well as some interesting outliers in the data that still require closer analysis.

The definition of criticality turned out to be surprisingly complex; few interviewees had a clear understanding of the concept beforehand, and many asked follow-up questions about what exactly we meant by it. Nevertheless, some common themes emerged across the interviews. A recurring thread was the issue of dependencies and the consequences of failure. Critical Open Source software was described as being deeply embedded in other systems, infrastructures, or workflows, meaning that failures or compromises could have significant downstream effects.

The interviews show that CrOSSD is perceived as potentially highly valuable and as filling a clear gap in the Open Source security landscape. There was an overwhelming consensus that a tool facilitating automated vulnerability detection and dependency analysis specifically for Open Source projects is urgently needed, particularly given the increasing complexity of software supply chains. At the same time, several important reservations and suggestions were raised; some interviewees even considered such a tool to be of little or no use for their own work. Overall, the interviews provided a broad range of input for the further development of CrOSSD, which we will continue to incorporate throughout the upcoming project phases.

The insights gained from the interviews are being incorporated directly into scientific publications currently in preparation, as well as into the further development of metric selection and platform functionalities. In particular, the findings were also presented and discussed at CHAOSScon EU 2026, where they received positive feedback from the international community.
