I presented the FASTEN project at OW2con'2020 online conference. The project aims at making software package management intelligent and robust.
https://www.fasten-project.eu/
2. Content
● Open Source Software (OSS)
● Package Management
● Package Dependency Networks (PDNs)
○ Issues with PDNs
○ Existing Solutions
○ The Root Cause
● The FASTEN Project
○ Solution
○ The FASTEN Architecture
○ The Metadata Database
○ Current State
○ Examples of FASTEN Workflow
3. Open Source Software (OSS)
● Allows code reuse, reducing development and maintenance costs
● Hosted on centralized repositories (Maven, PyPI, ...)
● Made the dream of collaborative development feasible
4. Package Management
● Open-source libraries as a building block for creating new software
● Package managers resolve dependencies and download required libraries
6. Package Dependency Networks (PDNs)
● Package versions and their dependencies form huge and complex dependency networks
● Version constraints make these networks more complicated
9. Issues with PDNs
From a developer’s perspective
● The observability problem
● The update problem
● The compliance problem
● The trust problem
From a maintainer’s perspective
● The update problem
● The deprecation problem
● The unlawful use problem
● The lack of incentive problem
10. Existing Solutions to the Issues of PDNs
● Services like GitHub, Dependabot
● Problems:
○ No support for assessing updates
○ No help with impact assessment
○ False positives
11. The Root Cause of the Issues of PDNs
(figure) Current Solutions / Call Dependency Networks (CDNs)
12. The FASTEN Project
● Fine-Grained Analysis of Software Ecosystems as Network
● Aims at solving the issues of PDNs by making package management robust and intelligent
● A centralized service to host the graphs and serve the analyses
● Consortium:
13. The FASTEN Solution
● More precise license compliance
○ Am I linking to GPL code?
● More precise risk profiling
○ Does this vulnerability affect my package?
● More precise change impact analysis
○ How many packages will I break if I change this function?
○ Can I safely update the dependencies of my package?
● Integration with package managers
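The contrast between the two kinds of network, as an added Python example (not FASTEN's own code or data model): a package-level check flags every dependent of a package that carries an advisory, whereas reachability over a call graph answers the questions on this slide function by function. The call graph, licences and advisory are constructed sample data.

```python
from collections import deque

# Constructed sample call graph (assumption: not FASTEN's schema).
# Nodes are "package:function"; edges point from caller to callee.
CALL_GRAPH = {
    "myapp:main":       ["myapp:parse", "libjson:parse"],
    "myapp:parse":      ["libjson:parse"],
    "libjson:parse":    ["libjson:tokenize"],
    "libjson:tokenize": [],
    "libjson:pretty":   ["libgpl:fmt"],   # never called by myapp
    "libgpl:fmt":       [],
}
# Package dependency network (PDN): myapp -> libjson -> libgpl
PDN = {"myapp": ["libjson"], "libjson": ["libgpl"]}
PACKAGE_LICENSE = {"myapp": "MIT", "libjson": "Apache-2.0", "libgpl": "GPL-3.0"}
# Constructed advisory naming the vulnerable function
VULNERABLE = {"libjson:pretty"}

def reachable(graph, roots):
    """Forward reachability (BFS) over the edges of any adjacency dict."""
    seen, queue = set(roots), deque(roots)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def pdn_flags_vulnerability(pkg, vulnerable):
    """Package level: any transitive dependency with an advisory is flagged."""
    vulnerable_pkgs = {f.split(":")[0] for f in vulnerable}
    return bool((reachable(PDN, [pkg]) - {pkg}) & vulnerable_pkgs)

def cdn_flags_vulnerability(entry_points, vulnerable):
    """Call level: only vulnerable functions actually reachable are reported."""
    return sorted(reachable(CALL_GRAPH, entry_points) & vulnerable)

def linked_licenses(entry_points):
    """'Am I linking to GPL code?': licences of packages whose functions are reached."""
    reached = reachable(CALL_GRAPH, entry_points)
    return sorted({PACKAGE_LICENSE[f.split(":")[0]] for f in reached})

def impacted_callers(func):
    """Change impact: walk the reversed call graph to find everything that depends on func."""
    reverse = {}
    for caller, callees in CALL_GRAPH.items():
        for callee in callees:
            reverse.setdefault(callee, []).append(caller)
    return sorted(reachable(reverse, [func]) - {func})
```

The same traversal serves all three questions; only the graph (forward, package-level, or reversed) changes.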
14. Overview of the FASTEN Architecture
(diagram)
● Data streams
○ Package repositories
○ Vulnerability information
● FASTEN server
○ Call graph generators
○ Analysis layer: Security, Change impact, Compliance, Quality and Risk
○ Storage layer
○ REST API, Web UI
● Continuous Integration servers
16. Current Status of the Project
● Alpha version of the project in May
● Generated 1.2M Java call graphs
● Generated 80K Rust call graphs
● Generating call graphs for Debian packages
● Deployment of the FASTEN server on Kubernetes clusters
● Initial implementation of the storage layer
○ The metadata database
○ Graph database
17. Examples of FASTEN Workflow
Updating with confidence
(figure) Before FASTEN / After FASTEN
18. Examples of FASTEN Workflow
Deciding to use a library
(figure) Before FASTEN / After FASTEN