SlideShare a Scribd company logo
1 of 67
Download to read offline
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
1
16:00 Ahmed Zerouali
Public PhD Defense
“A Measurement Framework for Analyzing Technical Lag in Open-Source
Software Ecosystems”
A Measurement Framework for
Analyzing Technical Lag in
Open-Source Software Ecosystems
Presented by:
Ahmed Zerouali
Advisor:
Dr. Tom Mens
Public PhD Defense
Software Engineering Lab, Université de Mons - Belgium, 4 September 2019
Jury:
Dr. Olivier Delgrange
Dr. Alexandre Decan
Dr. Jesus Gonzalez-Barahona
Dr. Alexander Serebrenik
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Belgian Excellence of
Science Research Project 2018- 2021
https://secoassist.github.io/
3
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Background
4
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Focus
IssuesUp-to-date
5
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Focus
Don’t updateUpdate
How can we help software developers to
decide when and why they should update
6
?
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Published papers
7
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag
8
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical lag
> Background
Technical lag¹: the increasing difference between
deployed software packages and the ideal available
upstream packages.
¹ Gonzalez-Barahona, et al. "Technical Lag in Software Compilations: Measuring How
Outdated a Software Deployment Is." IFIP International Conference on Open Source
Systems. Springer, Cham, 2017.
➢ Ideal: stability, security, functionality, recency, etc.
➢ Difference: version updates, bugs, vulnerabilities, lines
of code, commits, etc.
9
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical lag
> Background
Credits: https://exploring-data.com/vis/npm-packages-dependencies/
+20M
dependencies
10
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical lag
> Background
package.json
11
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical lag
> Background
12
Semantic Versioning
Examples: 0.0.1, 1.0.0, 1.2.3, 1.2.3-beta
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical lag
> Background
Other: *, ==1.2.3, >1.2.3, <1.2.3, 1.2.x, 1.x.x
13
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical lag
> Example
14
1.0.1
3.6.0
*
1.2.0
allowed
4.0.0
^1.0.0
^1.0.0 = [ 1.0.0, 2.0.0 [
dependent
package P
required
package D
up-to-date
dependency
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical lag
> Example
15
1.0.1 1.2.0 2.0.1
3.6.0
4.0.0
2.0.0
*
^1.0.0 = [ 1.0.0, 2.0.0 [
allowed
4.1.0
missing updates
dependent
package P
required
package D
outdated
^1.0.0
dependency
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical lag
> Example
16
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Followed research approach
Qualitative analysis:
surveys and interviews
Tooling
Quantitative
analysis
Technical lag
formal framework
Mixed-methods
approach
17
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Qualitative analysis:
surveys and interviews
Tooling
Quantitative
analysis
Mixed-methods
approach
Technical lag
formal framework
18
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
A Framework for Technical Lag
> Qualitative analysis
Semi-structured Interviews:
➢ 5 software practitioners
➢ Place: FOSDEM 2019
➢ Highly educated interviewees with an average of 10
years of experience
19
Technical Lag is important, especially if we mix
between the benefits of updating and the effort
needed to do that.
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
A Framework for Technical Lag
> Qualitative analysis
Online surveys:
➢ 17 candidates (from facebook groups)
➢ Highly educated interviewees with an average of 3
years of experience
MCQ: What would be the most appropriate (ideal) version
of a software library to use?
20
★ Most stable (14)
★ Latest available (9)
★ Most documented (7)
★ Most secure (5)
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Qualitative analysis:
surveys and interviews
Tooling
Quantitative
analysis
Mixed-methods
approach
Technical lag
formal framework
21
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical lag
22
∆ version
∆ time
∆ bugs
∆ vulnerabilities
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
A Framework for Technical Lag
● is a set of component releases
● is a set of possible lag values
● ideal : → is a function returning the “ideal” component release
● delta : x → is a function computing the difference between two
component releases
● agg : is a function aggregating the results of a set of lags
23
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
A Framework for Technical Lag
24
Given a technical lag framework , we define:
Aggregated Technical lag
Technical lag
Let be a set of components, then:
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Qualitative analysis:
surveys and interviews
Tooling
Quantitative
analysis
Mixed-methods
approach
Technical lag
formal framework
25
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
A Framework for Technical Lag
> Framework Instantiation
26
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in npm Packages
27
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
28
Technical Lag in npm Packages
Time-based instantiation of :
➢ Ideal: Highest available version
➢ Delta: Time Lag = date(ideal) - date(used)
➢ Aggregation: Max
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
29
Technical Lag in npm Packages
Version-based instantiation of :
➢ Ideal: Highest available version
➢ Delta: Version lag = (∆Major, ∆Minor, ∆Patch)
➢ Aggregation: Sum
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
30
Technical Lag in npm Packages
> Time-based instantiation
1.0.1 1.1.0 2.0.01.2.0 2.0.1
Dependent
package
Technical lag
time lag = date(2.0.1) - date(1.1.0)
Required
package
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
31
Technical Lag in npm Packages
> Version-based instantiation
1.0.1 1.1.0 2.0.01.2.0 2.0.1
Dependent
package
Technical lag
1 minor
time lag = date(2.0.1) - date(1.1.0)
Required
package
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
32
Technical Lag in npm Packages
> Version-based instantiation
1.0.1 1.1.0 2.0.01.2.0 2.0.1
Dependent
package
Technical lag
1 minor
time lag = date(2.0.1) - date(1.1.0)
1 major
Required
package
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
33
Technical Lag in npm Packages
> Version-based instantiation
1.0.1 1.1.0 2.0.01.2.0 2.0.1
Dependent
package
Technical lag
1 minor
time lag = date(2.0.1) - date(1.1.0)
version lag = (1 major, 1 minor ,1 patch)
1 major 1 patch
Required
package
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in npm Packages
> Example
Time-based technical lag for the package debug:
- ideal (2.6.9) = 3.1.0
- time_lag(2.6.9) = 26-09-2017 - 22-09-2017 = 4 days
- version_lag(2.6.9) = (1,1,1)
34
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in npm Packages
> Example
Time-based technical lag for the package ms:
- time_lag(2.0.0) = 198 days
35
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in npm Packages
> Example
Aggregated Time-based technical lag for the package release
youtube-player@5.5.0:
- time_lag(debug@2.6.9) = 4 days
- time_lag(ms@2.0.0) = 198 days
➔ agglag({debug@2.6.9, ms@2.0.0}) = max (4 days, 198 days) = 198 days
36
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in npm Packages
New package releases have an increased technical lag.
Technical lag is induced by version constraints
Time lag induced by direct dependencies in npm package
releases:
37
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in npm Packages
Time lag induced by transitive runtime dependencies in npm
package releases:
Technical lag is accumulated from a level to another in the dependency
tree.
38
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in npm applications
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in npm applications
Time lag induced by direct dependencies in GitHub applications:
Technical lag in GitHub applications is higher than in npm
package releases
40
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Docker Containers
41
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in Docker Containers
> Background
42
● Containers are isolated bundles
of software packages
● Docker is one of the main tools
for containerisation
● DockerHub is the largest repository
for container images
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in Docker Containers
> Background
43
What are the biggest barriers to putting containers in a
production environment? - ClusterHQ
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in Docker Containers
> Background
44
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in Docker Containers
> Focus
45
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in Docker Containers
> Background
1.0.1 1.1.0 2.0.01.2.1 2.1.0
Docker container
C
Technical lag
technical lag =
∆ Versions (freshness)
∆ Vulnerabilities (security)
∆ Bugs (stability)
Ideal Version
deployed
container
Included
Package
version
Available
releases of a
Debian package
46
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in Docker Containers
> Software Freshness
The majority of packages in Debian containers is up-to-date...
… but most of the images contain outdated packages.
How outdated are images?
IDEAL = LATEST
47
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in Docker Containers
> Software Freshness
Outdated Debian packages in Docker containers induce a
median version lag of 1 version.
What is the version lag induced by the used Debian package releases?
IDEAL = LATEST
48
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in Docker Containers
> Software Security
The number of vulnerabilities depends on the Debian release, and is
moderately correlated with the number of outdated packages in a container.
49
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in Docker Containers
> Software Security
Few packages (2.5%) need to be downgraded in order to have the
most secure version.
Can we reduce security lag in DockerHub container images?
IDEAL = Most Secure
50
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in Docker Containers
> Survey
51
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in Docker Containers
52
1 out of 3 depending on a vulnerable npm package never update
their dependency and remain vulnerable
A. Decan et al. “On the impact of security vulnerabilities in the npm package
dependency network”, MSR 2018.
"37% of websites include a JavaScript library
with a known open source vulnerability”
T. Lauinger et al. "Thou Shalt Not Depend on Me: Analysing the Use of Outdated
JavaScript Libraries on the Web", NDSS 2017.
So what about Docker containers having npm packages?
Security vulnerabilities in npm JavaScript
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Technical Lag in Docker Containers
53
★ Old Node images might be missing many updates, including
one major update.
★ All official Node-based images have vulnerable npm packages,
with an average of 16 security vulnerabilities per image.
★ Older images are more likely to have more vulnerabilities.
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Qualitative analysis:
surveys and interviews
Tooling
Quantitative
analysis
Mixed-methods
approach
Technical lag
formal framework
54
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
ConPan: A tool to analyze packages in software containers
> Existing tools
55
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
(*): https://github.com/neglectos/ConPan
ConPan(*): “CONtainer Packages ANalyzer”
ConPan: A tool to analyze packages in software containers
> Overview
56
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Example: $ conpan -p debian -c google/mysql -d ~/ConPan/data/debian/
ConPan: A tool to analyze packages in software containers
> From the CLI
57
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
ConPan: A tool to analyze packages in software containers
> From the API
58
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
ConPan: A tool to analyze packages in software containers
> From the API
59
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
ConPan: A tool to analyze packages in software containers
> From the API
60
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Summary and Outlook
61
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Summary
62
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Future Work
● Other instantiations of the technical lag
○ Effort needed to reduce the technical lag
● Extend and enhance ConPan
● Cross ecosystems comparison
● Promote technical lag to be used by software developers
63
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
Conclusion
The technical lag could help open source software developers
and deployers to keep their software in a healthy shape.
64
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
https://github.com/neglectos/PhD_Dissertation
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
66
Evolution of Dependency constraints in npm packages
- Caret (^) usage is increasing over time.
- Caret introduction coincides with Major version lag increase.
PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems
67
The usage of strict constraint is much higher in external
applications
Evolution of Dependency constraints in GitHub applications

More Related Content

Similar to Analyzing Technical Lag in Open-Source Software

On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsTom Mens
 
ProDebt's Lessons Learned from Planning Technical Debt Strategically
ProDebt's Lessons Learned from Planning Technical Debt StrategicallyProDebt's Lessons Learned from Planning Technical Debt Strategically
ProDebt's Lessons Learned from Planning Technical Debt StrategicallyQAware GmbH
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkeconst
 
Technical lag in npm and docker ecosystems
Technical lag in npm and docker ecosystemsTechnical lag in npm and docker ecosystems
Technical lag in npm and docker ecosystemsAhmed Zerouali
 
Keynote VST2020 (Workshop on Validation, Analysis and Evolution of Software ...
Keynote VST2020 (Workshop on  Validation, Analysis and Evolution of Software ...Keynote VST2020 (Workshop on  Validation, Analysis and Evolution of Software ...
Keynote VST2020 (Workshop on Validation, Analysis and Evolution of Software ...University of Antwerp
 
Measuring Your Code
Measuring Your CodeMeasuring Your Code
Measuring Your CodeNate Abele
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAhmed Zerouali
 
In cluster open source testing framework - Microservices Meetup
In cluster open source testing framework - Microservices MeetupIn cluster open source testing framework - Microservices Meetup
In cluster open source testing framework - Microservices MeetupNeil Gehani
 
Software Analytics - Achievements and Challenges
Software Analytics - Achievements and ChallengesSoftware Analytics - Achievements and Challenges
Software Analytics - Achievements and ChallengesTao Xie
 
Periodic Table of Agile Principles and Practices
Periodic Table of Agile Principles and PracticesPeriodic Table of Agile Principles and Practices
Periodic Table of Agile Principles and PracticesJérôme Kehrli
 
Recent Research in Search Based Software Testing
Recent Research in Search Based Software TestingRecent Research in Search Based Software Testing
Recent Research in Search Based Software Testingjfrchicanog
 
Agile Development in a Regulated Environment
Agile Development in a Regulated EnvironmentAgile Development in a Regulated Environment
Agile Development in a Regulated EnvironmentTechWell
 
36x48_new_modelling_cloud_infrastructure
36x48_new_modelling_cloud_infrastructure36x48_new_modelling_cloud_infrastructure
36x48_new_modelling_cloud_infrastructureWashington Garcia
 
Slow, Flaky and Legacy Tests: FTFY - Our New Testing Strategy at Net-A-Porter...
Slow, Flaky and Legacy Tests: FTFY - Our New Testing Strategy at Net-A-Porter...Slow, Flaky and Legacy Tests: FTFY - Our New Testing Strategy at Net-A-Porter...
Slow, Flaky and Legacy Tests: FTFY - Our New Testing Strategy at Net-A-Porter...Sauce Labs
 
Jun 08 - PMWT Featured Paper -Tarabykin - XP PAPER - FINAL
Jun 08 - PMWT Featured Paper -Tarabykin - XP PAPER - FINALJun 08 - PMWT Featured Paper -Tarabykin - XP PAPER - FINAL
Jun 08 - PMWT Featured Paper -Tarabykin - XP PAPER - FINALAlex Tarra
 
Software Analytics: Data Analytics for Software Engineering
Software Analytics: Data Analytics for Software EngineeringSoftware Analytics: Data Analytics for Software Engineering
Software Analytics: Data Analytics for Software EngineeringTao Xie
 
QRS16: NOTICE: A Framework for Non-functional Testing of Compilers
QRS16: NOTICE: A Framework for Non-functional Testing of CompilersQRS16: NOTICE: A Framework for Non-functional Testing of Compilers
QRS16: NOTICE: A Framework for Non-functional Testing of CompilersMohamed BOUSSAA
 
Technical Lag in Software Ecosystems
Technical Lag in Software EcosystemsTechnical Lag in Software Ecosystems
Technical Lag in Software EcosystemsAhmed Zerouali
 
Scientific Software: Sustainability, Skills & Sociology
Scientific Software: Sustainability, Skills & SociologyScientific Software: Sustainability, Skills & Sociology
Scientific Software: Sustainability, Skills & SociologyNeil Chue Hong
 

Similar to Analyzing Technical Lag in Open-Source Software (20)

On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystems
 
ProDebt's Lessons Learned from Planning Technical Debt Strategically
ProDebt's Lessons Learned from Planning Technical Debt StrategicallyProDebt's Lessons Learned from Planning Technical Debt Strategically
ProDebt's Lessons Learned from Planning Technical Debt Strategically
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency network
 
Technical lag in npm and docker ecosystems
Technical lag in npm and docker ecosystemsTechnical lag in npm and docker ecosystems
Technical lag in npm and docker ecosystems
 
Keynote VST2020 (Workshop on Validation, Analysis and Evolution of Software ...
Keynote VST2020 (Workshop on  Validation, Analysis and Evolution of Software ...Keynote VST2020 (Workshop on  Validation, Analysis and Evolution of Software ...
Keynote VST2020 (Workshop on Validation, Analysis and Evolution of Software ...
 
Measuring Your Code
Measuring Your CodeMeasuring Your Code
Measuring Your Code
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package Dependencies
 
In cluster open source testing framework - Microservices Meetup
In cluster open source testing framework - Microservices MeetupIn cluster open source testing framework - Microservices Meetup
In cluster open source testing framework - Microservices Meetup
 
Software Analytics - Achievements and Challenges
Software Analytics - Achievements and ChallengesSoftware Analytics - Achievements and Challenges
Software Analytics - Achievements and Challenges
 
Periodic Table of Agile Principles and Practices
Periodic Table of Agile Principles and PracticesPeriodic Table of Agile Principles and Practices
Periodic Table of Agile Principles and Practices
 
Recent Research in Search Based Software Testing
Recent Research in Search Based Software TestingRecent Research in Search Based Software Testing
Recent Research in Search Based Software Testing
 
Agile Development in a Regulated Environment
Agile Development in a Regulated EnvironmentAgile Development in a Regulated Environment
Agile Development in a Regulated Environment
 
36x48_new_modelling_cloud_infrastructure
36x48_new_modelling_cloud_infrastructure36x48_new_modelling_cloud_infrastructure
36x48_new_modelling_cloud_infrastructure
 
Slow, Flaky and Legacy Tests: FTFY - Our New Testing Strategy at Net-A-Porter...
Slow, Flaky and Legacy Tests: FTFY - Our New Testing Strategy at Net-A-Porter...Slow, Flaky and Legacy Tests: FTFY - Our New Testing Strategy at Net-A-Porter...
Slow, Flaky and Legacy Tests: FTFY - Our New Testing Strategy at Net-A-Porter...
 
Jun 08 - PMWT Featured Paper -Tarabykin - XP PAPER - FINAL
Jun 08 - PMWT Featured Paper -Tarabykin - XP PAPER - FINALJun 08 - PMWT Featured Paper -Tarabykin - XP PAPER - FINAL
Jun 08 - PMWT Featured Paper -Tarabykin - XP PAPER - FINAL
 
20101026 ASAP Seminar
20101026 ASAP Seminar20101026 ASAP Seminar
20101026 ASAP Seminar
 
Software Analytics: Data Analytics for Software Engineering
Software Analytics: Data Analytics for Software EngineeringSoftware Analytics: Data Analytics for Software Engineering
Software Analytics: Data Analytics for Software Engineering
 
QRS16: NOTICE: A Framework for Non-functional Testing of Compilers
QRS16: NOTICE: A Framework for Non-functional Testing of CompilersQRS16: NOTICE: A Framework for Non-functional Testing of Compilers
QRS16: NOTICE: A Framework for Non-functional Testing of Compilers
 
Technical Lag in Software Ecosystems
Technical Lag in Software EcosystemsTechnical Lag in Software Ecosystems
Technical Lag in Software Ecosystems
 
Scientific Software: Sustainability, Skills & Sociology
Scientific Software: Sustainability, Skills & SociologyScientific Software: Sustainability, Skills & Sociology
Scientific Software: Sustainability, Skills & Sociology
 

More from Ahmed Zerouali

Prevalence and Evolution of License Violations in npm and RubyGems Dependency...
Prevalence and Evolution of License Violations in npm and RubyGems Dependency...Prevalence and Evolution of License Violations in npm and RubyGems Dependency...
Prevalence and Evolution of License Violations in npm and RubyGems Dependency...Ahmed Zerouali
 
Analysis And Observations Of The Evolution Of Testing Library Usage
Analysis And Observations Of The Evolution Of Testing Library UsageAnalysis And Observations Of The Evolution Of Testing Library Usage
Analysis And Observations Of The Evolution Of Testing Library UsageAhmed Zerouali
 
On Popularity and Quality Metrics of npm Packages
On Popularity and Quality Metrics of npm PackagesOn Popularity and Quality Metrics of npm Packages
On Popularity and Quality Metrics of npm PackagesAhmed Zerouali
 
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...Ahmed Zerouali
 
A multi-dimensional analysis of technical lag in Debian-based Docker images
A multi-dimensional analysis of technical lag in Debian-based Docker imagesA multi-dimensional analysis of technical lag in Debian-based Docker images
A multi-dimensional analysis of technical lag in Debian-based Docker imagesAhmed Zerouali
 
Evolution of Technical Lag in DockerHub images - Benevol20
Evolution of Technical Lag in DockerHub images - Benevol20Evolution of Technical Lag in DockerHub images - Benevol20
Evolution of Technical Lag in DockerHub images - Benevol20Ahmed Zerouali
 
Analyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHubAnalyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHubAhmed Zerouali
 
On the Diversity of Software Package Popularity Metrics: An Empirical Study o...
On the Diversity of Software Package Popularity Metrics: An Empirical Study o...On the Diversity of Software Package Popularity Metrics: An Empirical Study o...
On the Diversity of Software Package Popularity Metrics: An Empirical Study o...Ahmed Zerouali
 
ConPan: A Tool to Analyze Packages in Software Containers
ConPan: A Tool to Analyze Packages in Software ContainersConPan: A Tool to Analyze Packages in Software Containers
ConPan: A Tool to Analyze Packages in Software ContainersAhmed Zerouali
 
Technical Lag in Docker Containers
Technical Lag in Docker ContainersTechnical Lag in Docker Containers
Technical Lag in Docker ContainersAhmed Zerouali
 
Analyzing the Evolution of Testing Library Usage in Open Source Java Projects
Analyzing the Evolution of Testing Library Usage in Open Source Java ProjectsAnalyzing the Evolution of Testing Library Usage in Open Source Java Projects
Analyzing the Evolution of Testing Library Usage in Open Source Java ProjectsAhmed Zerouali
 
An Empirical Comparison of the Development History of CloudStack and Eucalyptus
An Empirical Comparison of the Development History of CloudStack and EucalyptusAn Empirical Comparison of the Development History of CloudStack and Eucalyptus
An Empirical Comparison of the Development History of CloudStack and EucalyptusAhmed Zerouali
 
Analyzing the Evolution of Testing Library Usage in Open Source Java Projects
Analyzing the Evolution of Testing Library Usage in Open Source Java ProjectsAnalyzing the Evolution of Testing Library Usage in Open Source Java Projects
Analyzing the Evolution of Testing Library Usage in Open Source Java ProjectsAhmed Zerouali
 

More from Ahmed Zerouali (13)

Prevalence and Evolution of License Violations in npm and RubyGems Dependency...
Prevalence and Evolution of License Violations in npm and RubyGems Dependency...Prevalence and Evolution of License Violations in npm and RubyGems Dependency...
Prevalence and Evolution of License Violations in npm and RubyGems Dependency...
 
Analysis And Observations Of The Evolution Of Testing Library Usage
Analysis And Observations Of The Evolution Of Testing Library UsageAnalysis And Observations Of The Evolution Of Testing Library Usage
Analysis And Observations Of The Evolution Of Testing Library Usage
 
On Popularity and Quality Metrics of npm Packages
On Popularity and Quality Metrics of npm PackagesOn Popularity and Quality Metrics of npm Packages
On Popularity and Quality Metrics of npm Packages
 
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
 
A multi-dimensional analysis of technical lag in Debian-based Docker images
A multi-dimensional analysis of technical lag in Debian-based Docker imagesA multi-dimensional analysis of technical lag in Debian-based Docker images
A multi-dimensional analysis of technical lag in Debian-based Docker images
 
Evolution of Technical Lag in DockerHub images - Benevol20
Evolution of Technical Lag in DockerHub images - Benevol20Evolution of Technical Lag in DockerHub images - Benevol20
Evolution of Technical Lag in DockerHub images - Benevol20
 
Analyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHubAnalyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHub
 
On the Diversity of Software Package Popularity Metrics: An Empirical Study o...
On the Diversity of Software Package Popularity Metrics: An Empirical Study o...On the Diversity of Software Package Popularity Metrics: An Empirical Study o...
On the Diversity of Software Package Popularity Metrics: An Empirical Study o...
 
ConPan: A Tool to Analyze Packages in Software Containers
ConPan: A Tool to Analyze Packages in Software ContainersConPan: A Tool to Analyze Packages in Software Containers
ConPan: A Tool to Analyze Packages in Software Containers
 
Technical Lag in Docker Containers
Technical Lag in Docker ContainersTechnical Lag in Docker Containers
Technical Lag in Docker Containers
 
Analyzing the Evolution of Testing Library Usage in Open Source Java Projects
Analyzing the Evolution of Testing Library Usage in Open Source Java ProjectsAnalyzing the Evolution of Testing Library Usage in Open Source Java Projects
Analyzing the Evolution of Testing Library Usage in Open Source Java Projects
 
An Empirical Comparison of the Development History of CloudStack and Eucalyptus
An Empirical Comparison of the Development History of CloudStack and EucalyptusAn Empirical Comparison of the Development History of CloudStack and Eucalyptus
An Empirical Comparison of the Development History of CloudStack and Eucalyptus
 
Analyzing the Evolution of Testing Library Usage in Open Source Java Projects
Analyzing the Evolution of Testing Library Usage in Open Source Java ProjectsAnalyzing the Evolution of Testing Library Usage in Open Source Java Projects
Analyzing the Evolution of Testing Library Usage in Open Source Java Projects
 

Recently uploaded

Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Anthony Dahanne
 
SoftTeco - Software Development Company Profile
SoftTeco - Software Development Company ProfileSoftTeco - Software Development Company Profile
SoftTeco - Software Development Company Profileakrivarotava
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonApplitools
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptxVinzoCenzo
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfRTS corp
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolsosttopstonverter
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...OnePlan Solutions
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024VictoriaMetrics
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogueitservices996
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 

Recently uploaded (20)

Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024
 
SoftTeco - Software Development Company Profile
SoftTeco - Software Development Company ProfileSoftTeco - Software Development Company Profile
SoftTeco - Software Development Company Profile
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptx
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration tools
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogue
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 

Analyzing Technical Lag in Open-Source Software

  • 1. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems 1 16:00 Ahmed Zerouali Public PhD Defense “A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems”
  • 2. A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Presented by: Ahmed Zerouali Advisor: Dr. Tom Mens Public PhD Defense Software Engineering Lab, Université de Mons - Belgium, 4 September 2019 Jury: Dr. Olivier Delgrange Dr. Alexandre Decan Dr. Jesus Gonzalez-Barahona Dr. Alexander Serebrenik
  • 3. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Belgian Excellence of Science Research Project 2018- 2021 https://secoassist.github.io/ 3
  • 4. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Background 4
  • 5. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Focus IssuesUp-to-date 5
  • 6. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Focus Don’t updateUpdate How can we help software developers to decide when and why they should update 6 ?
  • 7. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Published papers 7
  • 8. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag 8
  • 9. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical lag > Background Technical lag¹: the increasing difference between deployed software packages and the ideal available upstream packages. ¹ Gonzalez-Barahona, et al. "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is." IFIP International Conference on Open Source Systems. Springer, Cham, 2017. ➢ Ideal: stability, security, functionality, recency, etc. ➢ Difference: version updates, bugs, vulnerabilities, lines of code, commits, etc. 9
  • 10. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical lag > Background Credits: https://exploring-data.com/vis/npm-packages-dependencies/ +20M dependencies 10
  • 11. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical lag > Background package.json 11
  • 12. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical lag > Background 12 Semantic Versioning Examples: 0.0.1, 1.0.0, 1.2.3, 1.2.3-beta
  • 13. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical lag > Background Other: *, ==1.2.3, >1.2.3, <1.2.3, 1.2.x, 1.x.x 13
  • 14. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical lag > Example 14 1.0.1 3.6.0 * 1.2.0 allowed 4.0.0 ^1.0.0 ^1.0.0 = [ 1.0.0, 2.0.0 [ dependent package P required package D up-to-date dependency
  • 15. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical lag > Example 15 1.0.1 1.2.0 2.0.1 3.6.0 4.0.0 2.0.0 * ^1.0.0 = [ 1.0.0, 2.0.0 [ allowed 4.1.0 missing updates dependent package P required package D outdated ^1.0.0 dependency
  • 16. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical lag > Example 16
  • 17. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Followed research approach Qualitative analysis: surveys and interviews Tooling Quantitative analysis Technical lag formal framework Mixed-methods approach 17
  • 18. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Qualitative analysis: surveys and interviews Tooling Quantitative analysis Mixed-methods approach Technical lag formal framework 18
  • 19. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems A Framework for Technical Lag > Qualitative analysis Semi-structured Interviews: ➢ 5 software practitioners ➢ Place: FOSDEM 2019 ➢ Highly educated interviewees with an average of 10 years of experience 19 Technical Lag is important, especially if we mix between the benefits of updating and the effort needed to do that.
  • 20. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems A Framework for Technical Lag > Qualitative analysis Online surveys: ➢ 17 candidates (from facebook groups) ➢ Highly educated interviewees with an average of 3 years of experience MCQ: What would be the most appropriate (ideal) version of a software library to use? 20 ★ Most stable (14) ★ Latest available (9) ★ Most documented (7) ★ Most secure (5)
  • 21. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Qualitative analysis: surveys and interviews Tooling Quantitative analysis Mixed-methods approach Technical lag formal framework 21
  • 22. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical lag 22 ∆ version ∆ time ∆ bugs ∆ vulnerabilities
  • 23. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems A Framework for Technical Lag ● is a set of component releases ● is a set of possible lag values ● ideal : → is a function returning the “ideal” component release ● delta : x → is a function computing the difference between two component releases ● agg : is a function aggregating the results of a set of lags 23
  • 24. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems A Framework for Technical Lag 24 Given a technical lag framework , we define: Aggregated Technical lag Technical lag Let be a set of components, then:
  • 25. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Qualitative analysis: surveys and interviews Tooling Quantitative analysis Mixed-methods approach Technical lag formal framework 25
  • 26. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems A Framework for Technical Lag > Framework Instantiation 26
  • 27. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in npm Packages 27
  • 28. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems 28 Technical Lag in npm Packages Time-based instantiation of : ➢ Ideal: Highest available version ➢ Delta: Time Lag = date(ideal) - date(used) ➢ Aggregation: Max
  • 29. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems 29 Technical Lag in npm Packages Version-based instantiation of : ➢ Ideal: Highest available version ➢ Delta: Version lag = (∆Major, ∆Minor, ∆Patch) ➢ Aggregation: Sum
  • 30. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems 30 Technical Lag in npm Packages > Time-based instantiation 1.0.1 1.1.0 2.0.01.2.0 2.0.1 Dependent package Technical lag time lag = date(2.0.1) - date(1.1.0) Required package
  • 31. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems 31 Technical Lag in npm Packages > Version-based instantiation 1.0.1 1.1.0 2.0.01.2.0 2.0.1 Dependent package Technical lag 1 minor time lag = date(2.0.1) - date(1.1.0) Required package
  • 32. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems 32 Technical Lag in npm Packages > Version-based instantiation 1.0.1 1.1.0 2.0.01.2.0 2.0.1 Dependent package Technical lag 1 minor time lag = date(2.0.1) - date(1.1.0) 1 major Required package
  • 33. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems 33 Technical Lag in npm Packages > Version-based instantiation 1.0.1 1.1.0 2.0.01.2.0 2.0.1 Dependent package Technical lag 1 minor time lag = date(2.0.1) - date(1.1.0) version lag = (1 major, 1 minor ,1 patch) 1 major 1 patch Required package
  • 34. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in npm Packages > Example Time-based technical lag for the package debug: - ideal (2.6.9) = 3.1.0 - time_lag(2.6.9) = 26-09-2017 - 22-09-2017 = 4 days - version_lag(2.6.9) = (1,1,1) 34
  • 35. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in npm Packages > Example Time-based technical lag for the package ms: - time_lag(2.0.0) = 198 days 35
  • 36. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in npm Packages > Example Aggregated Time-based technical lag for the package release youtube-player@5.5.0: - time_lag(debug@2.6.9) = 4 days - time_lag(ms@2.0.0) = 198 days ➔ agglag({debug@2.6.9, ms@2.0.0}) = max (4 days, 198 days) = 198 days 36
  • 37. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in npm Packages New package releases have an increased technical lag. Technical lag is induced by version constraints Time lag induced by direct dependencies in npm package releases: 37
  • 38. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in npm Packages Time lag induced by transitive runtime dependencies in npm package releases: Technical lag is accumulated from a level to another in the dependency tree. 38
  • 39. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in npm applications
  • 40. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in npm applications Time lag induced by direct dependencies in GitHub applications: Technical lag in GitHub applications is higher than in npm package releases 40
  • 41. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Docker Containers 41
  • 42. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in Docker Containers > Background 42 ● Containers are isolated bundles of software packages ● Docker is one of the main tools for containerisation ● DockerHub is the largest repository for container images
  • 43. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in Docker Containers > Background 43 What are the biggest barriers to putting containers in a production environment? - ClusterHQ
  • 44. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in Docker Containers > Background 44
  • 45. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in Docker Containers > Focus 45
  • 46. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in Docker Containers > Background 1.0.1 1.1.0 2.0.01.2.1 2.1.0 Docker container C Technical lag technical lag = ∆ Versions (freshness) ∆ Vulnerabilities (security) ∆ Bugs (stability) Ideal Version deployed container Included Package version Available releases of a Debian package 46
  • 47. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in Docker Containers > Software Freshness The majority of packages in Debian containers is up-to-date... … but most of the images contain outdated packages. How outdated are images? IDEAL = LATEST 47
  • 48. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in Docker Containers > Software Freshness Outdated Debian packages in Docker containers induce a median version lag of 1 version. What is the version lag induced by the used Debian package releases? IDEAL = LATEST 48
  • 49. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in Docker Containers > Software Security The number of vulnerabilities depends on the Debian release, and is moderately correlated with the number of outdated packages in a container. 49
  • 50. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in Docker Containers > Software Security Few packages (2.5%) need to be downgraded in order to have the most secure version. Can we reduce security lag in DockerHub container images? IDEAL = Most Secure 50
  • 51. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in Docker Containers > Survey 51
  • 52. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in Docker Containers 52 1 out of 3 depending on a vulnerable npm package never update their dependency and remain vulnerable A. Decan et al. “On the impact of security vulnerabilities in the npm package dependency network”, MSR 2018. "37% of websites include a JavaScript library with a known open source vulnerability” T. Lauinger et al. "Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web", NDSS 2017. So what about Docker containers having npm packages? Security vulnerabilities in npm JavaScript
  • 53. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Technical Lag in Docker Containers 53 ★ Old Node images might be missing many updates, including one major update. ★ All official Node-based images have vulnerable npm packages, with an average of 16 security vulnerabilities per image. ★ Older images are more likely to have more vulnerabilities.
  • 54. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Qualitative analysis: surveys and interviews Tooling Quantitative analysis Mixed-methods approach Technical lag formal framework 54
  • 55. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems ConPan: A tool to analyze packages in software containers > Existing tools 55
  • 56. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems (*): https://github.com/neglectos/ConPan ConPan(*): “CONtainer Packages ANalyzer” ConPan: A tool to analyze packages in software containers > Overview 56
  • 57. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Example: $ conpan -p debian -c google/mysql -d ~/ConPan/data/debian/ ConPan: A tool to analyze packages in software containers > From the CLI 57
  • 58. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems ConPan: A tool to analyze packages in software containers > From the API 58
  • 59. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems ConPan: A tool to analyze packages in software containers > From the API 59
  • 60. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems ConPan: A tool to analyze packages in software containers > From the API 60
  • 61. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Summary and Outlook 61
  • 62. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Summary 62
  • 63. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Future Work ● Other instantiations of the technical lag ○ Effort needed to reduce the technical lag ● Extend and enhance ConPan ● Cross ecosystems comparison ● Promote technical lag to be used by software developers 63
  • 64. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems Conclusion The technical lag could help open source software developers and deployers to keep their software in a healthy shape. 64
  • 65. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems https://github.com/neglectos/PhD_Dissertation
  • 66. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems 66 Evolution of Dependency constraints in npm packages - Caret (^) usage is increasing over time. - Caret introduction coincides with Major version lag increase.
  • 67. PhD Thesis A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems 67 The usage of strict constraint is much higher in external applications Evolution of Dependency constraints in GitHub applications