Technical lag in npm and docker ecosystems

1. Technical Lag in npm and Docker Ecosystems Ahmed Zerouali SoHeal Workshop, co-located with ICSE Gothenburg, Sweden - May 27, 2018

2. /background

3. /background Not updateUpdate “If I go there will be trouble, And if I stay it will be double, So come on and let me know: Should I Stay Or Should I Go? ” The Clash

4. /background Technical lag*: the increasing diﬀerence between deployed software packages and the ideal available upstream packages Measurement: version updates, bugs, vulnerabilities, line of code, commits, etc. (*) Gonzalez-Barahona, et al. "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is." IFIP International Conference on Open Source Systems. Springer, Cham, 2017. Gold standard: stability, security, functionality, etc.

5. /background Example: diﬀerent kinds of “gold standards” for Debian Gold standard Scenario Candidate Stability Isolated system, stable functionality Debian Stable Functionality Cloud application Latest upstream Security Reused containers Stable upstream

6. /background Credits: https://exploring-data.com/vis/npm-packages-dependencies/

7. /Aim & case studies - npm packages : the whole registry - Docker containers based on Debian: 7,380 Goal: Analyze technical lag of software ecosystems.

8. /method /technical lag - Measurement = version updates, time - version lag : version updates diﬀerence - time lag: time diﬀerence - Gold standard = being up to date.

9. /method /technical lag 1.0.1 1.1.0 2.0.01.2.0 2.0.1 Dependency: D npm package version Technical lag - time lag = date(latest) - date(used) - version lag = (∆Major, ∆Minor, ∆Patch)

10. /method /technical lag 1.0.1 1.1.0 2.0.01.2.0 2.0.1 Dependency: D npm package version Technical lag - time lag (D)= date(2.1.0) - date(1.1.0)

11. /method /technical lag 1.0.1 1.1.0 2.0.01.2.0 2.0.1 Dependency: D npm package version Technical lag 1 minor - time lag (D)= date(2.1.0) - date(1.1.0)

12. /method /technical lag 1.0.1 1.1.0 2.0.01.2.0 2.0.1 Dependency: D npm package version Technical lag - time lag (D)= date(2.1.0) - date(1.1.0) 1 minor 1 major

13. /method /technical lag 1.0.1 1.1.0 2.0.01.2.0 2.0.1 Dependency: D npm package version Technical lag 1 minor 1 major 1 patch - time lag (D)= date(2.1.0) - date(1.1.0) - version lag (D) = (1,1,1)

14. /method /technical lag 1.0.1 1.2.0 2.0.1 3.6.0 4.1.04.0.0 5.0.0 2.0.0 2.1.0 npm package: P dependency: D ^1.0.0 * ^1.0.0 ^2.0.0 ^1.0.0 = [ 1.0.0, 2.0.0 [ allowed

15. /method /semantic versioning Other: *, ==1.2.3, >1.2.3, <1.2.3, 1.2.x, 1.x.x

16. /method /technical lag 1.0.1 1.2.0 2.0.1 3.6.0 4.1.04.0.0 5.0.0 2.0.0 2.1.0 npm package: P dependency: D ^1.0.0 * ^1.0.0 ^2.0.0 ^1.0.0 = [ 1.0.0, 2.0.0 [ allowed

17. /method /technical lag 1.0.1 1.2.0 2.0.1 3.6.0 4.1.04.0.0 5.0.0 2.0.0 2.1.0 npm package: P dependency: D ^1.0.0 Technical lag * ^1.0.0 ^2.0.0 allowed ^1.0.0 = [ 1.0.0, 2.0.0 [

18. /method /technical lag 1.0.1 1.2.0 2.0.1 3.6.0 4.1.04.0.0 5.0.0 2.0.0 2.1.0 npm package: P dependency: D ^1.0.0 Technical lag = 0 * ^1.0.0 ^2.0.0 allowed ^1.0.0 = [ 1.0.0, 2.0.0 [

19. /results /npm packages For direct dependencies npm package: P Dependencies Direct

20. /results /npm packages - Time las is increasing over time. - More than 500K packages with about 4M package releases and 46M dependencies. For direct dependencies

21. /results /npm packages - Development dependencies have slightly more version lag than runtime dependencies For direct dependencies

22. /results /npm packages - Caret (^) usage is increasing over time. - Caret introduction coincides with Major version lag increase. For direct dependencies

23. /results /npm external applications - Technical lag is higher in external applications. - more than 600k repositories (6.2M dependencies) For direct dependencies

24. /results /npm external applications For direct dependencies - The usage of strict constraint is much higher in external applications

25. /results /npm packages npm package: P Dependencies For transitive dependencies

26. /results /npm packages For transitive dependencies Time Lag Version lag

27. /results /Docker containers

28. /method /technical lag in Docker 1.0.1 1.1.0 2.0.01.2.1 2.1.0 Installed package: D Technical lag technical lag (D) = ∆Versions ∆Vulnerabilities ∆Bugs Ideal Version deployed container Included Package version

29. /results /Docker The majority of packages in Debian containers is up-to-date.

30. /results /Docker - Outdated Debian packages in Docker containers induce a median of version lag of 1 version.

31. /results /Docker

32. /conclusion - Technical lag can be a measurement of software health. - TL can be a proxy for the eﬀort needed to deploy the ideal version.

33. Thank you

Technical lag in npm and docker ecosystems

You are reading a preview.

Technical lag in npm and docker ecosystems

More Related Content

More from Ahmed Zerouali

Featured

Related Books

Related Audiobooks