Technical lag in npm and docker ecosystems
  1. Technical Lag in npm and Docker Ecosystems. Ahmed Zerouali. SoHeal Workshop, co-located with ICSE, Gothenburg, Sweden, May 27, 2018.
  2. /background
  3. /background Update vs. not update: "If I go there will be trouble, And if I stay it will be double, So come on and let me know: Should I Stay Or Should I Go?" (The Clash)
  4. /background Technical lag*: the increasing difference between the deployed software packages and the ideal packages available upstream. Measurement: version updates, bugs, vulnerabilities, lines of code, commits, etc. Gold standard (what "ideal" means): stability, security, functionality, etc. (*) Gonzalez-Barahona et al., "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is", IFIP International Conference on Open Source Systems, Springer, Cham, 2017.
  5. /background Example: different kinds of "gold standard" for Debian
       Gold standard   Scenario                                Candidate
       Stability       Isolated system, stable functionality   Debian Stable
       Functionality   Cloud application                       Latest upstream
       Security        Reused containers                       Stable upstream
  6. /background Credits: https://exploring-data.com/vis/npm-packages-dependencies/ (visualization of npm package dependencies)
  7. /Aim & case studies Goal: analyze the technical lag of software ecosystems. Case studies: npm packages (the whole registry); Docker containers based on Debian (7,380 containers).
  8. /method /technical lag Measurement = version updates and time. Version lag: difference in version updates; time lag: difference in time. Gold standard = being up to date.
  9-13. /method /technical lag Release timeline of dependency D (npm package versions): 1.0.1, 1.1.0, 1.2.0, 2.0.0, 2.0.1. Technical lag: time lag = date(latest) - date(used); version lag = (ΔMajor, ΔMinor, ΔPatch). With 1.1.0 in use and 2.0.1 the latest release: time lag(D) = date(2.0.1) - date(1.1.0); version lag(D) = (1, 1, 1), i.e. one minor release (1.2.0), one major release (2.0.0) and one patch release (2.0.1) have been missed.
  14. /method /technical lag Release timeline of dependency D (npm package versions): 1.0.1, 1.2.0, 2.0.0, 2.0.1, 2.1.0, 3.6.0, 4.0.0, 4.1.0, 5.0.0. The figure shows P's constraint on D over P's releases: ^1.0.0, *, ^1.0.0, ^2.0.0. ^1.0.0 = [1.0.0, 2.0.0[, so only 1.0.1 and 1.2.0 are allowed.
  15. /method /semantic versioning Other constraint forms: *, ==1.2.3, >1.2.3, <1.2.3, 1.2.x, 1.x.x
  16-18. /method /technical lag The installed version is the highest release the constraint allows, and the lag is measured from it to the latest release. Under ^1.0.0 the highest allowed version is 1.2.0 while the latest is 5.0.0, so P incurs technical lag; under a constraint that admits the latest release (e.g. *), technical lag = 0.
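Added example, not from the slides or the authors' tooling: a small JavaScript program that computes the two lag measures defined on slides 9-18 for a dependency constraint. The release history of D (1.0.1 … 5.0.0) follows slides 14-18; the publish dates are constructed, since the slides show none, and the constraint evaluator is a minimal hand-written stand-in covering the forms on slide 15 plus ^ and ~ (not the npm `semver` package).

```javascript
// Added example (not from the slides or the authors' tooling): technical lag
// of an npm dependency under a version constraint, using the definitions
// from slides 9-18. D's release history follows slides 14-18; the publish
// dates are constructed, since the slides show none.
const RELEASES_OF_D = [
  { version: '1.0.1', date: '2016-01-01' },
  { version: '1.2.0', date: '2016-03-01' },
  { version: '2.0.0', date: '2016-06-01' },
  { version: '2.0.1', date: '2016-06-15' },
  { version: '2.1.0', date: '2016-09-01' },
  { version: '3.6.0', date: '2017-01-01' },
  { version: '4.0.0', date: '2017-04-01' },
  { version: '4.1.0', date: '2017-06-01' },
  { version: '5.0.0', date: '2017-10-01' },
];

function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  return 0;
}

// Hand-written evaluator for the constraint forms on slide 15
// (*, ==1.2.3, >1.2.3, <1.2.3, 1.2.x, 1.x.x) plus caret and tilde; it is a
// stand-in for the npm `semver` package, not a complete implementation.
function satisfies(version, constraint) {
  const c = constraint.trim();
  if (c === '*' || c === '') return true;
  const tuple = (maj, min, pat) => `${maj}.${min}.${pat}`;
  const inRange = (lower, upperExcl) =>
    compareVersions(version, lower) >= 0 && compareVersions(version, upperExcl) < 0;
  if (c.startsWith('^')) {
    // caret: the leftmost non-zero component must stay the same
    const l = parseVersion(c.slice(1));
    const upper = l.major > 0 ? tuple(l.major + 1, 0, 0)
      : l.minor > 0 ? tuple(0, l.minor + 1, 0) : tuple(0, 0, l.patch + 1);
    return inRange(c.slice(1), upper);
  }
  if (c.startsWith('~')) {
    // tilde: patch-level changes only
    const l = parseVersion(c.slice(1));
    return inRange(c.slice(1), tuple(l.major, l.minor + 1, 0));
  }
  const m = c.match(/^(>=|<=|>|<|==|=)?\s*(\S+)$/);
  if (!m) throw new Error(`unsupported constraint: ${constraint}`);
  const [, op = '=', target] = m;
  if (target.includes('x')) {
    // x-ranges: 1.2.x fixes major and minor, 1.x.x fixes major only
    const v = parseVersion(version);
    const [maj, min] = target.split('.');
    return v.major === Number(maj) && (min === 'x' || v.minor === Number(min));
  }
  const cmp = compareVersions(version, target);
  return { '>': cmp > 0, '>=': cmp >= 0, '<': cmp < 0, '<=': cmp <= 0, '=': cmp === 0, '==': cmp === 0 }[op];
}

function daysBetween(fromIso, toIso) {
  const utc = (s) => { const [y, m, d] = s.split('-').map(Number); return Date.UTC(y, m - 1, d); };
  return Math.round((utc(toIso) - utc(fromIso)) / 86400000);
}

// Version lag (slide 13): count the major, minor and patch releases that lie
// after the version in use, each release classified by the component that
// changed relative to its predecessor. `usedVersion` must be one of the releases.
function versionLag(releases, usedVersion) {
  const sorted = [...releases].sort((a, b) => compareVersions(a.version, b.version));
  const lag = { major: 0, minor: 0, patch: 0 };
  for (let i = 1; i < sorted.length; i++) {
    if (compareVersions(sorted[i].version, usedVersion) <= 0) continue;
    const prev = parseVersion(sorted[i - 1].version), cur = parseVersion(sorted[i].version);
    if (cur.major !== prev.major) lag.major++;
    else if (cur.minor !== prev.minor) lag.minor++;
    else lag.patch++;
  }
  return lag;
}

// Technical lag of dependency D under a constraint (slides 14-18): the
// highest release the constraint allows is what an install would pick,
// and the lag is its distance to the latest release overall.
function technicalLag(releases, constraint) {
  const newest = (a, b) => (compareVersions(b.version, a.version) > 0 ? b : a);
  const latest = releases.reduce(newest);
  const allowed = releases.filter((r) => satisfies(r.version, constraint));
  if (allowed.length === 0) return null; // nothing satisfies the constraint: install fails
  const used = allowed.reduce(newest);
  return {
    used: used.version,
    latest: latest.version,
    timeLagDays: daysBetween(used.date, latest.date),
    versionLag: versionLag(releases, used.version),
  };
}

for (const constraint of ['^1.0.0', '^2.0.0', '~2.0.0', '*']) {
  console.log(constraint.padEnd(7), JSON.stringify(technicalLag(RELEASES_OF_D, constraint)));
}
```

Real publish dates for a package can be pulled with `npm view <package> time --json`, which maps each version to its publish timestamp; feeding that into `technicalLag` with the constraint from a `package.json` reproduces the direct-dependency measurement of slides 19-24 for one dependency. A `null` result means the constraint matches no published release at all, which is an install failure rather than lag.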
  19. /results /npm packages For direct dependencies (npm package P and its direct dependencies)
  20. /results /npm packages For direct dependencies: time lag is increasing over time. Data: more than 500K packages, about 4M package releases and 46M dependencies.
  21. /results /npm packages For direct dependencies: development dependencies have slightly more version lag than runtime dependencies.
  22. /results /npm packages For direct dependencies: caret (^) usage is increasing over time, and the introduction of the caret coincides with an increase in major version lag.
  23. /results /npm external applications For direct dependencies: technical lag is higher in external applications. Data: more than 600K repositories (6.2M dependencies).
  24. /results /npm external applications For direct dependencies: the usage of strict constraints is much higher in external applications.
  25. /results /npm packages For transitive dependencies (npm package P and its transitive dependencies)
  26. /results /npm packages For transitive dependencies: time lag and version lag (figures)
  27. /results /Docker containers
  28. /method /technical lag in Docker Release timeline of installed package D: 1.0.1, 1.1.0, 1.2.1, 2.0.0, 2.1.0. Technical lag is measured between the package version included in the deployed container and the ideal version: technical lag(D) = (ΔVersions, ΔVulnerabilities, ΔBugs).
  29. /results /Docker The majority of packages in Debian containers are up to date.
  30. /results /Docker Outdated Debian packages in Docker containers have a median version lag of 1 version.
  31. /results /Docker (figure)
  32. /conclusion Technical lag can be a measurement of software health. Technical lag can be a proxy for the effort needed to deploy the ideal version.
  33. Thank you
