
Technical lag in npm and docker ecosystems


This was given in SoHeal workshop co-located with ICSE 2018

Published in: Science


  1. Technical Lag in npm and Docker Ecosystems. Ahmed Zerouali. SoHeal Workshop, co-located with ICSE, Gothenburg, Sweden - May 27, 2018
  2. /background
  3. /background Update vs. not update: “If I go there will be trouble, And if I stay it will be double, So come on and let me know: Should I Stay Or Should I Go?” The Clash
  4. /background Technical lag*: the increasing difference between deployed software packages and the ideal available upstream packages. Measurement: version updates, bugs, vulnerabilities, lines of code, commits, etc. Gold standard: stability, security, functionality, etc. (*) Gonzalez-Barahona et al., "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is." IFIP International Conference on Open Source Systems, Springer, Cham, 2017.
  5. /background Example: different kinds of “gold standards” for Debian
       Gold standard | Scenario                              | Candidate
       Stability     | Isolated system, stable functionality | Debian Stable
       Functionality | Cloud application                     | Latest upstream
       Security      | Reused containers                     | Stable upstream
  6. /background Credits: https://exploring-data.com/vis/npm-packages-dependencies/
  7. /Aim & case studies Goal: analyze technical lag of software ecosystems. - npm packages: the whole registry. - Docker containers based on Debian: 7,380.
  8. /method /technical lag - Measurement = version updates, time. - Version lag: version updates difference. - Time lag: time difference. - Gold standard = being up to date.
  9. /method /technical lag Dependency D, npm package versions: 1.0.1 1.1.0 1.2.0 2.0.0 2.0.1. Technical lag: - time lag = date(latest) - date(used) - version lag = (∆Major, ∆Minor, ∆Patch)
  10. /method /technical lag Dependency D, npm package versions: 1.0.1 1.1.0 1.2.0 2.0.0 2.0.1. Technical lag: - time lag (D) = date(2.1.0) - date(1.1.0)
  11. /method /technical lag Dependency D, npm package versions: 1.0.1 1.1.0 1.2.0 2.0.0 2.0.1. Technical lag: 1 minor. - time lag (D) = date(2.1.0) - date(1.1.0)
  12. /method /technical lag Dependency D, npm package versions: 1.0.1 1.1.0 1.2.0 2.0.0 2.0.1. Technical lag: 1 minor, 1 major. - time lag (D) = date(2.1.0) - date(1.1.0)
  13. /method /technical lag Dependency D, npm package versions: 1.0.1 1.1.0 1.2.0 2.0.0 2.0.1. Technical lag: 1 minor, 1 major, 1 patch. - time lag (D) = date(2.1.0) - date(1.1.0) - version lag (D) = (1,1,1)
  14. /method /technical lag npm package P, dependency D with constraint ^1.0.0 (other constraints in the figure: *, ^1.0.0, ^2.0.0). D versions: 1.0.1 1.2.0 2.0.0 2.0.1 2.1.0 3.6.0 4.0.0 4.1.0 5.0.0. ^1.0.0 = [1.0.0, 2.0.0[ allowed
  15. /method /semantic versioning Other: *, ==1.2.3, >1.2.3, <1.2.3, 1.2.x, 1.x.x
  16. /method /technical lag npm package P, dependency D with constraint ^1.0.0 (other constraints in the figure: *, ^1.0.0, ^2.0.0). D versions: 1.0.1 1.2.0 2.0.0 2.0.1 2.1.0 3.6.0 4.0.0 4.1.0 5.0.0. ^1.0.0 = [1.0.0, 2.0.0[ allowed
  17. /method /technical lag npm package P, dependency D with constraint ^1.0.0 (other constraints in the figure: *, ^1.0.0, ^2.0.0). D versions: 1.0.1 1.2.0 2.0.0 2.0.1 2.1.0 3.6.0 4.0.0 4.1.0 5.0.0. ^1.0.0 = [1.0.0, 2.0.0[ allowed. Technical lag
  18. /method /technical lag npm package P, dependency D with constraint ^1.0.0 (other constraints in the figure: *, ^1.0.0, ^2.0.0). D versions: 1.0.1 1.2.0 2.0.0 2.0.1 2.1.0 3.6.0 4.0.0 4.1.0 5.0.0. ^1.0.0 = [1.0.0, 2.0.0[ allowed. Technical lag = 0
  19. /results /npm packages For direct dependencies. npm package P and its direct dependencies.
  20. /results /npm packages For direct dependencies. - Time lag is increasing over time. - More than 500K packages with about 4M package releases and 46M dependencies.
  21. /results /npm packages For direct dependencies. - Development dependencies have slightly more version lag than runtime dependencies.
  22. /results /npm packages For direct dependencies. - Caret (^) usage is increasing over time. - Caret introduction coincides with the increase in major version lag.
  23. /results /npm external applications For direct dependencies. - Technical lag is higher in external applications. - More than 600K repositories (6.2M dependencies).
  24. /results /npm external applications For direct dependencies. - The usage of strict constraints is much higher in external applications.
  25. /results /npm packages For transitive dependencies. npm package P and its transitive dependencies.
  26. /results /npm packages For transitive dependencies: time lag and version lag.
  27. /results /Docker containers
  28. /method /technical lag in Docker Installed package D, versions: 1.0.1 1.1.0 1.2.1 2.0.0 2.1.0. The deployed container includes one package version; the ideal version is the latest. technical lag (D) = (∆Versions, ∆Vulnerabilities, ∆Bugs)
  29. /results /Docker The majority of packages in Debian containers is up to date.
  30. /results /Docker - Outdated Debian packages in Docker containers induce a median version lag of 1 version.
  31. /results /Docker
  32. /conclusion - Technical lag can be a measurement of software health. - Technical lag can be a proxy for the effort needed to deploy the ideal version.
  33. Thank you
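As an added worked example (not code from the slides or the speaker), the time lag and version lag of slides 9 to 18 computed in Python for dependency D: the caret rule ^1.0.0 = [1.0.0, 2.0.0[ is implemented as npm defines it, including the 0.x cases the slides do not show, and the release dates are constructed.

```python
from datetime import date

def parse(v):
    return tuple(int(x) for x in v.split("."))  # "1.2.3" -> (1, 2, 3)

def caret_allows(constraint, version):
    # npm caret rule (slide 14: ^1.0.0 = [1.0.0, 2.0.0[); ^0.Y.Z stops at 0.(Y+1).0, ^0.0.Z at 0.0.(Z+1)
    base = parse(constraint.lstrip("^"))
    if base[0] > 0:
        upper = (base[0] + 1, 0, 0)
    elif base[1] > 0:
        upper = (0, base[1] + 1, 0)
    else:
        upper = (0, 0, base[2] + 1)
    return base <= parse(version) < upper

def version_lag(used, ideal, releases):
    # (dMajor, dMinor, dPatch): each release in (used, ideal] counted by the component it bumps (slide 13: (1,1,1))
    lo, hi = parse(used), parse(ideal)
    lag, prev = [0, 0, 0], lo
    for r in sorted(v for v in map(parse, releases) if lo < v <= hi):
        if r[0] != prev[0]:
            lag[0] += 1
        elif r[1] != prev[1]:
            lag[1] += 1
        else:
            lag[2] += 1
        prev = r
    return tuple(lag)

def time_lag_days(used, ideal, release_dates):
    return (release_dates[ideal] - release_dates[used]).days  # date(ideal) - date(used)

def technical_lag(used, constraint, release_dates):
    # Lag against the highest release the constraint permits (what a resolver installs) and against the latest overall
    releases = list(release_dates)
    highest_allowed = max((v for v in releases if caret_allows(constraint, v)), key=parse)
    latest = max(releases, key=parse)
    return {
        "highest_allowed": highest_allowed,
        "within_constraint": (version_lag(used, highest_allowed, releases),
                              time_lag_days(used, highest_allowed, release_dates)),
        "vs_latest": (version_lag(used, latest, releases),
                      time_lag_days(used, latest, release_dates)),
    }

# Constructed release history for dependency D: versions as on slide 14, dates made up for this example.
D_RELEASES = {"1.0.1": date(2017, 1, 10), "1.2.0": date(2017, 3, 1), "2.0.0": date(2017, 6, 1),
              "2.0.1": date(2017, 6, 15), "2.1.0": date(2017, 9, 1), "3.6.0": date(2017, 12, 1),
              "4.0.0": date(2018, 2, 1), "4.1.0": date(2018, 3, 1), "5.0.0": date(2018, 5, 1)}
```

Calling technical_lag("1.2.0", "^1.0.0", D_RELEASES) gives zero lag within the constraint (slide 18) but a version lag of (4, 2, 1) against the latest release, which is the gap the caret hides.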
