Technical Lag in Software Ecosystems
0 likes
views
This presentation was given at the BENEVOL 2019 workshop in Brussels. Abstract: Reusable Open Source Software (OSS) components for major programming languages are available in package repositories. Developers rely on package management tools to automate deployments, specifying which package releases satisfy the needs of their applications. However, these specifications may lead to deploying package releases that are outdated or otherwise undesirable because they do not include bug fixes, security fixes, or new functionality. In contrast, automatically updating to a more recent release may introduce incompatibility issues. To capture this delicate balance, we formalise a generic framework of technical lag, a concept that quantifies to which extent a deployed collection of components is outdated with respect to the ideal deployment. The framework can be used to assess and reduce the outdatedness, vulnerability and bugginess of software deployments, software projects, software containers and reusable software libraries. We argue that such a metric is very relevant for assessing the health of software (eco)systems, and should be used.
Recommended
Technical Lag in Software Ecosystems
- Technical Lag in Software Ecosystems Ahmed Zerouali The 18th Belgium-Netherlands Software Evolution Workshop November 28-29, 2019 - VUB, Brussels 1
- 2
- /background Credits: libraries.io 3
- /background Not updateUpdate “If I go there will be trouble, And if I stay it will be double, So come on and let me know: Should I Stay Or Should I Go? ” The Clash 4
- /background Technical lag*: the difference between deployed software packages and the ideal available packages. 1.0.1 1.2.0 2.0.12.0.0 2.1.0 Technical lag Deployed Ideal Releases of a used software 5
- /background Measurement: bugs, vulnerabilities, version updates, line of code, commits, etc. Gold standard/IDEAL: stability, security, functionality, etc. 6
- /example up-to-date 1.0.1 3.6.0 1.2.0 4.0.0 allowed dependent package P required package D 7
- /example outdated 1.0.1 1.2.0 2.0.1 3.6.0 4.0.0 2.0.0 allowed 4.1.0 missing updates dependent package P required package D 8
- /example package.json 9
- /dependency network Credits: https://exploring-data.com/vis/npm-packages-dependencies/ 10
- /dependency tree Credits: https://exploring-data.com/vis/npm-packages-dependencies/ 11
- /technical lag framework ● is a set of component releases ● is a set of possible lag values ● ideal : → is a function returning the “ideal” component release ● delta : x → is a function computing the difference between two component releases ● agg : is a function aggregating the results of a set of lags 12
- /technical lag framework Given a technical lag framework , we define: Technical lag Aggregated Technical lag Let D C be a set of components, then: 13
- /case studies - npm packages : the whole registry - Debian-based Docker images Goal: Analyze technical lag in software ecosystems. 14
- /results /npm packages - npm packages have a median version lag of 14 versions (2 majors, 2 minors , 10 patches) - Technical lag is increasing over time. - Version constraints (e.g, ^1.0.0), are the main reason behind the technical lag. - Development dependencies have slightly more technical lag than runtime dependencies For direct dependencies versions 15
- /results /npm applications For direct dependencies Time lag induced by direct dependencies in GitHub applications: Technical lag in GitHub applications is higher than in npm package releases 16
- /results /Docker images - Debian packages have a median version lag of 1 version - Debian-based images have a median version lag of 6 versions. - Technical lag depends on the Debian version used in the image - Different dimensions of technical lag are complementary 17
- /conclusion - The technical lag could help open source software developers and deployers to keep their software in a healthy shape. - TL can be a proxy for the effort needed to deploy the ideal version. 18