Download to read offline
![5
There [is] no
such thing as
a free lunch
“ ”](https://image.slidesharecdn.com/buildlicensing-141103121732-conversion-gate02/85/Tracing-Software-Build-Processes-to-Uncover-License-Compliance-Inconsistencies-A-Retrospective-11-320.jpg)
![5
There [is] no
such thing as
a free lunch
“ ” An Empirical Study of
Build Maintenance
Effort
S. McIntosh, B. Adams,
T. H. D. Nguyen,
Y. Kamei, A. E. Hassan
[ICSE 2011]
Up to 27% of
source changes
are accompanied
by build changes](https://image.slidesharecdn.com/buildlicensing-141103121732-conversion-gate02/85/Tracing-Software-Build-Processes-to-Uncover-License-Compliance-Inconsistencies-A-Retrospective-12-320.jpg)
Uploaded byShane McIntosh
Tracing Software Build Processes to Uncover License Compliance Inconsistencies: A Retrospective
This document discusses using build systems to uncover license compliance inconsistencies. It describes how build systems can be traced to construct dependency graphs and annotate components with license information. An empirical study found the approach accurately discovered inconsistencies with 88-100% precision and 98-100% recall. The technique prompted code changes in two systems within a few days to resolve license issues uncovered.
More Related Content
Similar to Tracing Software Build Processes to Uncover License Compliance Inconsistencies: A Retrospective
Tracing Software Build Processes to Uncover License Compliance Inconsistencies: A Retrospective
- 1. Tracing Software Build Processesto Uncover License Compliance Inconsistencies Shane McIntosh Sander van der Burg Eelco Dolstra Julius Davies Daniel M. Germán Armijn Hemel Tjaldur Software Governance Solutions @shane_mcintosh
- 2. Source code What is abuild system?
- 3. Source code Deliverable What is abuild system?
- 4. .tex .c .cc .o .o .dvi .a .exe .pdf .deb Build systems describehow sources are translated into deliverables 3
- 5. Continuous Integration: Enabled bythe build system 4 .c .mk
- 6. Continuous Integration: Enabled bythe build system Commit 4 Commit 9719cf0 .c .mk
- 7. Continuous Integration: Enabled bythe build system Commit 4 Build Commit 9719cf0 .c .mk
- 8. Continuous Integration: Enabled bythe build system Commit 4 Build Test Commit 9719cf0 .c .mk
- 9. Continuous Integration: Enabled bythe build system Commit 4 Build Test Report Commit 9719cf0 wassuccessfullyintegrated Commit 9719cf0 .c .mk
- 10. Continuous Integration: Enabled bythe build system Commit 4 Build Test Report Commit 9719cf0 wassuccessfullyintegrated Commit 9719cf0 .c .mk
- 11. 5 There [is] no suchthing as a free lunch “ ”
- 12. 5 There [is] no suchthing as a free lunch “ ” An Empirical Study of Build Maintenance Effort S. McIntosh, B. Adams, T. H. D. Nguyen, Y. Kamei, A. E. Hassan [ICSE 2011] Up to 27% of source changes are accompanied by build changes
- 13.
- 14.
- 15. 6 Maintenance overhead Build technology andmaintenance .c .mk? Source-build co-change
- 16. 6 Maintenance overhead Build logic cloning Buildtechnology and maintenance .c .mk? Source-build co-change
- 17. 6 Execution overhead Maintenance overhead Buildlogic cloning Build technology and maintenance .c .mk? Source-build co-change
- 18. 6 Execution overhead Maintenance overhead Buildlogic cloning Build technology and maintenance .c .mk? Source-build co-change Build hotspot detection
- 19. 6 Execution overhead Maintenance overhead Buildlogic cloning Build technology and maintenance .c .mk? Source-build co-change Powerful hotspot indicators Build hotspot detection
- 20. 6 Execution overhead Maintenance overhead Buildlogic cloning Build technology and maintenance .c .mk? Source-build co-change Powerful hotspot indicators Build hotspot detection Build systems also contain useful information!
- 21. Reusable components arereleased under different license terms 7
- 22. Reusable components arereleased under different license terms 7 Apache Public License
- 23. Failure to complywith license terms can lead to costly legal issues 8
- 24. Failure to complywith license terms can lead to costly legal issues 8
- 25. Failure to complywith license terms can lead to costly legal issues 8
- 26. 9 Which source files areenabled? Ensuring license compliance with reused components .c.c.c.c
- 27. 9 Which source files areenabled? Ensuring license compliance with reused components .c.c.c .c
- 28. 9 Which source files areenabled? Which components are used? Ensuring license compliance with reused components .c.c.c .c
- 29. 9 Which source files areenabled? Which components are used? How are they combined? Ensuring license compliance with reused components .c.c.c .c Static link Dynamic link
- 30. 9 Which source files areenabled? Which components are used? How are they combined? Ensuring license compliance with reused components .c.c.c .c Static link Dynamic link The build system can answer these questions!
- 31. We use systemtracing to discover build dependencies Build process 10 Trace log
- 32. OS kernel open() We usesystem tracing to discover build dependencies Build process 10 read() write() close() Trace log
- 33. Trace log We mine buildtraces to construct a concrete build dependency graph patchelf.ccelf.h patchelf.o patchelf /usr/bin/patchelf libstdc++ 11
- 34. Trace log We mine buildtraces to construct a concrete build dependency graph patchelf.ccelf.h patchelf.o patchelf /usr/bin/patchelf g++ libstdc++ g++ install 11
- 35. patchelf.ccelf.h patchelf.o patchelf /usr/bin/patchelf g++ libstdc++ g++ install Annotate build graphnodes with license information using Ninka 12
- 36. patchelf.ccelf.h patchelf.o patchelf /usr/bin/patchelf g++ libstdc++ g++ install Annotate build graphnodes with license information using Ninka 12
- 37. Inconsistency introduced! patchelf.ccelf.h patchelf.o patchelf /usr/bin/patchelf g++ libstdc++ g++ install Annotate build graphnodes with license information using Ninka 12
- 38.
- 39.
- 40.
- 41.
- 42. 14 Measuring the accuracy ofour CBDG approach Included .c.c.c.c Excluded
- 43. 14 Measuring the accuracy ofour CBDG approach Included .c.c.c .cExcluded
- 44. 14 Measuring the accuracy ofour CBDG approach Included .c.c .c .cExcluded Delete
- 45. 14 Measuring the accuracy ofour CBDG approach Included .c.c .c .cExcluded Delete Execute build
- 46. 14 Broken means true positive Measuringthe accuracy of our CBDG approach Included .c.c .c .cExcluded Delete Execute build
- 47. 14 Clean means false positive Brokenmeans true positive Measuring the accuracy of our CBDG approach Included .c.c .c .cExcluded Delete Execute build
- 48. 14 Clean means false positive Brokenmeans true positive Measuring the accuracy of our CBDG approach Included .c.c .c .cExcluded Delete Execute build .c
- 49. 14 Clean means false positive Brokenmeans true positive Measuring the accuracy of our CBDG approach Included .c.c .c .cExcluded Delete Execute build Execute build .c
- 50. 14 Clean means false positive Brokenmeans true positive Measuring the accuracy of our CBDG approach Included .c.c .c .cExcluded Delete Execute build Broken means false negative Execute build .c
- 51. 14 Clean means false positive Brokenmeans true positive Measuring the accuracy of our CBDG approach Included .c.c .c .cExcluded Delete Execute build Clean means true negative Broken means false negative Execute build .c
- 52.
- 53. Bugs filed usingour approach on multi-licensed packages FFmpeg License was updated within 3 days + 16
- 54. Bugs filed usingour approach on multi-licensed packages FFmpeg License was updated within 3 days + CUPS + Offending files were removed within 2 days 16
- 55.