Is my software ecosystem healthy? It depends! (Tom Mens)
QUATIC 2020 keynote presentation by Tom Mens (University of Mons) on dependency-related health issues in software ecosystems and research advances to address such health issues. Part of the presented research has been conducted as part of the Belgian SECO-ASSIST Excellence of Science Research Project.
On backporting practices in package dependency networks (Tom Mens)
Presentation at FOSDEM 2022 Composition and Dependency Management DevRoom of empirical research on backporting practices in package dependency networks, published in the IEEE Transactions in Software Engineering in 2021 (https://doi.org/10.1109/TSE.2021.3112204)
Joint work by Alexandre Decan, Tom Mens, Ahmed Zerouali and Coen De Roover as part of the Belgian Excellence of Science research project SECOASSIST (https://secoassist.github.io)
Software Ecosystems as Networks - Advances on the FASTEN project, Paolo Boldi... (Fasten Project)
FASTEN was presented in the Devroom on Dependency Management at FOSDEM 2021. Presentation Abstract: The goal of the EU project FASTEN is being able to perform a more sophisticated analysis of security-vulnerability propagation, licensing compliance, and dependency risk profiles (among others) by relying on the call-level dependency network of the whole software ecosystem. We outline the purpose and structure of the project, and present some preliminary results.
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems (Tom Mens)
Presentation by Tom Mens at PackagingCon 2021 on Wednesday 10 November 2021.
Abstract: Semantic versioning (semver) is a commonly accepted open source practice, used by many package management systems to inform whether new package releases introduce possibly backward incompatible changes. Maintainers depending on such packages can use this practice to reduce the risk of breaking changes in their own packages by specifying version constraints on their dependencies. Depending on the amount of control a package maintainer desires to assert over her package dependencies, these constraints can range from very permissive to very restrictive. We empirically compared the evolution of semver compliance in four package management systems: Cargo, npm, Packagist and Rubygems. We discuss to what extent ecosystem-specific characteristics influence the degree of semver compliance, and we suggest developing tools that adopt the wisdom of the crowds to help package maintainers decide which type of version constraints they should impose on their dependencies.
We also studied to which extent the packages distributed by these package managers are still using a 0.y.z release, suggesting less stable and immature packages. We explore the effect of such "major zero" packages on semantic versioning adoption.
Our findings shed light on some important differences between package managers with respect to package versioning policies.
Our empirical results have been published in two peer-reviewed academic journals: the IEEE Transactions in Software Engineering (https://doi.org/10.1109/TSE.2019.2918315) and Elsevier Science of Computer Programming (https://doi.org/10.1016/j.scico.2021.102656).
Acknowledgments: Research conducted in the context of the SECOASSIST "Excellence of Science" Research Project.
Evolving Software Ecosystems: Health and beyond (econst)
Software evolves over time and several challenges arise concerning both the technical artefacts produced during development, as well as the developer community that maintains these artefacts. Evolution challenges become even more prominent in software ecosystems (SECOs), which are large collections of interdependent software packages/projects that share a common technological platform and that are maintained by large online communities of contributors. SECOs are subject to changes at an ever-increasing pace, thus facing health and longevity issues. In this talk, we will present our current research on SECO evolution and health, for both the technical and social aspects of SECOs. On the one hand, we will present our work on package dependency issues in SECOs throughout their evolution. On the other hand, we will present a socio-technical analysis of SECOs, studying aspects such as contributor abandonment. We will conclude our talk by presenting our future research agenda.
FOSDEM 2020 Presentation: Comparing dependency management issues across packa... (Fasten Project)
This talk "Comparing dependency management issues across packaging ecosystems" was presented by Tom Mens, from Software Engineering Lab, University of Mons, Belgium, at FOSDEM 2020 during the Devroom Session "Dependency Management".
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,... (Tom Mens)
Presentation by Tom Mens of the SANER 2019 paper that received the best paper award. The topic concerns Docker containers, and more in particular the relation between outdated packages, technical lag, security vulnerabilities and bugs.
Presentation by Tom Mens at FOSDEM21 (Free Open Source Developers Meeting, February 2021). Published in Science of Computer Programming, August 2021.
https://doi.org/10.1016/j.scico.2021.102656
Abstract: When developing open source software end-user applications or reusable software packages, developers depend on software packages distributed through package managers such as npm, Packagist, Cargo, RubyGems. In addition to this, empirical evidence has shown that these package managers adhere to a large extent to semantic versioning principles. Packages that are still in major version zero are considered unstable according to semantic versioning, as some developers consider such packages as immature, still being under initial development.
This presentation reports on large-scale empirical evidence on the use of dependencies towards 0.y.z versions in four different software package distributions: Cargo, npm, Packagist and RubyGems. We study to which extent packages get stuck in the zero version space, never crossing the psychological barrier of major version zero. We compare the effect of the policies and practices of package managers on this phenomenon. We do not reveal the results of our findings in this abstract yet, as it would spoil the fun of the presentation.
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk (DevOps.com)
Have you considered what truly separates accidental vulnerabilities in open source from intentionally malicious releases? Although often grouped together as "vulnerabilities", malicious open source components are very different, right from their very creation through to the way you mitigate and remediate them as an end user. The past 12 months saw a record-breaking time for detection of malicious components in the world's most popular package registries.
Join Rhys Arkins, Director of Product at WhiteSource, as he discusses:
* The key differences between accidental vulnerabilities and malicious releases,
* How to manage the risk for each type of vulnerability,
* Lessons learned from the most interesting malicious packages spotted during 2019.
Socio-Technical Analysis of Software Ecosystem Health (Tom Mens)
Presentation of joint research by Tom Mens, Bram Adams and Josianne Marsan as part of the SECOHealth research project. Presented during the BENEVOL software evolution research seminar in Antwerp, Belgium, 4-5 December 2017. We present the research goals and preliminary research results of the interdisciplinary research project SECOHealth, an ongoing collaboration between research teams of Polytechnique Montreal (Canada), the University of Mons (Belgium) and Laval University (Canada). SECOHealth aims to contribute to research and practice in software engineering by delivering a validated interdisciplinary scientific methodology and a catalog of guidelines and recommendation tools for improving software ecosystem health.
AWS live hack: Docker + Snyk Container on AWS (Eric Smalling)
Slides from session 3 of the Snyk AWS live hack series
Dec 15, 2021 with Eric Smalling, Dev Advocate at Snyk, and Peter McKee, Head of Dev Relations & Community at Docker.
With open source software being used these days in enterprises both large and small, the path to faster code is clear. But you need to weigh open source adoption against the risks. In embedded software, risk can equate to late releases, over-budget projects, and in some cases, casualties to life and limb. It’s a classic risk versus reward scenario. Are you confident your embedded developers know how to estimate the risks? In this presentation, Rod Cope discusses the most effective uses of open source software, how to avoid license risk, and how to reduce critical safety and security issues. Those involved in developing embedded software will gain the right understanding, be able to ask the right questions, and leverage OSS to gain the most while risking the least.
Adversary Driven Defense in the Real World (James Wickett)
Talk by Shannon Lietz and James Wickett at DevOps Enterprise Summit 2018, Las Vegas.
Talk covers finding real world adversaries and balancing your effort and defenses to adjust for them.
Black Clouds and Silver Linings in Node.js Security - Liran Tal Snyk OWASP Gl... (Liran Tal)
With a great ecosystem, comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how to mitigate them to build secure JavaScript and Node.js applications.
The Internet industry is undergoing a fundamental change as it transitions from IPv4 to IPv6. These slides are from the June 2011 webcast which provided an overview of IPv6 Threats, recommendations on how to stay protected during the transition to IPv6 as well as information on what Commtouch is doing to ensure its solutions are IPv6 compliant.
The webcast features Commtouch security experts Asaf Greiner and Gabriel M. Mizrahi. You can view the webcast on the Commtouch Slideshare page.
Web Application Security Testing: Kali Linux Is the Way to Go (Gene Gotimer)
Many free security testing tools are available, but finding ones that meet your needs and work in your environment can involve substantial time and effort. Especially when you are just starting out with security testing, finding reputable tools that do what you need is not easy. And installing them correctly just to evaluate them can be prohibitively time consuming. Kali Linux is a free Linux distribution with hundreds of security testing and auditing tools installed. Gene Gotimer gives an overview of Kali Linux, ways to effectively use it, and a survey of the tools available. Although Kali Linux is primarily intended for professional penetration testers, it provides great convenience and value to developers and software testers who may be getting started in security testing. Gene demonstrates some of the simplest tools to help jumpstart your web application security testing practices.
On the health of the npm packaging ecosystem (Tom Mens)
Presentation at DrupalCamp 2018 (Ghent) by Tom Mens (University of Mons) about lessons learned and guidelines based on a historical empirical analysis of the npm JavaScript packaging ecosystem, and the impact of technical problems in its package dependency network. This work is part of the SECOHealth and SECO-ASSIST research projects, co-financed by the FNRS-FRS.
Comparing dependency issues across software package distributions (FOSDEM 2020) (Tom Mens)
This talk reports on our findings based on multiple empirical studies that we have conducted to understand different aspects of dependency management and their practical implications. This includes:
* the outdatedness of package dependencies, the transitive impact of such "technical lag", and its relation to the presence of bugs and security vulnerabilities.
* the impact of using either more permissive or more restrictive version constraints on dependencies.
* the virtues and limitations of complying with semantic versioning, a common policy to inform dependents whether new releases of software packages introduce possibly backward incompatible changes.
* the impact of specific characteristics, policies and tools used by the packaging ecosystem and its supporting community on all of the above.
The contents of the talk are primarily based on the following peer-reviewed scientific articles:
* What do package dependencies tell us about semantic versioning? Alexandre Decan, Tom Mens. IEEE Transactions on Software Engineering, 2019. https://doi.org/10.1109/TSE.2019.2918315
* An empirical comparison of dependency network evolution in seven software packaging ecosystems. Alexandre Decan, Tom Mens, Philippe Grosjean. Empirical Software Engineering 24(1):381-416, 2019. https://doi.org/10.1007/s10664-017-9589-y
* A formal framework for measuring technical lag in component repositories and its application to npm. Ahmed Zerouali, Tom Mens, Jesus Gonzalez‐Barahona, Alexandre Decan, Eleni Constantinou, Gregorio Robles. Journal of Software: Evolution and Process 31(8), 2019. https://doi.org/10.1002/smr.2157
* On the Impact of Security Vulnerabilities in the npm Package Dependency Network. Alexandre Decan, Tom Mens, Eleni Constantinou. International Conference on Mining Software Repositories, 2018. https://doi.org/10.1145/3196398.3196401
* On the Evolution of Technical Lag in the npm Package Dependency Network. Alexandre Decan, Tom Mens, Eleni Constantinou. International Conference on Software Maintenance and Evolution, 2018. https://doi.org/10.1109/ICSME.2018.00050
Empirically Analysing the Socio-Technical Health of Software Package Managers (Tom Mens)
Invited presentation at Concordia University (Montreal, Canada) by Eleni Constantinou and Tom Mens on recent research about the socio-technical health issues in software package management ecosystems.
Abstract: The large majority of today’s software relies on open source software components. Such components are typically distributed through package managers for a wide variety of programming languages, and developed and maintained through online distributed software development services like GitHub. Software component repositories are perceived as software ecosystems that constitute complex and evolving socio-technical software dependency networks. Because of their complexity and evolution, these ecosystems tend to suffer from a wide variety of software health issues that can be either technical or social in nature. Examples of such issues include ecosystem fragility due to exponential growth and transitive dependencies; the abundance of outdated, unmaintained or obsolete software components; the prolonged presence of unfixed bugs and security vulnerabilities; the abandonment or high turnover of key contributors; suboptimal collaboration between contributors; and many more. This presentation will report on our past and ongoing empirical research that studies such health factors within and across different software packaging ecosystems (such as npm, RubyGems, Cargo, CRAN, CPAN). We provide empirical evidence of some of the health problems, compare their presence across different ecosystems, and suggest ways to reduce their potential impact by providing concrete guidelines and tools. The presented research is being conducted by researchers of the Software Engineering Lab at the University of Mons in the context of two ongoing projects, SECOHealth and SECO-ASSIST, aiming to analyse and improve the health of software ecosystems.
Fasten Industry Meeting with GitHub about Dependency Management (Fasten Project)
Georgios Gousios, Professor at the TUDelft Software Engineering Research Group and Scientific Coordinator of the FASTEN Project, offered this Dependency Management synthesis to 30 GitHub professionals, including remote attendees, on April 17, 2019, before discussing potential collaborations. More: https://www.fasten-project.eu/view/Events/
On the evolution of technical lag in the npm package dependency network (econst)
Presentation slides of ICSME 2018 article, co-authored by Alexandre Decan, Tom Mens and Eleni Constantinou from University of Mons, Belgium. Research carried out as part of the SECOHealth and SECO-ASSIST research projects. Abstract: Software packages developed and distributed through package managers extensively depend on other packages. These dependencies are regularly updated, for example to add new features, resolve bugs or fix security issues. In order to take full advantage of the benefits of this type of reuse, developers should keep their dependencies up to date by relying on the latest releases. In practice, however, this is not always possible, and packages lag behind with respect to the latest version of their dependencies. This phenomenon is described as technical lag in the literature. In this paper, we perform an empirical study of technical lag in the npm dependency network by investigating its evolution for over 1.4M releases of 120K packages and 8M dependencies between these releases. We explore how technical lag increases over time, taking into account the release type and the use of package dependency constraints. We also discuss how technical lag can be reduced by relying on the semantic versioning policy.
How to increase the technical health of your software? (Tom Mens)
Presentation by Prof. Tom Mens (University of Mons) about the relation between internal and external technical debt and the technical health of software, with guidelines for increasing that health. This talk was presented at the Business and Technology Club of the Infopole Cluster TIC in Gosselies (Belgium) on 19 February 2019. The ideas presented are partly based on research conducted in the context of the FNRS-FWO co-financed "Excellence of Science" Research Project SECO-ASSIST (http://secoassist.github.io).
An Empirical Analysis of Technical Lag in npm Package Dependencies (Ahmed Zerouali)
Software library packages are constantly evolving and increasing in number. Not updating to the latest available release of dependent libraries may negatively affect software development by not benefiting from new functionality, vulnerability and bug fixes available in more recent versions. On the other hand, automatically updating to the latest release may introduce incompatibility issues. We introduce a technical lag metric for dependencies in package networks, in order to assess how outdated a software package is compared to the latest available releases of its dependencies. We empirically analyse the package update practices and technical lag for the npm distribution of JavaScript packages. Our results show a strong presence of technical lag caused by the specific use of dependency constraints, indicating a reluctance to update dependencies to avoid backward incompatible changes.
On the evolution of technical lag in the npm package dependency network (Tom Mens)
Presentation at the International Conference on Software Maintenance and Evolution (ICSME2018), Madrid, Spain, 28 September 2018. Joint research by Alexandre Decan, Eleni Constantinou, Tom Mens at the Software Engineering Lab of the University of Mons. Research conducted in the context of the SECOHealth and SECO-ASSIST research projects (https://secohealth.github.io, https://secoassist.github.io)
We empirically analyse the context of technical lag in the JavaScript npm package dependency network to assess to which extent npm software packages and their dependencies are outdated.
[Context:] Technical leverage is the ratio between dependencies (other people's code) and the own code of a software package. It has been shown to be useful to characterize the Java ecosystem, and there are also studies on the NPM ecosystem available. [Objective:] By using this metric we aim to analyze the Python ecosystem, how it evolves, and how secure it is, as a developer would perceive it when deciding to adopt or update (or not) a library. [Method:] We collected a dataset of the top 600 Python packages (corresponding to 21,205 versions) and used a number of innovative approaches for its analysis, including the use of a two-part statistical model to deal with excess zeros and a mathematical closed formulation to estimate vulnerabilities that we confirm with bootstrapping on the actual dataset. [Results:] Small Python package versions have a median technical leverage of 6.9x their own code, while bigger package versions rely on dependency code a tenth the size of their own (median leverage of 0.1). In terms of evolution, Python packages tend to have stable technical leverage throughout their evolution (once highly leveraged, always leveraged). On security, the chance of getting a safe package version when choosing a package is actually better than previous research has shown based on the ratio of safe package versions in the ecosystem. [Conclusions:] Python packages ship a lot of other people's code and tend to keep doing so. However, developers will have a good chance to choose a safe package version.
Socio-Technical Empirical Comparison of Software Package Ecosystems (Tom Mens)
Keynote presentation by Tom Mens during 3rd Madrilenian Seminar on Empirical Software Engineering (URJC, Madrid, Spain, 31 October 2017). We report on ongoing and published empirical research on socio-technical analysis of software ecosystem health issues. This work is part of the interuniversity research project SECOHealth (www.secohealth.org).
The presentation was
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve... (Tom Mens)
Presentation by Tom Mens of joint work with Alexandre Decan (University of Mons) at the SATTOSE 2017 research seminar in Madrid (7 June 2017).
Abstract: We carry out a quantitative empirical comparison of the macro-level evolution of software packaging ecosystems for a multitude of different programming languages. We report on the most important observed differences and commonalities in the evolution of their package dependency networks. We hypothesise that the observed commonalities emerge due to the ecosystem scale and complexity. Inspired by Lehman’s laws of software evolution, we seek evidence for a series of empirically observable “laws of software ecosystem evolution”.
DEVOPS & THE DEATH AND REBIRTH OF CHILDHOOD INNOCENCE (DrupalCamp Kyiv)
Remember when the internet was pure and unspoiled? In our innocence we saw the promise of renewal of the world through connecting, sharing, and creating online. We became developers and hackers because we wanted to understand how things work, to take them apart, and build quirky (and sometimes useful) things just for the pleasure of it.
In the earliest decades of the Internet Epoch the Internet was a playground. We happily coded directly on production systems. And it was fine, as many Great Things were created. But the Internet has matured, and has now become Big Business. Developers have matured too, and good thing they did! So many people now rely on what we’ve built, for security, for privacy, for the paycheck at the end of the month. We matter.
Maturity has come at a price though, and deploying well tested code into complex applications with polyglot teams working with heterogeneous stacks, all while maintaining compliance with GDPR, HIPAA, PCI, etc. has taken all of the childhood innocence out of the web. Now even the simplest website seems like Hard Work.
In this talk I will show how we can, and should, regain our joyful demeanor, and how we can use the maturity of the most innovative tools around us to start hacking like crazy again, without regressing on agility, testing, compliance, scalability or robustness. I use the metaphor of childhood innocence to explain how the complexity of modern cloud computing, in combination with increasing quality expectations and compliance requirements, has curtailed the creative freedom of developers and, as a whole, organisational motivation.
Together with a lack of resources and idea time, this leads to lower and slower product innovation. We are, however, at the brink of a paradigm shift in cloud computing that will give developers and hackers their mojo again. This talk will zoom into the key elements of this paradigm shift, and provide an overview of the basic concepts and operational practices of the new age of developer innocence.
https://drupalcampkyiv.org/node/81
Measuring Technical Lag in Software Deployments (CHAOSScon 2020) (Tom Mens)
Presentation at CHAOSSCon Europe 2020 about the generic technical lag software measurement framework. Technical lag measures the increasing difference between deployed software components and the ideal upstream software components.
For more information, see https://doi.org/10.1002/smr.2157
This presentation was given at the BENEVOL 2019 workshop in Brussels.
Abstract:
Reusable Open Source Software (OSS) components for major programming languages are available in package repositories. Developers rely on package management tools to automate deployments, specifying which package releases satisfy the needs of their applications. However, these specifications may lead to deploying package releases that are outdated or otherwise undesirable because they do not include bug fixes, security fixes, or new functionality. In contrast, automatically updating to a more recent release may introduce incompatibility issues. To capture this delicate balance, we formalise a generic framework of technical lag, a concept that quantifies to which extent a deployed collection of components is outdated with respect to the ideal deployment. The framework can be used to assess and reduce the outdatedness, vulnerability and bugginess of software deployments, software projects, software containers and reusable software libraries. We argue that such a metric is very relevant for assessing the health of software (eco)systems, and should be used.
Enhancing Developer Productivity with Code Forensics (TechWell)
Imagine an engineering system that could evaluate developer performance, recognize rushed check-ins, and use that data to speed up development. “Congratulations Jane. You know this code well. No check-in test gate for you.” Anthony Voellm shares how behavioral analysis and developer assessments can be applied to improve productivity. This approach was motivated by today's test systems, tools, and processes that are all designed around the premise that “all developers are created equal.” Studies have shown developer error rates can vary widely and have a number of root causes—the mindset of the developer at the time the code was written, experience level, amount of code in a check-in, complexity of the code, and much more. With Digital Code Forensics, a set of metrics that can evaluate developers, Anthony demonstrates how even modest applications of this approach can speed up development. Discover and use the cutting edge of engineering productivity.
On the topology of package dependency networks: A comparison of programming l... (Tom Mens)
This presentation is joint work by Alexandre Decan, Tom Mens and Maelick Claes (Software Engineering Lab, COMPLEXYS research institute, University of Mons). It was presented by Maelick during the International Workshop on Software Ecosystem Architectures (WEA 2016) in Copenhagen, on 29 November 2016.
Abstract of the accompanying paper (DOI 10.1145/1235):
Package-based software ecosystems are composed of thousands of interdependent software packages. Many empirical studies have focused on software packages belonging to a single software ecosystem, and suggest to generalise the results to more ecosystems. We claim that such a generalisation is not always possible, because the technical structure of software ecosystems can be very different, even if these ecosystems belong to the same domain. We confirm this claim through a study of three big and popular package-based programming language ecosystems: R’s CRAN archive network, Python’s PyPI distribution, and JavaScript’s NPM package manager. We study and compare the structure of their package dependency graphs and reveal some important differences that may make it difficult to generalise the findings of one ecosystem to another one.
A follow-up on this work can be found in the SANER 2017 paper by the same authors, entitled "An Empirical Comparison of Dependency Issues in OSS Packaging Ecosystems".
Similar to On the fragility of open source software packaging ecosystems (20)
Keynote talk targeted to PhD students, during the BENEVOL 2023 research seminar (focused on software evolution) in Nijmegen, 27 November 2023, by Tom Mens (full professor in software engineering at University of Mons, Belgium). The keynote aims to provide tips, tricks and practical advice on how to become successful as a PhD student.
Recognising bot activity in collaborative software development (Tom Mens)
Presentation by Natarajan Chidambaram during the International ICSE Workshop on Bots in Software Engineering (BotSE 2023) in Australia. Joint work with Mehdi Golzadeh, Tom Mens, Alexandre Decan of the Software Engineering Lab of the University of Mons and with Eleni Constantinou.
A Dataset of Bot and Human Activities in GitHub (Tom Mens)
Presentation at the IEEE International Conference on Mining Software Repositories (MSR 2023) by Natarajan Chidambaram (Software Engineering Lab, University of Mons, Belgium) of a dataset of bot and human activities extracted from GitHub.
In this presentation we explore how the CI/CD landscape on GitHub has evolved since the introduction of GitHub Actions. This presentation is based on several peer-reviewed articles published in 2022 and 2023.
Nurturing the Software Ecosystems of the Future (Tom Mens)
In January 2018, four Software Engineering research groups located in different Belgian Universities launched a five year research project to nurture the software ecosystems of the future. We assembled a diverse team of about a dozen researchers and embarked on an exciting journey leading to a rich and diverse suite of papers, tools and datasets. Halfway into the project the corona pandemic intervened, but despite several months of lockdown, we succeeded in increasing inter-university collaboration. In this paper we share our achievements so that the BENEVOL community may benefit from our experience.
How to program a robot in 30 minutes? (Tom Mens)
How to learn to program a robot in 30 minutes? Workshop organised by Tom Mens (in collaboration with Pierre Zielinski, Gauvain Devillez and Sebastien Bonte) during the Journées Math-Sciences of the Printemps des Sciences 2022 at the Université de Mons.
On the rise and fall of CI services in GitHub (Tom Mens)
Presentation of SANER 2022 conference article "On the rise and fall of CI services in GitHub" by Mehdi Golzadeh (co-authored with Alexandre Decan and Tom Mens).
Evaluating a bot detection model on git commit messages (Tom Mens)
Detecting the presence of bots in distributed software development activity is very important in order to prevent bias in socio-technical empirical studies. In previous work, we proposed a classification model to detect bots in GitHub repositories based on the pull request and issue comments of GitHub accounts. The current study generalises the approach to git contributors based on their commit messages. We train and evaluate the classification model on a large dataset of 6,922 git contributors. The original model based on pull request and issue comments obtained a precision of 0.77 on this dataset, whereas retraining the classification model on git commit messages increased the precision to 0.80. As a proof-of-concept, we implemented this model in BoDeGiC, an open source command-line tool to detect bots in git repositories.
Bot or not? Detecting bots in GitHub pull request activity based on comment s... (Tom Mens)
Presentation by Mehdi Golzadeh (Software Engineering Lab, University of Mons) of an article published at the 2nd International ICSE Workshop on Bots In Software Engineering (BotSE). See https://doi.org/10.1145/3387940.3391503
Abstract: Many empirical studies focus on socio-technical activity in social coding platforms such as GitHub, for example to study the onboarding, abandonment, productivity and collaboration among team members. Such studies face the difficulty that GitHub activity can also be generated automatically by bots of a different nature. It therefore becomes imperative to distinguish such bots from human users. We propose an automated approach to detect bots in GitHub pull request activity. Relying on the assumption that bots contain repetitive message patterns in their pull request comments, we analyse the similarity between multiple messages from the same GitHub identity, using a clustering method that combines the Jaccard and Levenshtein distance. We empirically evaluate our approach by analysing 20,090 comments of 250 users and 42 bots in 1,262 GitHub repositories. Our results show that the method is able to clearly separate bots from human users.
This presentation reports on the research results achieved in the context of the interuniversity interdisciplinary research project SECOHealth "Vers une méthodologie et analyse socio-technique interdisciplinaire de la santé des écosystèmes logiciels" co-financed by FRS-FNRS Belgium and FRQ (FRSC - FRNT, Québec) with principal investigators Tom Mens (UMONS), Bram Adams (Polytechnique Montréal) and Josianne Marsan (Université Laval).
Introduction to the research seminar on empirical analysis of open source software ecosystems, organised by the SECO-ASSIST "excellence of science" research project, on September 4th, 2019 at the University of Mons, Belgium. With invited presentations by Alexander Serebrenik, Jesus Gonzalez-Barahona, Dario Di Nucci and Henrique Nucci. The seminar concludes with the public PhD defense of Ahmed Zerouali (supervised by Tom Mens) on the topic of "A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems"
ConPan: Analysing Packages Installed in Docker Containers (Tom Mens)
Demonstration of the ConPan tool for analysing outdated packages and their security vulnerabilities in Docker containers. Developed by Ahmed Zerouali, Software Engineering Lab, University of Mons. In collaboration with Universidad Rey Juan Carlos and Bitergia, Madrid, Spain. Presented by Tom Mens at the MSR 2019 International Conference on Mining Software Repositories, May 2019, Montréal, Canada.
On the diversity of software popularity metrics: An empirical study of npm (Tom Mens)
Presentation by Prof. Tom Mens (University of Mons) of an ERA-track paper at SANER 2019, the International Conference on Software Analysis, Evolution and Reengineering (Hangzhou, China, February 2019).
Abstract: Software systems often leverage open source software libraries to reuse functionality. Such libraries are readily available through software package managers like npm for JavaScript. Due to the huge number of packages available in such package distributions, developers often decide to rely on or contribute to a software package based on its popularity. Moreover, it is a common practice for researchers to depend on popularity metrics for data sampling and for choosing the right candidates for their studies. However, the meaning of popularity is relative and can be defined and measured in a diversity of ways that might produce different outcomes even when considered for the same studies. In this paper, we show evidence of how different the meaning of popularity is in software engineering research. Moreover, we empirically analyse the relationship between different software popularity measures. As a case study, for a large dataset of 175k npm packages, we computed and extracted 9 different popularity metrics from three open source tracking systems: libraries.io, npmjs.com and GitHub. We found that popularity can indeed be measured with different, unrelated metrics, and that each metric can be defined within a specific context. This indicates a need for a generic framework that would use a portfolio of popularity metrics drawing from different concepts.
Acknowledgments: This work was partially supported by the EU Research FP (H2020-MSCA-ITN-2014-642954, Seneca), the Spanish Government (TIN2014-59400-R, SobreVision), the Excellence of Science Project SECO-Assist (O015718F, FWO - Vlaanderen and F.R.S.-FNRS).
"Software Ecosystem Health" lightning talk (Tom Mens)
A 5-minute lightning talk at CHAOSSCon Europe (Brussels, 1 February 2019), presenting our recent activities around software ecosystem health, as part of the SECOHealth (secohealth.github.io) and SECO-ASSIST (secoassist.github.io) collaborative research projects.
On the impact of security vulnerabilities in the npm package dependency network (Tom Mens)
Presentation slides of the MSR 2018 article, co-authored by Alexandre Decan, Tom Mens and Eleni Constantinou from the University of Mons, Belgium. Research carried out as part of the SECOHealth and SECO-ASSIST research projects. Abstract: Security vulnerabilities are among the most pressing problems in open source software package libraries. It may take a long time to discover and fix vulnerabilities in packages. In addition, vulnerabilities may propagate to dependent packages, making them vulnerable too. This paper presents an empirical study of nearly 400 security reports over a 6-year period in the npm dependency network containing over 610k JavaScript packages. Taking into account the severity of vulnerabilities, we analyse how and when these vulnerabilities are discovered and fixed, and to which extent they affect other packages in the packaging ecosystem in the presence of dependency constraints. We report our findings and provide guidelines for package maintainers and tool developers to improve the process of dealing with security issues.
SoHeal 2018 Welcome Slides: First International Workshop on Software Health (Tom Mens)
These slides introduce the First International Workshop on Software Health (SoHeal 2018), co-located with the International Conference on Software Engineering (ICSE 2018) in Gothenburg, Denmark. Co-organisers are Bram Adams, Tom Mens, Eleni Constantinou and Gregorio Robles. See https://soheal.github.io for the workshop details.
Big Data Analytics of Software Ecosystem Health: Presentation during INFORTECH Scientific Day (23 May 2018) by Professor Tom Mens. The talk reports on ongoing research of the Software Engineering Lab of the University of Mons (UMONS) on health aspects of evolving software ecosystems. This research was conducted in collaboration with postdoctoral researchers Alexandre Decan and Eleni Constantinou, as well as the external partners of two ongoing research projects: SECOHealth (https://secohealth.github.io) and the Excellence of Science research project SECO-ASSIST (https://secoassist.github.io).
The health of open source software ecosystems (Tom Mens)
In this presentation I talk about the ongoing research of the Software Engineering Lab (Department of Computer Science, Faculty of Sciences) of the University of Mons (Belgium) on the evolution and health of software ecosystems, in the context of two inter-university research projects: SECOHealth (2017-2019) and the Excellence of Science project SECO-ASSIST (2018-2021). These projects are carried out in partnership with other universities in Québec (Canada) and Belgium.
Toxic effects of heavy metals: Lead and Arsenic (sanjana502982)
Heavy metals are naturally occurring metallic chemical elements that have relatively high density and are toxic even at low concentrations. All toxic metals are termed heavy metals irrespective of their atomic mass and density, e.g. arsenic, lead, mercury, cadmium, thallium, chromium, etc.
Salas, V. (2024) "John of St. Thomas (Poinsot) on the Science of Sacred Theol... (Studia Poinsotiana)
I Introduction
II Subalternation and Theology
III Theology and Dogmatic Declarations
IV The Mixed Principles of Theology
V Virtual Revelation: The Unity of Theology
VI Theology as a Natural Science
VII Theology’s Certitude
VIII Conclusion
Notes
Bibliography
All the contents are fully attributable to the author, Doctor Victor Salas. Should you wish to get this text republished, get in touch with the author or the editorial committee of the Studia Poinsotiana. Insofar as possible, we will be happy to broker your contact.
Phenomics assisted breeding in crop improvement (IshaGoswami9)
The world population is increasing and will reach about 9 billion by 2050. Together with climate change, this makes it difficult to meet the food requirements of such a large population. Facing the challenges presented by resource shortages, climate change, and an increasing global population, crop yield and quality need to be improved in a sustainable way over the coming decades. Genetic improvement by breeding is the best way to increase crop productivity. With the rapid progression of functional genomics, an increasing number of crop genomes have been sequenced and dozens of genes influencing key agronomic traits have been identified. However, current genome sequence information has not been adequately exploited for understanding the complex characteristics of multiple genes, owing to a lack of crop phenotypic data. Efficient, automatic, and accurate technologies and platforms that can capture phenotypic data that can be linked to genomic information for crop improvement at all growth stages have become as important as genotyping. Thus, high-throughput phenotyping has become the major bottleneck restricting crop breeding. Plant phenomics has been defined as the high-throughput, accurate acquisition and analysis of multi-dimensional phenotypes during crop growing stages at the organism level, including the cell, tissue, organ, individual plant, plot, and field levels. With the rapid development of novel sensors, imaging technology, and analysis methods, numerous infrastructure platforms have been developed for phenotyping.
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a... (Ana Luísa Pinho)
Functional Magnetic Resonance Imaging (fMRI) provides means to characterize brain activations in response to behavior. However, cognitive neuroscience has been limited to group-level effects referring to the performance of specific tasks. To obtain the functional profile of elementary cognitive mechanisms, the combination of brain responses to many tasks is required. Yet, to date, both structural atlases and parcellation-based activations do not fully account for cognitive function and still present several limitations. Further, they do not adapt overall to individual characteristics. In this talk, I will give an account of deep-behavioral phenotyping strategies, namely data-driven methods in large task-fMRI datasets, to optimize functional brain-data collection and improve inference of effects-of-interest related to mental processes. Key to this approach is the employment of fast multi-functional paradigms rich on features that can be well parametrized and, consequently, facilitate the creation of psycho-physiological constructs to be modelled with imaging data. Particular emphasis will be given to music stimuli when studying high-order cognitive mechanisms, due to their ecological nature and quality to enable complex behavior compounded by discrete entities. I will also discuss how deep-behavioral phenotyping and individualized models applied to neuroimaging data can better account for the subject-specific organization of domain-general cognitive systems in the human brain. Finally, the accumulation of functional brain signatures brings the possibility to clarify relationships among tasks and create a univocal link between brain systems and mental functions through: (1) the development of ontologies proposing an organization of cognitive processes; and (2) brain-network taxonomies describing functional specialization. 
To this end, tools to improve commensurability in cognitive science are necessary, such as public repositories, ontology-based platforms and automated meta-analysis tools. I will thus discuss some brain-atlasing resources currently under development, and their applicability in cognitive as well as clinical neuroscience.
DERIVATION OF MODIFIED BERNOULLI EQUATION WITH VISCOUS EFFECTS AND TERMINAL V... (Wasswaderrick3)
In this book, we use conservation of energy techniques on a fluid element to derive the Modified Bernoulli equation of flow with viscous or friction effects. We derive the general equation of flow/velocity and then from this we derive the Poiseuille flow equation, the transition flow equation and the turbulent flow equation. In situations where there are no viscous effects, the equation reduces to the Bernoulli equation. From experimental results, we are able to include other terms in the Bernoulli equation. We also look at cases where pressure gradients exist. We use the Modified Bernoulli equation to derive equations of flow rate for pipes of different cross-sectional areas connected together. We also extend our techniques of energy conservation to a sphere falling in a viscous medium under the effect of gravity. We demonstrate the Stokes equation of terminal velocity and the turbulent flow equation. We look at a way of calculating the time taken for a body to fall in a viscous medium. We also look at the general equation of terminal velocity.
Seminar on U.V. Spectroscopy by SAMIR PANDA (SAMIR PANDA)
Spectroscopy is a branch of science dealing with the study of the interaction of electromagnetic radiation with matter.
Ultraviolet-visible spectroscopy refers to absorption spectroscopy or reflectance spectroscopy in the UV-VIS spectral region.
Ultraviolet-visible spectroscopy is an analytical method that can measure the amount of light absorbed by the analyte.
On the fragility of open source software packaging ecosystems
1. Tom Mens
Software Engineering Lab
Faculty of Sciences
tom.mens@umons.ac.be
@tom_mens
On the fragility of open source
software packaging ecosystems
2. Directed by Tom Mens
Department of Computer Science
Faculty of Sciences
tom.mens@umons.ac.be
http://informatique.umons.ac.be
Software Engineering Lab
6. What is a software packaging ecosystem?
A collection of interdependent software packages that are
developed and distributed by a large community of software
developers
• Distributed development, e.g., through git
• Social coding, e.g., through GitHub
• Package distribution through dedicated package managers
• Ecosystem-specific versioning and release policies
7. Packaging ecosystems can be for a specific operating system
OS        Package manager
macOS     MacPorts, Homebrew
Linux     dpkg, apt, RPM, pacman
Windows   winget, Windows Store, Chocolatey
Android   Play Store
iOS       App Store
ROS       rospkg
8. Packaging ecosystems can be for a specific programming language
Language     Package manager   #packages
JavaScript   npm               >1.4M
PHP          Packagist         >0.33M
Python       PyPI              >0.26K
.NET         NuGet             >0.22M
Java         Maven             >0.19K
Ruby         RubyGems          >0.16M
Also: Cargo (Rust), CPAN (Perl), CRAN (R), NuGet (.NET), Hackage (Haskell), …
9. Packaging ecosystems can be for a specific (open source) project / community
Project     #packages
Eclipse     >40M
Wordpress   >67K
Atom        >13K
Emacs       >5K
…
10. Libraries.io monitors 7,387,590 open source packages
across 37 different package managers
https://libraries.io (20 May 2020)
11. Why are packaging ecosystems fragile?
• Rapid ecosystem evolution and growth
• Bugs
• Security vulnerabilities
• Backward incompatibilities
• Abandoned or unmaintained packages
• Deprecated packages
• Incompatible or prohibited licences
• Suboptimal release and update policies
• Insufficient social diversity
• Social conflicts
• …
13. Dependency Hell
Dependency issues
• Too many direct and transitive dependencies
• Broken dependencies due to backward incompatibilities
• Co-installability problems
• Incompatible licences
• Deprecated dependencies
“Technical lag” due to outdated dependencies
24. Research Questions Raised
For maintainers of dependent packages:
• (When) should I upgrade the version of my dependency?
• How to manage/avoid explosive growth of dependencies?
• How to avoid depending on fragile packages?
• How to deal with breaking changes?
• How to decide which (alternative) package to depend upon?
• How to migrate to alternative packages?
25. Research Questions Raised
For maintainers of required packages:
• How to assess impact through transitive dependents?
• E.g. propagation of security vulnerabilities and their fixes
• How to inform dependents of bugs and security vulnerabilities?
• When and how to release backward incompatible changes?
• When and how to decide to deprecate a package (release)?
• When to declare a package as being stable?
• How to attract contributors and avoid abandonment?
26. Research Questions Raised
For ecosystem managers:
• How to identify fragile packages?
• Which of those fragile packages have a high ecosystem-wide impact?
• How to compare fragility between ecosystems?
• How to reduce fragility over time?
27. Characterising the evolution of software packaging ecosystems
Observation: Fast package dependency network growth in two years
Packaging ecosystem   #packages (2018-01)   #packages (2020-01)   % growth   #deps (2018-01)   #deps (2020-01)   % growth
npm                   630K                  1.218K                93%        19.0M             48.7M             156%
RubyGems              141K                  180K                  28%        1.92M             2.40M             25%
Packagist             121K                  155K                  28%        2.17M             4.73M             118%
Cargo                 13K                   35K                   169%       257K              796K              210%
28. Characterising the evolution of software packaging ecosystems
830K packages – 5.8M package versions – 20.5M dependencies (April 2017)
An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems. A Decan, T. Mens, Ph. Grosjean (2019) Empirical Software Engineering 24(1)
29. Fast growth
Package dependency networks grow exponentially in terms of number of packages and/or dependencies
Fastest growth for npm
Slowest growth for CRAN
30. Continuing change
• Number of package updates grows over time
• >50% of package releases are updated within 2 months
• Required and young packages are updated more frequently
[Figure: number of package updates per year (log scale), 2012-2017, for cargo, cpan, cran, npm, nuget, packagist and rubygems]
Fastest growth for npm
Slowest growth for CRAN
31. Increasingly connected
• Highly connected network, containing 60% to 80% of all packages
• Pareto principle: A stable minority (20%) of required packages collect over 80% of all reverse dependencies
Reusability index: Maximal value n such that there exist n required packages having at least n dependent packages.
[Figure: per-ecosystem curves over 2012-2017 (y-axis 0 to 400) for cargo, cpan, cran, npm, nuget, packagist and rubygems]
Fastest growth for npm
32. Ecosystem fragility due to transitive dependencies
March 2016 (npm): Unexpected removal of left-pad caused > 2% of all packages (> 5,400 packages) to become uninstallable
November 2010 (RubyGems): Release 0.5.0 of i18n broke dependent package ActiveRecord, which was transitively required by > 5% of all packages
33. Many deep transitive dependencies
• Fragile packages may have a very high transitive impact
• Over 50% of top-level packages have a deep dependency graph
[Figure: number of packages that are transitively required by at least 5% of all packages, 2012-2017, for cargo, cpan, cran, npm, nuget, packagist and rubygems]
[Figure: transitive dependency depth of top-level packages (1, 2, 3, 4, 5, 6+), as a proportion of top-level packages, per ecosystem]
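The network measures behind slides 31 to 33 (transitive dependents of a package and their share of the ecosystem, packages required by at least 5% of all packages, transitive dependency depth of top-level packages, and the reusability index), computed over a small constructed dependency graph. This is an added example, not code from the talk, the paper or the SECO-ASSIST project. Package names are invented; the slide does not say whether the reusability index counts direct or transitive dependents, so the function takes that as a parameter and defaults to direct reverse dependencies.

```python
from collections import deque

# Constructed dependency graph (an assumption for this example): package ->
# direct dependencies. "tiny-pad" plays the role of left-pad: almost nothing
# depends on it directly, yet most of the ecosystem reaches it transitively.
GRAPH = {
    "tiny-pad": [],
    "strings": ["tiny-pad"],
    "http-core": ["strings"],
    "web-framework": ["http-core", "strings"],
    "cli-tool": ["strings"],
    "app-a": ["web-framework"],
    "app-b": ["web-framework", "cli-tool"],
    "app-c": ["cli-tool"],
    "isolated": [],
}


def reverse_graph(graph):
    """package -> set of packages that directly depend on it."""
    rev = {p: set() for p in graph}
    for pkg, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def transitive_dependents(graph, pkg):
    """Every package that directly or transitively requires pkg (BFS over the
    reverse graph). The visited set keeps dependency cycles from looping."""
    rev = reverse_graph(graph)
    seen, queue = set(), deque([pkg])
    while queue:
        for dependent in rev.get(queue.popleft(), ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def impact(graph, pkg):
    """Share of all packages that would break if pkg disappeared (slide 32)."""
    return len(transitive_dependents(graph, pkg)) / len(graph)


def high_impact_packages(graph, threshold=0.05):
    """Packages transitively required by at least `threshold` of all packages
    (the quantity plotted on slide 33)."""
    return sorted(p for p in graph if impact(graph, p) >= threshold)


def dependency_depth(graph, pkg):
    """Longest chain of transitive dependencies below pkg, 0 for a leaf.
    Raises ValueError on a cycle, which would make the depth unbounded."""
    memo = {}

    def depth(p, stack):
        if p in memo:
            return memo[p]
        if p in stack:
            raise ValueError(f"dependency cycle through {p!r}")
        stack.add(p)
        deps = graph.get(p, [])
        memo[p] = 1 + max(depth(q, stack) for q in deps) if deps else 0
        stack.discard(p)
        return memo[p]

    return depth(pkg, set())


def top_level_packages(graph):
    """Packages that nobody depends on (slide 33's 'top-level' packages)."""
    rev = reverse_graph(graph)
    return sorted(p for p in graph if not rev[p])


def depth_distribution(graph):
    """Proportion of top-level packages per transitive dependency depth,
    bucketed 1..5 and '6+' like the histogram on slide 33 (top-level packages
    with no dependencies at all are left out)."""
    tops = [p for p in top_level_packages(graph) if graph.get(p)]
    if not tops:
        return {}
    counts = {}
    for p in tops:
        d = dependency_depth(graph, p)
        key = "6+" if d >= 6 else str(d)
        counts[key] = counts.get(key, 0) + 1
    return {k: n / len(tops) for k, n in sorted(counts.items())}


def reusability_index(graph, transitive=False):
    """Maximal n such that n required packages each have at least n dependent
    packages (slide 31). Assumption: the slide does not say whether dependents
    are counted directly or transitively, so both are offered."""
    rev = reverse_graph(graph)
    counts = sorted(
        (len(transitive_dependents(graph, p)) if transitive else len(rev[p]) for p in graph),
        reverse=True,
    )
    index = 0
    for rank, count in enumerate(counts, start=1):
        if count >= rank:
            index = rank
    return index


if __name__ == "__main__":
    print("impact of tiny-pad:", round(impact(GRAPH, "tiny-pad"), 2))
    print("required by >= 5% of packages:", high_impact_packages(GRAPH))
    print("depth of top-level packages:", depth_distribution(GRAPH))
    print("reusability index:", reusability_index(GRAPH))
```

On this toy graph, removing tiny-pad breaks 7 of 9 packages although only one package depends on it directly; that gap between direct and transitive reach is exactly why impact has to be computed over transitive dependents. The cycle check in dependency_depth matters on real data: npm and other ecosystems do contain dependency cycles, and a naive recursive depth would never terminate on them.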
34. Many outdated dependencies
Should package maintainers upgrade their
dependencies to more recent versions?
😀 Upgrades benefit from bug and security fixes
😀 Upgrading gives access to new features
😢 Upgrading requires effort
😢 Upgrading may introduce breaking changes
35. Measuring Technical Lag
Technical lag measures how outdated a package or dependency is w.r.t. the “ideal” situation, where “ideal” = “most recent”; “most secure”; “least bugs”; “most stable”; “most compatible”; …
A formal framework for measuring technical lag in component repositories – and its application to npm. A Zerouali, T Mens, et al. (2019) J. Software Evolution and Process
Technical lag in software compilations: Measuring how outdated a software deployment is. J Gonzalez-Barahona, P Sherwood, G Robles, D Izquierdo (2017) IFIP International Conference on Open Source Systems. Springer
36. Technical Lag - Example
Time-based measurement of technical lag (ideal = most recent release; delta = time difference)
Upstream package releases: 1.0.1, 1.1.0, 1.2.0, 2.0.0, 2.0.1
Deployed package: 1.1.0
Time lag = date(2.0.1) - date(1.1.0)
37. Technical Lag - Example
Version-based measurement of technical lag (ideal = highest release; delta = version difference)
Upstream package releases: 1.0.1, 1.1.0, 1.2.0, 2.0.0, 2.0.1
Deployed package: 1.1.0 (same figure as slide 36)
Version lag = 1 major (1.1.0 → 2.0.0) + 1 patch (2.0.0 → 2.0.1)
38. Technical Lag - Example
Vulnerability-based measurement of technical lag (ideal = least vulnerable release; delta = #vulnerabilities)
Upstream package releases: 1.0.1, 1.1.0, 1.2.0, 2.0.0, 2.0.1
Deployed package: 1.1.0 (same figure as slide 36)
Security lag = 1 vulnerability fix behind
39. Technical Lag - Example
Bug-based measurement of technical lag (ideal = least known bugs; delta = #known bugs)
Upstream package releases: 1.0.1, 1.1.0, 1.2.0, 2.0.0, 2.0.1
Deployed package: 1.1.0 (same figure as slide 36)
Bug lag = 1 more bug than the most stable version
Dependency needs to be downgraded to be able to use the most stable version…
40. Technical Lag - Example
Bug-based measurement of technical lag (ideal = least known bugs; delta = #known bugs)
Upstream package releases: 1.0.1, 1.1.0, 1.2.0, 2.0.0, 2.0.1
An empirical study of dependency downgrades in the npm ecosystem. F Roseiro Côgo, G Ansaldi Oliva, A E Hassan (2019) IEEE Transactions on Software Engineering
On the evolution of technical lag in the npm package dependency network. A Decan, T Mens, E Constantinou (2018) IEEE Int’l Conf. Software Maintenance and Evolution
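The four measurements of slides 36 to 39 carried through in code, as an added example that is not part of the talk or of the cited framework paper: each function takes a release history and the deployed version and returns the lag against the respective ideal. Only the version timeline 1.0.1 to 2.0.1 comes from the slides; the release dates and the per-release vulnerability and bug counts are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Release:
    version: str      # "major.minor.patch"
    released: date
    vulns: int        # known vulnerabilities still present in this release
    bugs: int         # known open bugs in this release


def semver(version):
    """'1.2.3' -> (1, 2, 3); tuples compare the way semver orders releases."""
    return tuple(int(part) for part in version.split("."))


# Constructed release history following the timeline on slides 36-39
# (1.0.1 .. 2.0.1). Dates and the per-release vulnerability/bug counts are
# assumptions made for this example, not data from the talk.
HISTORY = [
    Release("1.0.1", date(2019, 1, 10), vulns=1, bugs=1),
    Release("1.1.0", date(2019, 3, 5), vulns=1, bugs=2),
    Release("1.2.0", date(2019, 6, 20), vulns=0, bugs=3),
    Release("2.0.0", date(2019, 9, 1), vulns=0, bugs=4),
    Release("2.0.1", date(2019, 11, 15), vulns=0, bugs=2),
]


def find(history, version):
    return next(r for r in history if r.version == version)


def time_lag(history, deployed):
    """Ideal = most recent release; delta = days between the two release dates."""
    newest = max(history, key=lambda r: r.released)
    return (newest.released - find(history, deployed).released).days


def version_lag(history, deployed):
    """Ideal = highest release; delta = (major, minor, patch) gap.
    Components below the first one that differs are taken from the ideal
    release itself, so 1.1.0 -> 2.0.1 is 1 major + 0 minor + 1 patch (slide 37)."""
    cur = semver(deployed)
    top = max(semver(r.version) for r in history)
    if top[0] != cur[0]:
        return (top[0] - cur[0], top[1], top[2])
    if top[1] != cur[1]:
        return (0, top[1] - cur[1], top[2])
    return (0, 0, top[2] - cur[2])


def security_lag(history, deployed):
    """Ideal = least vulnerable release; delta = vulnerabilities the deployed
    release still carries beyond that ideal."""
    least = min(r.vulns for r in history)
    return find(history, deployed).vulns - least


def bug_lag(history, deployed):
    """Ideal = release with the fewest known bugs. Unlike the other measures,
    that release may be OLDER than the deployed one, so closing the gap can
    mean a downgrade (slide 39). Returns (lag, ideal version, needs_downgrade)."""
    ideal = min(history, key=lambda r: (r.bugs, r.released))
    current = find(history, deployed)
    downgrade = semver(ideal.version) < semver(current.version)
    return current.bugs - ideal.bugs, ideal.version, downgrade


def technical_lag_report(history, deployed):
    """All four measurements for one deployed version."""
    return {
        "time_days": time_lag(history, deployed),
        "version": version_lag(history, deployed),
        "security": security_lag(history, deployed),
        "bugs": bug_lag(history, deployed),
    }


if __name__ == "__main__":
    for key, value in technical_lag_report(HISTORY, "1.1.0").items():
        print(f"{key:>10}: {value}")
```

The point of keeping the four functions separate is that they can disagree: for the deployed 1.1.0 in this history the time and version lags both say "upgrade to 2.0.1", the security lag is satisfied by 1.2.0 already, and the bug lag points backwards to 1.0.1. Which one a maintainer should act on is the policy question the slides leave open.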
41. Technical Lag
Do semantic versioning and dependency constraints play a role?
Semantic version number major.minor.patch, e.g. 3.9.2:
• major: breaking changes
• minor: backwards compatible changes
• patch: bug fixes
Dependency constraints range from most permissive to most restrictive.
42. Technical Lag in npm
• 1 out of 3 dependents never update their dependency
• Outdatedness is related to the type of dependency constraint being used: strict constraints represent about 20% of all runtime dependencies, but about 33% of all outdated runtime dependencies
[Figure: constraint types for all runtime dependencies vs. outdated runtime dependencies]
43. Technical Lag in npm
“What if” analysis: By making dependency constraints “semver-compliant”, the proportion of releases suffering from technical lag could be reduced by >17%
44. Semantic versioning
To what extent do software packaging ecosystems enable/adhere to semantic versioning?
What do package dependencies tell us about semantic versioning? A Decan, T Mens (2019) IEEE Transactions on Software Engineering
46. Semantic versioning
Proportion of dependency constraints (for package releases ≥1.0.0) that are semver-compliant, more permissive, or more restrictive (based on January 2018 dataset from libraries.io)
47. Semantic versioning
To what extent do software packaging ecosystems enable/adhere to semantic versioning?
• Cargo, npm and Packagist are mostly semver-compliant.
• All considered ecosystems become more compliant over time.
• More than 16% of the constraints in npm, Packagist and Rubygems are restrictive, preventing automatic adoption of backward compatible upgrades
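The constraint classification of slides 41, 46 and 47 and the “what if” rewrite of slide 43, as an added example that is not code from the talk or from the SECO-ASSIST project: a small npm-style range parser, the compliant/permissive/restrictive classification of a constraint relative to the releases of the required package, and a before/after count of outdated dependencies. Package names, release lists and constraints are constructed for the example. The talk does not say how the what-if analysis was performed; the assumption made here is that only restrictive constraints are rewritten, to the caret form on their current lower bound.

```python
import re

# Constructed data (an assumption for this example, not from the talk): lib-x
# shipped a breaking 2.0.0, lib-y only ever shipped backward compatible releases.
CATALOG = {
    "lib-x": ["1.0.1", "1.1.0", "1.2.0", "2.0.0", "2.0.1"],
    "lib-y": ["1.0.0", "1.1.0", "1.1.1", "1.2.0"],
}
DEPENDENCIES = [  # (required package, constraint declared by the dependent)
    ("lib-x", "1.1.0"),    # pinned
    ("lib-x", "^1.1.0"),   # caret, npm's default
    ("lib-x", ">=1.0.0"),  # admits breaking changes
    ("lib-y", "~1.1.0"),   # tilde, patch updates only
    ("lib-y", "1.1.1"),    # pinned
    ("lib-y", "^1.0.0"),
]

TOKEN = re.compile(r"(\^|~|>=|<=|>|<|=)?v?(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?")
COMPARE = {">=": lambda v, b: v >= b, ">": lambda v, b: v > b,
           "<=": lambda v, b: v <= b, "<": lambda v, b: v < b}


def parse_version(text):
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    return tuple(int(x) for x in m.groups())


def bump(v, part):
    """Next major/minor/patch after v, lower components reset to 0."""
    major, minor, patch = v
    return {"major": (major + 1, 0, 0), "minor": (major, minor + 1, 0),
            "patch": (major, minor, patch + 1)}[part]


def parse_constraint(spec):
    """Compile an npm-style range into a predicate over version tuples.
    Handles '*', '^', '~', exact/'=', wildcards ('1.x', '1.2.x') and the four
    comparators; whitespace-separated tokens are ANDed. '||' and hyphen
    ranges are deliberately not supported and raise."""
    spec = spec.strip()
    if spec in ("", "*", "latest"):
        return lambda v: True
    tests = []
    for token in spec.split():
        m = TOKEN.fullmatch(token)
        if not m:
            raise ValueError(f"unsupported constraint token: {token!r}")
        op, major, minor, patch = m.groups()
        wild_minor, wild_patch = minor in (None, "x", "*"), patch in (None, "x", "*")
        lo = (int(major), 0 if wild_minor else int(minor), 0 if wild_patch else int(patch))
        if op in COMPARE:
            tests.append(lambda v, cmp=COMPARE[op], lo=lo: cmp(v, lo))
            continue
        if op == "^":  # same major; npm narrows 0.y.z to the same minor, 0.0.z to the patch
            part = "major" if lo[0] else "minor" if lo[1] else "patch"
        elif op == "~":  # same minor ('~1' alone means the whole major)
            part = "major" if wild_minor else "minor"
        else:  # exact pin or wildcard
            part = "major" if wild_minor else "minor" if wild_patch else "patch"
        tests.append(lambda v, lo=lo, hi=bump(lo, part): lo <= v < hi)
    return lambda v: all(t(v) for t in tests)


def classify(spec, releases):
    """Slide 46/47 classification for releases >= 1.0.0:
      compliant    accepts every newer release in the lower bound's major, nothing beyond
      permissive   also accepts a higher major, i.e. possibly breaking changes
      restrictive  rejects some newer, backward-compatible release of the same major
    Checked over the real releases plus the next patch/minor/major after the lower
    bound, so '>=1.0.0' is permissive even before any 2.x exists.
    Returns (label, highest release the constraint admits)."""
    ok = parse_constraint(spec)
    versions = [parse_version(r) for r in releases]
    allowed = sorted(v for v in versions if ok(v))
    if not allowed:
        return "unsatisfiable", None
    lo = allowed[0]
    probe = set(versions) | {bump(lo, p) for p in ("patch", "minor", "major")}
    if any(ok(v) for v in probe if v[0] > lo[0]):
        return "permissive", allowed[-1]
    if any(not ok(v) for v in probe if v[0] == lo[0] and v > lo):
        return "restrictive", allowed[-1]
    return "compliant", allowed[-1]


def is_outdated(spec, releases):
    """Outdated as on slide 42: the newest admitted release is not the newest one."""
    _, highest = classify(spec, releases)
    return highest is not None and highest < max(map(parse_version, releases))


def compliant_rewrite(spec, releases):
    """Keep the lower bound, widen to the semver-compliant caret form."""
    ok = parse_constraint(spec)
    lo = min(v for v in map(parse_version, releases) if ok(v))
    return "^" + ".".join(map(str, lo))


def what_if_compliant(deps, catalog):
    """Slide 43's what-if (assumption: only restrictive constraints get rewritten).
    Returns (outdated dependencies before, outdated dependencies after)."""
    before = after = 0
    for package, spec in deps:
        releases = catalog[package]
        before += int(is_outdated(spec, releases))
        if classify(spec, releases)[0] == "restrictive":
            spec = compliant_rewrite(spec, releases)
        after += int(is_outdated(spec, releases))
    return before, after
```

Two things the constructed data makes visible. First, a compliant constraint can still be outdated: `^1.1.0` on lib-x stays on 1.2.0 because 2.0.0 is a breaking release, and no rewrite within semver can change that; only a code change in the dependent can. Second, the probe against the next major is what keeps `>=1.0.0` classified as permissive even when the required package has not yet shipped a 2.x, which is the situation in which such a constraint is most dangerous.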
48. Abandoned packages
• Will continue to increase their lag
• Will not incorporate fixes of bugs or vulnerabilities in their dependencies, even if those fixes exist
How to reduce the risk of abandoned packages?
• By forecasting future commit activity of its contributors
GAP: Forecasting commit activity in git projects. A Decan, E Constantinou, T Mens, H Rocha (2020) Journal on Systems and Software
49. Abandoned packages
Forecasting future commit activity of git contributors
• Based on a probabilistic model of future days of activity
pip install git+https://github.com/AlexandreDecan/gap
50. Conclusion
Packaging ecosystems are affected by “fragile dependency” issues
• Many and deep transitive dependencies
• Fast growth and continuing change
• Outdated or deprecated dependencies
• Breaking changes
• Unmaintained packages
51. Conclusion
Tools and policies can help to mitigate these issues
• Measuring, monitoring and updating fragile dependencies and contributor abandonment
• Supporting semantic versioning
• Supporting transitive dependencies
• Automating selection of and migration to alternative packages