SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python ecosystem lessons learned
[Context:] Technical leverage is the ratio between dependencies (other people's code) and own codes of a software package. It has been shown to be useful to characterize the Java ecosystem and there are also studies on the NPM ecosystem available. [Objective:] By using this metric we aim to analyze the Python ecosystem, how it evolves, and how secure it is, as a developer would perceive it when deciding to adopt or update (or not) a library. [Method:] We collect a dataset of the top 600 Python packages (corresponding to 21,205 versions) and used a number of innovative approaches for its analysis including the use of a two-part statistical model to deal with excess zeros, a mathematical closed formulation to estimate vulnerabilities that we confirm with bootstrapping on the actual dataset. [Results:] Small Python package versions have a median technical leverage of 6.9x their own code, while bigger package versions rely on dependencies code a tenth of their own (median leverage of 0.1). In terms of evolution, Python packages tend to have stable technical leverage through their evolution (once highly leveraged, always leveraged). On security, the chance of getting a safe package version when choosing a package is actually better than previous research has shown based on the ratio of safe package versions in the ecosystem. [Conclusions:] Python packages ship a lot of other people's code and tend to keep doing so. However, developers will have a good chance to choose a safe package version.
Recommended
Recommended
More Related Content
Similar to SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python ecosystem lessons learned
Similar to SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python ecosystem lessons learned (20)
More from South Tyrol Free Software Conference
More from South Tyrol Free Software Conference (20)
Recently uploaded
Recently uploaded (20)
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python ecosystem lessons learned
- 1. Technical Leverage in The Python Ecosystem: Lessons Learned Ranindya Paramitha · Fabio Massacci SFSCon 2023 · Bolzano, November 10-11, 2023 The South Tyrol Free Software Conference 2023 Published in the Journal of Empirical Software Engineering (EMSE) DOI: 10.1007/s10664-023-10355-2
- 2. Software, then and now
- 3. Software, then and now Nowadays: • Developers use FOSS (Free Open source software) as building blocks • Fraction of homegrown code as low as 5% for industry software (Source SAP) • Dependency code = 4x own code as industry average (Source BlackDuck)
- 4. Technical leverage: learning from finance, now
- 5. Technical leverage: learning from finance, now
- 6. Finance Technical leverage: learning from finance, now
- 7. Finance Software Technical leverage: learning from finance, now
- 8. Previous work in Java (Massacci & Pashchenko, ICSE’21) Big libs Small libs Own code in lines of code (log-scale) Direct leverage (log-scale)
- 9. Previous work in Java (Massacci & Pashchenko, ICSE’21) Big libs Small libs Own code in lines of code (log-scale) Direct leverage (log-scale) org.springframework:spring-aspects:3.0.5 Own size: 1K LoC
- 10. Previous work in Java (Massacci & Pashchenko, ICSE’21) Big libs Small libs Own code in lines of code (log-scale) Direct leverage (log-scale) org.springframework:spring-aspects:3.0.5 Own size: 1K LoC Tech leverage: 417.74
- 11. Previous work in Java (Massacci & Pashchenko, ICSE’21) Big libs Small libs Own code in lines of code (log-scale) Direct leverage (log-scale) org.springframework:spring-aspects:3.0.5 Own size: 1K LoC Io.netty:netty-all:4.0.56 Own size: 175K LoC Tech leverage: 417.74
- 12. Previous work in Java (Massacci & Pashchenko, ICSE’21) Big libs Small libs Own code in lines of code (log-scale) Direct leverage (log-scale) org.springframework:spring-aspects:3.0.5 Own size: 1K LoC Io.netty:netty-all:4.0.56 Own size: 175K LoC Tech leverage: 417.74 Tech leverage: 7.43
- 13. Previous work in Java (Massacci & Pashchenko, ICSE’21) Big libs Small libs Own code in lines of code (log-scale) Direct leverage (log-scale) org.springframework:spring-aspects:3.0.5 Own size: 1K LoC Io.netty:netty-all:4.0.56 Own size: 175K LoC Tech leverage: 417.74 Tech leverage: 7.43 How about in another ecosystem? How is the evolution of technical leverage?
- 14. RQ1: How is technical leverage distribution in the Python ecosystem? As in Java, Python developers also tend to ship a lot of other people's code (RQ1)
- 15. RQ1: How is technical leverage distribution in the Python ecosystem? As in Java, Python developers also tend to ship a lot of other people's code (RQ1) LESSON LEARNED Understanding what else will come along when a package is adopted is key to assessing its level of uncontrollable risk.
- 16. RQ2: How does the technical leverage metric change when we move to newer versions in a package? If you are highly leveraged, you will stay so.
- 17. RQ2: How does the technical leverage metric change when we move to newer versions in a package? If you are highly leveraged, you will stay so. LESSON LEARNED Once a package has been adopted, the level of uncontrollable risk is unlikely to change over time Good News If the risk was consciously accepted Otherwise → Bad News
- 18. RQ2: How does the technical leverage metric change when we move to newer versions in a package? If you are highly leveraged, you will stay so. LESSON LEARNED Once a package has been adopted, the level of uncontrollable risk is unlikely to change over time Good News If the risk was consciously accepted Otherwise → Bad News
- 19. RQ3: Does technical leverage capture the risk of having vulns?
- 20. RQ3: Does technical leverage capture the risk of having vulns? The probability of choosing a safe package version is higher than the proportion in the ecosystem.
- 21. RQ3: Does technical leverage capture the risk of having vulns? The probability of choosing a safe package version is higher than the proportion in the ecosystem. LESSON LEARNED Making statistics based on versions is good for claiming to have done a ‘large case study’ but is not representative of the reality on the field. Good News Life can be better than researchers depict it.
- 22. RQ3: Does technical leverage capture the risk of having vulns? The probability of choosing a safe package version is higher than the proportion in the ecosystem. LESSON LEARNED Making statistics based on versions is good for claiming to have done a ‘large case study’ but is not representative of the reality on the field. Good News Life can be better than researchers depict it.
- 23. Technical Leverage in The Python Ecosystem: Lessons Learned Ranindya Paramitha · Fabio Massacci RQ1: How is technical leverage distribution in the Python ecosystem? RQ2: How does the technical leverage metric change when we move to newer versions in a package? RQ3: Does technical leverage capture the risk of having vulns? MY WEB
- 24. PARTICIPATE IN OUR EXPERIMENT! “Do you think it is an Ethical Decision?” Some questions on an example from the ACM Code of Ethics and professional conduct • Your participation is voluntary. • The QR code will redirect you to an online survey. • The aim of the study is to find out how people think about ethical decisions in security. • The data is collected anonymously and will be used for research purposes. • It will take you approximately 5-10 minutes