Gail Murphy

Univ. of British Columbia
Tasktop Technologies

Software Supply Chains
@gail_murphy
Photo copyright Wierink/Shutterstock
With exception of pictures and icons
2
iPhone Supply Chain
Source: Supply Chain 24/7, 09/14
California: Design
TI: Touchscreen
Micron: Flash memory
Cirrus Logic: Audio
Murata: Bluetooth/Wifi
Infineon: Phone network
Dialog Semiconductors: Power management
Samsung: Processors
ST Microelectronics: Accelerometers/Gyroscope
3
Software Supply Chains
Loose Tight
4
Loose Software Supply Chain
component requests: 17.2B
suppliers: >105K
total components: >834K
2014: Central Repository of Java open source components
2015 State of the Software Supply Chain Report (Sonatype)
5
Tight Software Supply Chain
6
All is good?
7
Outline
Naïve View
Reality: Loose Supply Chain
Reality: Tight Supply Chain
8
Open Problems
Key points:
(re)use is not free
controlled transparency
Caveats:
challenges over solutions
Naïve View
10
Naïve View
Supply Chain: suppliers, parts, manufacturers, finished goods…
specialized excellence
lower costs
higher quality
11
Software Supply Chain Spectrum
Naïve View
Loose to Tight
Bouncy Castle: used by >> 10K organizations
12
Naïve View
Loose
(vast) majority of developers are part of a software supply chain
(diagram: suppliers, components, YOU!, software)
13
Naïve View
Loose
suppliers: >105K; total components: >834K (central repository)
GitHub project dependences
14
Naïve View
Loose
build products (and other components) faster:
higher-quality components
low cost to (re)use
ongoing updates
15
Naïve View
Tight
multiple tiers of contractually-obligated suppliers
Boeing, General Electric, Hydro-Aire
16
Naïve View
Tight
higher-quality components
on-time production
lower overall product cost
17
Software Supply Chains
Loose to Tight
faster, better, cheaper
open to closed
Reality View: Loose Supply Chain
Photo copyright Gniot/Shutterstock
19
Reality View / Loose Supply Chain
Two Parts: Social (S), Quality (Q)
20
Reality View / Loose Supply Chain S
Social Implications of OSS Library Use
#1 How often does the use of an OSS library lead to a social link between projects?
#2 Do social contributions occur before or after a dependence is introduced on a library?
#3 What kind of social contributions occur?
Palyart and Murphy, 2015, under review
21
Terminology
Reality View / Loose Supply Chain S
A (user project/repository) depends on B (library project/repository): technical dependence
social interactions: issue, comments, pull request, commit
Palyart and Murphy, 2015, under review
22
Data
Reality View / Loose Supply Chain S
23,059 repos: not a fork, public, forked at least twice, use Maven
17,900: depend on GitHub
1,227: high confidence in correct library dependences
1,409: > 20 issues, issues > 5% pull requests, handle account deletions
= 1,125 GitHub repos
Palyart and Murphy, 2015, under review
23
Data
Reality View / Loose Supply Chain S
Technical Link: A depends on B (library / date)
Social Link: developer / date / contribution (issue, comments, pull request, commit)
Palyart and Murphy, 2015, under review
24
#1 - How often does library use lead to social links?
Reality View / Loose Supply Chain S
(chart: Rs, the ratio of user repositories having a social link, 0% to 100%, against the number of user repositories on a log scale, 4 to 2048; labelled libraries: Guava, mcMMO, Vault, Netty, Assertj, Junit, Appsgate, JSONassert)
Palyart and Murphy, 2015, under review
25
#1 - How often does library use lead to social links?
Reality View / Loose Supply Chain S
(same chart) projects that often have a social link (28%)
26
#1 - How often does library use lead to social links?
Reality View / Loose Supply Chain S
(same chart) projects that sometimes have a social link (23%)
27
#1 - How often does library use lead to social links?
Reality View / Loose Supply Chain S
(same chart) projects that rarely have a social link (49%)
28
#1 - How often does library use lead to social links?
Reality View / Loose Supply Chain S
(same chart) generally… the more popular the library, the less likely developers of a user project are to get involved
29
#2 - When do social contributions occur related to library use?
Reality View / Loose Supply Chain S
A depends on B: Technical Link; Social Link
in only 61% of pairs did technical precede social
Palyart and Murphy, 2015, under review
30
#2 - When do social contributions occur related to library use?
Reality View / Loose Supply Chain S
(timeline, July to November: social before technical)
in 39% of pairs, social preceded technical
http://www.cs.ubc.ca/~mpalyart/stc_timeline/
31
#2 - When do social contributions occur related to library use?
Reality View / Loose Supply Chain S
time to involvement (boxplot: number of days, 0 to 3000, social before technical vs. technical before social)
social before technical: most interactions within a few months
technical before social: more interactions span a longer time
Palyart and Murphy, 2015, under review
32
#2 - When do social contributions occur related to library use?
Reality View / Loose Supply Chain S
duration of involvement (boxplot: number of days, log scale 10 to 1000)
social before technical: either short involvement or quite long
technical before social: most involvement under 5 days
33
#2 - When do social contributions occur related to library use?
Reality View / Loose Supply Chain S
number of contributions (boxplot: number of contributions, log scale 1 to 10000)
social before technical: more contributions, stronger communities?
technical before social: mostly < 10 contributions
34
#2 - When do social contributions occur related to library use?
Reality View / Loose Supply Chain S
when social before technical (39%)… more often closely tied to technical and often more contributions
when technical before social (61%)… may take a long time for interaction and then the interactions are often quick
Palyart and Murphy, 2015, under review
35
#3 - What kind of social contributions occur?
Reality View / Loose Supply Chain S
Forward (User to Library): 35% of pairs
seeking help, feature requests, pull requests
Palyart and Murphy, 2015, under review
36
#3 - What kind of social contributions occur?
Reality View / Loose Supply Chain S
Backward (Library to User): 30% of pairs
existing social community between projects
37
#3 - What kind of social contributions occur?
Reality View / Loose Supply Chain S
Forward & Backward: 35% of pairs
user developers contribute to library
library developers later do pull-request to user project to update library
38
#3 - What kind of social contributions occur?
Reality View / Loose Supply Chain S
(three boxplots by contribution type, BO = backward only, F&B = forward & backward, FO = forward only: number of developers, 0 to 40; number of days, 0 to 600; number of contributions, 0 to 2000)
# developers, # social contributions
Palyart and Murphy, 2015, under review
39
#3 - What kind of social contributions occur?
Reality View / Loose Supply Chain S
(same boxplots) involvement time
40
#3 - What kind of social contributions occur?
Reality View / Loose Supply Chain S
(same boxplots)
more backward social contributions than expected, and their presence indicates a strong social link
41
Loose Software Supply Chain
Reality View / Loose Supply Chain
often a social cost to using a library
more often than expected cost to being a library
42
Reality / Tight Supply Chain
Two Parts: Social (S), Quality (Q)
43
Reality View / Loose Supply Chain
Quality Implications of OSS Library Use Q
component requests: 17.2B
suppliers: >105K
total components: >834K
2014: Central Repository of Java open source components
2015 State of the Software Supply Chain Report (Sonatype)
constant updating: ~3.5 times / yr
44
Reality View / Loose Supply Chain
Quality Implications of OSS Library Use Q
Almost too Big to Fail, Geer and Corman, USENIX 2014
(diagram: A depends on B, direct (1-hop); B')
only 41% of vulnerable dependencies remediated
mean-time-to-repair of these was 390 days
CVSS level 10 - still 224 days to repair
45
Reality View / Loose Supply Chain
Quality Implications of OSS Library Use Q
CVE-2013-2251 (CVSS 9.3, Exploitability 10)
since identification… 4,076 organizations have downloaded the vulnerable component 179,050 times
2015 State of the Software Supply Chain Report (Sonatype)
46
Reality View / Loose Supply Chain
Quality Implications of OSS Library Use Q
CVE-2007-6721 (CVSS 10, Exploitability 10)
since identification… 11,236 organizations have downloaded the vulnerable component 214,484 times
2015 State of the Software Supply Chain Report (Sonatype)
47
Reality View / Loose Supply Chain
Quality Implications of OSS Library Use Q
2015 State of the Software Supply Chain Report (Sonatype)
7.5% of 240,757 component downloads by large financial or technology firms in 2014… were of a known defective part
66%: of those with a defective part, the defects were older than 2013
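To make the remediation lag on slides 44 to 47 concrete, here is an added Python example (not code from the talk, the Sonatype report or the Geer and Corman paper): it reads the direct (1-hop) dependencies from a constructed Maven pom fragment, matches them against a constructed advisory list with placeholder identifiers (ADV-0001 and so on, not real CVEs), reports how long each unfixed advisory has been open at a fixed build date, and computes the remediation rate and mean-time-to-repair of a constructed upgrade history. All data, names and the rule that versions strictly below fixed_in are affected are this example's own assumptions.

```python
"""Added example (not from the talk or the reports it cites): audit the direct
(1-hop) dependencies in a Maven pom against an advisory list and measure how
long known-defective parts have stayed in the build. The pom, advisories,
dates and ADV-nnnn identifiers are constructed placeholders, not real CVEs."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date

# Constructed pom fragment standing in for a project's direct dependencies.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>webfw</artifactId><version>2.3.15</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>crypto</artifactId><version>1.5.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>json</artifactId><version>3.0.1</version></dependency>
  </dependencies>
</project>"""


@dataclass(frozen=True)
class Advisory:
    ident: str       # placeholder identifier, not a real CVE
    artifact: str    # groupId:artifactId
    fixed_in: str    # first version that carries the fix
    cvss: float
    published: date


# Constructed advisories; a dependency is affected when its version is strictly below fixed_in.
ADVISORIES = [
    Advisory("ADV-0001", "org.example:webfw", "2.3.16", 9.3, date(2013, 7, 16)),
    Advisory("ADV-0002", "org.example:crypto", "1.4.0", 10.0, date(2007, 12, 1)),
    Advisory("ADV-0003", "org.example:json", "3.0.2", 5.0, date(2015, 1, 10)),
]
TODAY = date(2015, 6, 1)  # fixed build date so the example is reproducible


def parse_version(v):
    """Dotted numeric version to a comparable tuple, e.g. '2.3.15' -> (2, 3, 15)."""
    return tuple(int(p) for p in v.split("."))


def direct_dependencies(pom_xml):
    """Map 'groupId:artifactId' -> version for each direct dependency in the pom."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    deps = {}
    for d in root.findall("m:dependencies/m:dependency", ns):
        key = d.findtext("m:groupId", namespaces=ns) + ":" + d.findtext("m:artifactId", namespaces=ns)
        deps[key] = d.findtext("m:version", namespaces=ns)
    return deps


def audit(pom_xml, advisories, today):
    """Return unfixed advisories for the pom's direct dependencies, highest CVSS
    first, each with the number of days it has been open as of `today`."""
    deps = direct_dependencies(pom_xml)
    findings = []
    for adv in advisories:
        version = deps.get(adv.artifact)
        if version is None or parse_version(version) >= parse_version(adv.fixed_in):
            continue  # not used, or already upgraded past the fix
        findings.append({"id": adv.ident, "artifact": adv.artifact, "version": version,
                         "fixed_in": adv.fixed_in, "cvss": adv.cvss,
                         "days_open": (today - adv.published).days})
    findings.sort(key=lambda f: (-f["cvss"], -f["days_open"]))
    return findings


def remediation_stats(history):
    """history: (advisory published, date the dependency was upgraded, or None if
    never). Returns (fraction remediated, mean days to repair of the remediated)."""
    repaired = [(fixed - published).days for published, fixed in history if fixed is not None]
    rate = len(repaired) / len(history) if history else 0.0
    mttr = sum(repaired) / len(repaired) if repaired else None
    return rate, mttr


# Constructed upgrade history: two advisories, one fixed after 10 days, one never.
HISTORY = [(date(2015, 1, 1), date(2015, 1, 11)), (date(2015, 1, 1), None)]


def demo():
    return audit(POM, ADVISORIES, TODAY), remediation_stats(HISTORY)


if __name__ == "__main__":
    findings, (rate, mttr) = demo()
    for f in findings:
        print(f"{f['id']} {f['artifact']} {f['version']} (fix {f['fixed_in']}) "
              f"CVSS {f['cvss']} open {f['days_open']} days")
    print(f"remediated {rate:.0%}, mean time to repair {mttr} days")
```

On the constructed input, the crypto dependency is already past its fix and is not reported, while the webfw and json dependencies are flagged with their open time (685 and 142 days at the fixed build date), ordered so the higher CVSS comes first; the same days_open figure, averaged over repaired advisories, is what a mean-time-to-repair number summarises.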
48
Loose Software Supply Chain
Reality View / Loose Supply Chain
(re)use is not free
social and upgrade costs to use
Reality View: Tight Supply Chain
Photo copyright Gniot/Shutterstock
50
Reality / Tight Supply Chain
Two Parts: Social (S), Quality (Q)
51
Tight Software Supply Chain
Reality / Tight Supply Chains S
(diagram: three tiers joined by contractual agreements)
52
Tight Software Supply Chain
Reality / Tight Supply Chains S
Boeing, General Electric, Hydro-Aire (joined by contractual agreements)
53
Communication
Reality / Tight Supply Chains S
(diagram: tiers joined by contractual agreements, with restricted information flow across each boundary)
54
Communication
Reality / Tight Supply Chains S
(diagram: artifacts crossing the contractual boundaries: Req Change #1, Req Change #2, Test Result #3)
55
Communication
Reality / Tight Supply Chains S
(same diagram: Req Change #1, Req Change #2, Test Result #3)
56
Communication
Reality / Tight Supply Chains S
(diagram: contractual agreements only)
57
Communication
Reality / Tight Supply Chains S
(diagram: each tier's tool chain) Doors, RTC, HP Quality Center; Blueprint, RTC, HP Quality Center; VersionOne, Eclipse, HP Quality Center
58
Communication
Reality / Tight Supply Chains S
(same tool chains, joined by Schema Mappings between tiers)
Tight Software Supply Chain
Reality View / Loose Supply Chain
need tools to facilitate
appropriate communication
60
Reality / Tight Supply Chain
Two Parts: Social (S), Quality (Q)
61
Tight Software Supply Chain
Reality / Tight Supply Chains Q
Boeing, General Electric, Hydro-Aire
ability to verify the brake software wasn’t built in
62
Tight Software Supply Chain
Reality / Tight Supply Chains Q
Boeing, General Electric, Hydro-Aire
full transparency to full opacity
63
Tight Software Supply Chain
Reality / Tight Supply Chains Q
controlled transparency
balance need to share with protection of intellectual property
Open Problems
Illustration copyright Ai825/Shutterstock
65
Open Problems
Loose Software Supply Chains
can we…
assess when a component upgrade is needed?
lower the cost of quality and security upgrades?
measure and predict social cost of component use?
determine when backward social contributions are needed?
66
Open Problems
Tight Software Supply Chains
can we…
cost-effectively manage multi-tiered supply chains?
effectively handle arrangements of tight and loose supply chains?
automatically apply IP filters to information exchange?
provide white-box information without revealing secret sauce?
Illustration copyright Nenov Brothers Images/Shutterstock
68
Summary
Thanks to many post-docs, students and industrial collaborators over the years for their insights.
Thanks to NECSIS colleagues (particularly Jo Atlee, Marsha Chechik and Mark Lawford) for conversations.
Thanks to Sonatype for an analysis of the Central Repository.
Marc Palyart, Mik Kersten, Dave West
69
Summary
Software Supply Chains
Naïve: Better, faster, cheaper
Loose Supply Chain: Reuse is not free
Tight Supply Chain: Controlled transparency
Open Problems: Technical and ecosystem
70
Summary
Software Supply Chains
“supply chain” conjures up thoughts of organized, managed flows
for software supply chains, the reality is different (chaotic? brittle?)
(re)use is not free
controlled transparency
@gail_murphy
Loose to Tight
Photo copyright Wierink/Shutterstock

Software Supply Chains

  • 1.
    Gail Murphy
 Univ. ofBritish Columbia Tasktop Technologies
 Software Supply Chains @gail_murphy Photo copyright Wierink/Shutterstock With exception of pictures and icons
  • 2.
    2 ○ ○○ ○ ○○ ○ ○ ○ iPhone SupplyChain Source: Supply Chain 24/7, 09/14 California:
 Design TI:
 Touchscreen Micron:
 Flash memory Cirrus Logic:
 Audio Murata:
 Bluetooth/
 Wifi Infineon:
 Phone network Dialog Semiconductors:
 Power mngmt Samsung:
 Processors ST
 Microelectronics:
 Accelerometers/
 Gysroscope
  • 3.
  • 4.
    4 Loose Software SupplyChain component
 requests 17.2B suppliers total 
 components >105K >834K 2014: Central Repository of Java open source components 2015 State of the Software: Supply Chain Report (Sonatype)
  • 5.
  • 6.
  • 7.
    7 Outline Reality: Loose SupplyChain Naïve View Reality: Tight Supply Chain „ ä "
  • 8.
    8 Open Problems Key points: (re)useis not free controlled transparency Caveats: challenges over solutions "
  • 9.
  • 10.
    10 specialized excellence lower costs higherquality 
 Supply Chain: suppliers, parts, manufacturers, finished goods… Naïve View
  • 11.
    11 Software Supply ChainSpectrum Naïve View Loose Tight Bouncy Castle
 used >> 10K organizations
  • 12.
    12Naïve View Loose (vast) majorityof developers are part of a software supply chain suppliers components YOU! software
  • 13.
    13Naïve View Loose suppliers total 
 components >105K>834K central repository GitHub project dependences
  • 14.
    14Naïve View Loose build products(and other components) faster
 higher-quality components low cost to (re)use ongoing updates { { { {
  • 15.
    15Naïve View Tight multiple tiersof contractually-obligated suppliers Boeing General Electric Hydro-Aire
  • 16.
    16Naïve View Tight higher-quality components on-timeproduction lower overall product cost { { {
  • 17.
    17 Software Supply Chains LooseTight faster, better, cheaper open closed
  • 18.
  • 19.
    19Reality View /Loose Supply Chain Two Parts Social S Quality Q
  • 20.
    20Reality View /Loose Supply Chain Social Implications of OSS Library Use S How often does the use of an OSS library lead to a social link between projects? Do social contributions occur before or after a dependence is introduced on a library? What kind of social contributions occur? #1 #2 #3 Palyart and Murphy, 2015, under review
  • 21.
    21 Terminology Reality View /Loose Supply Chain S A B technical dependence social interactions issue comments pull request commit Palyart and Murphy, 2015, under review user
 project/ repository library
 project/ repository
  • 22.
    22 Data Reality View /Loose Supply Chain S 23,059 - not a fork - public - forked at least twice - use Maven 17,900 - depend on GitHub 1,227 - high confidence in 
 correct library dependences 1,409 - > 20 issues - issues > 5% pull requests - handle account deletions =1,125 GitHub repos Palyart and Murphy, 2015, under review
  • 23.
    23 Data Reality View /Loose Supply Chain S A B Library / Date Technical Link Dev / Date / Contrib issue comments pull request commit Social Link Palyart and Murphy, 2015, under review
  • 24.
    24 #1 - Howoften does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink Palyart and Murphy, 2015, under review
  • 25.
    25 #1 - Howoften does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink projects that often have a social link (28%) Palyart and Murphy, 2015, under review
  • 26.
    26 #1 - Howoften does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink projects that sometimes have a social link (23%) Palyart and Murphy, 2015, under review
  • 27.
    27 #1 - Howoften does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink projects that rarely have a social link (49%) Palyart and Murphy, 2015, under review
  • 28.
    28 #1 - Howoften does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink generally…
 the more popular the library, 
 the less likely developers of a user project are to get involved Palyart and Murphy, 2015, under review
  • 29.
    29 #2 - Whendo social contributions occur related to library use? Reality View / Loose Supply Chain S A B Technical Link Social Link in only 61% of pairs, 
 did technical precede social Palyart and Murphy, 2015, under review
  • 30.
    30 #2 - Whendo social contributions occur related to library use? Reality View / Loose Supply Chain S Palyart and Murphy, 2015, under review July August September October November in 39% of pairs, social preceded technical social before technical http://www.cs.ubc.ca/~mpalyart/stc_timeline/
  • 31.
    31 #2 - Whendo social contributions occur related to library use? Reality View / Loose Supply Chain S 0 1000 2000 3000 Social before technical Technical before social Numberofdays social before technical 
 most interactions within a few months
 
 technical before social
 
 more interactions span a longer time time to involvement Palyart and Murphy, 2015, under review 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions
  • 32.
    32 #2 - Whendo social contributions occur related to library use? Reality View / Loose Supply Chain S 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays social before technical 
 either short involvement or
 quite long
 
 technical before social
 
 most involvement under 5 days duration of involvement Palyart and Murphy, 2015, under review 10 1000 Social before technical Technical before social Numberofdays 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions
  • 33.
    1 10 100 1000 10000 Social before technicalTechnical before social Numberofcontributions 33 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S social before technical 
 more contributions, stronger
 communities?
 
 technical before social
 
 mostly < 10 contributions number of contributions 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions Palyart and Murphy, 2015, under review 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays
  • 34.
    34 #2 - Whendo social contributions occur related to library use? Reality View / Loose Supply Chain S 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions when social before technical (39%)…
 
 more often closely tied to technical and often more contributions when technical before social (61%)… may take a long time for interaction and then the interactions are often quick
 Palyart and Murphy, 2015, under review
  • 35.
    35 #3 - Whatkind of social contributions occur? Reality View / Loose Supply Chain S A B Technical Link Social Link Forward User Library 35% of pairs seeking help, feature requests, pull requests Palyart and Murphy, 2015, under review
  • 36.
    36 #3 - Whatkind of social contributions occur? Reality View / Loose Supply Chain S A B Technical Link Social Link Backward User Library 30% of pairs existing social community between projects Palyart and Murphy, 2015, under review
  • 37.
    37 #3 - Whatkind of social contributions occur? Reality View / Loose Supply Chain S A B Technical Link Social Link Forward & Backward User Library 35% of pairs user developers contribute to library library developers later do pull-request to user project to update library Palyart and Murphy, 2015, under review
  • 38.
    38 #3 - Whatkind of social contributions occur? Reality View / Loose Supply Chain S ● ●●● ●●● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●●●●●● ● ●●●● ● ●●●●●●●●● ● ●● ● ● ● ● ● ● ●● ● ●●● ● ● ●● ● ●●●●●●●●● ● ● ●●●●● ● ●●● ● ●●● ● ● ●●● ● ●●● ● ● ● ● ●●● ● ●●● ● ●●● ● ●●●● ● ●●●●●● ● ● ● ● ● ● ● ●●● ● ● 0 10 20 30 40 BO F&B FO Numberofdevelopers ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ●●● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 200 400 600 BO F&B FO Numberofdays ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 500 1000 1500 2000 BO F&B FO Numberofcontributions = backward only = forward & backward = forward only # developers # social contributions Palyart and Murphy, 2015, under review
  • 39.
    39 #3 - Whatkind of social contributions occur? Reality View / Loose Supply Chain S ● ●●● ●●● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●●●●●● ● ●●●● ● ●●●●●●●●● ● ●● ● ● ● ● ● ● ●● ● ●●● ● ● ●● ● ●●●●●●●●● ● ● ●●●●● ● ●●● ● ●●● ● ● ●●● ● ●●● ● ● ● ● ●●● ● ●●● ● ●●● ● ●●●● ● ●●●●●● ● ● ● ● ● ● ● ●●● ● ● 0 10 20 30 40 BO F&B FO Numberofdevelopers ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ●●● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 200 400 600 BO F&B FO Numberofdays ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 500 1000 1500 2000 BO F&B FO Numberofcontributions = backward only = forward & backward = forward only Palyart and Murphy, 2015, under review involvement time
  • 40.
    40 #3 - Whatkind of social contributions occur? Reality View / Loose Supply Chain S ● ●●● ●●● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●●●●●● ● ●●●● ● ●●●●●●●●● ● ●● ● ● ● ● ● ● ●● ● ●●● ● ● ●● ● ●●●●●●●●● ● ● ●●●●● ● ●●● ● ●●● ● ● ●●● ● ●●● ● ● ● ● ●●● ● ●●● ● ●●● ● ●●●● ● ●●●●●● ● ● ● ● ● ● ● ●●● ● ● 0 10 20 30 40 BO F&B FO Numberofdevelopers ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ●●● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 200 400 600 BO F&B FO Numberofdays ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 500 1000 1500 2000 BO F&B FO Numberofcontributions = backward only = forward & backward = forward only # developers # social contributions Palyart and Murphy, 2015, under review more backward social contributions than expected and their presence indicates a strong social link
 involvement time
  • 41.
    41 Loose Software SupplyChain Reality View / Loose Supply Chain often a social cost to using a library more often than expected cost to being a library
  • 42.
    42Reality / TightSupply Chain Two Parts Social S Quality Q
  • 43.
    43Reality View /Loose Supply Chain Quality Implications of OSS Library Use Q component
 requests 17.2B suppliers total 
 components >105K >834K 2014: Central Repository of Java open source components 2015 State of the Software: Supply Chain Report (Sonatype) constant updating ~ 3.5 times / yr
44 Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q
Almost Too Big to Fail, Geer and Corman, USENIX ;login:, 2014
[Diagram: A depends directly on B (1-hop only); B is later replaced by the fixed version B'.]
only 41% of vulnerable dependencies remediated
mean-time-to-repair of these was 390 days
CVSS level 10: still 224 days to repair
45 Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q
CVE-2013-2251 (Apache Struts 2, OGNL remote code execution), CVSS 9.3, Exploitability 10
since identification… 4,076 organizations have downloaded the vulnerable component 179,050 times
2015 State of the Software Supply Chain Report (Sonatype)
46 Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q
CVE-2007-6721 (Bouncy Castle Java Cryptography API before release 1.38), CVSS 10, Exploitability 10
since identification… 11,236 organizations have downloaded the vulnerable component 214,484 times
2015 State of the Software Supply Chain Report (Sonatype)
47 Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q
2015 State of the Software Supply Chain Report (Sonatype)
7.5% of 240,757 component downloads by large financial or technology firms in 2014 were of a known defective part
66%: of the downloads with a defective part, the defects were older than 2013
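The Geer and Corman figures and the two Sonatype CVE slides above make the same point from the consumer's side: known-vulnerable components keep being pulled in long after the CVE is public, and a scan limited to direct (1-hop) dependencies sees only part of the exposure. The following is an added example, not code from the talk or from Sonatype: a minimal Python audit that walks a Maven-style dependency graph transitively and matches every coordinate against a small vulnerability table. The graph and the com.example coordinates are constructed; the two table entries use the affected ranges from the public descriptions of CVE-2013-2251 (Struts 2.0.0 through 2.3.15, fixed in 2.3.15.1) and CVE-2007-6721 (Bouncy Castle before 1.38) with the CVSS scores quoted on the slides, and should be checked against an advisory database before being relied on.

```python
"""Transitive dependency audit against a small vulnerability table.

Added example, not code from the talk. DEPENDENCIES and the com.example
coordinates are constructed; VULNERABILITIES follows the public CVE
descriptions (verify against an advisory database before relying on it).
"""
import re
from collections import deque

# Maven-style coordinates "group:artifact:version" -> direct dependencies.
# Constructed for this example; the webapp and its in-house libraries do not exist.
DEPENDENCIES = {
    "com.example:webapp:1.0": [
        "org.apache.struts:struts2-core:2.3.15",
        "com.example:reporting:4.2",
    ],
    "org.apache.struts:struts2-core:2.3.15": [
        "org.apache.struts.xwork:xwork-core:2.3.15",
    ],
    "com.example:reporting:4.2": ["com.example:crypto-utils:0.9"],
    "com.example:crypto-utils:0.9": ["org.bouncycastle:bcprov-jdk15:1.37"],
}

# Affected range is [introduced, fixed); introduced=None means every earlier version.
VULNERABILITIES = [
    {"artifact": "org.apache.struts:struts2-core", "cve": "CVE-2013-2251",
     "introduced": "2.0.0", "fixed": "2.3.15.1", "cvss": 9.3},
    {"artifact": "org.bouncycastle:bcprov-jdk15", "cve": "CVE-2007-6721",
     "introduced": None, "fixed": "1.38", "cvss": 10.0},
]


def parse_version(version):
    """Order versions like 2.3.15 < 2.3.15.1 < 2.3.16 by comparing tuples of
    integers. Simplified: a non-numeric qualifier ('-beta', '.RC1') ends the
    tuple, which is enough here but is not full Maven version ordering."""
    parts = []
    for piece in re.split(r"[.-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (introduced=None: no lower bound)."""
    v = parse_version(version)
    if introduced is not None and v < parse_version(introduced):
        return False
    return v < parse_version(fixed)


def audit(root, graph, vulns):
    """Breadth-first walk from root; return one finding per vulnerable
    coordinate with its depth (1 = direct dependency, >1 = transitive)."""
    findings = []
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        coord, depth = queue.popleft()
        group, artifact, version = coord.split(":")
        for vuln in vulns:
            if (vuln["artifact"] == f"{group}:{artifact}"
                    and is_affected(version, vuln["introduced"], vuln["fixed"])):
                findings.append({"coordinate": coord, "depth": depth,
                                 "cve": vuln["cve"], "cvss": vuln["cvss"]})
        for child in graph.get(coord, []):
            if child not in seen:  # a component reached by two paths is reported once
                seen.add(child)
                queue.append((child, depth + 1))
    return findings


def split_by_scope(findings):
    """What a direct-only (1-hop) scan would report versus what it would miss."""
    direct = [f for f in findings if f["depth"] == 1]
    transitive = [f for f in findings if f["depth"] > 1]
    return direct, transitive


if __name__ == "__main__":
    found = audit("com.example:webapp:1.0", DEPENDENCIES, VULNERABILITIES)
    direct, transitive = split_by_scope(found)
    for f in found:
        print(f"{f['cve']} (CVSS {f['cvss']}) via {f['coordinate']} at depth {f['depth']}")
    print(f"a direct-only scan sees {len(direct)} of {len(found)} findings")
```

On the constructed graph the Struts component is a direct dependency and the Bouncy Castle provider sits three hops down, so a 1-hop scan of the kind the Geer and Corman figures are scoped to reports one of the two findings. The version comparison is deliberately simple; a real audit should use the ecosystem's own ordering rules and a maintained advisory feed rather than a hand-written table.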
48 Loose Software Supply Chain Reality View / Loose Supply Chain
(re)use is not free: social and upgrade costs to use
49 Reality View: Tight Supply Chain
Photo copyright Gniot/Shutterstock
50 Reality View / Tight Supply Chain Two Parts: Social (S), Quality (Q)
51 Tight Software Supply Chain Reality / Tight Supply Chains S
[Diagram: tiers of suppliers, each link a contractual agreement]
52 Tight Software Supply Chain Reality / Tight Supply Chains S
[Diagram: Boeing, General Electric, Hydro-Aire; each link a contractual agreement]
53 Communication Reality / Tight Supply Chains S
[Diagram, built up over slides 53 to 56: contractual agreements between the tiers with restricted information flow in both directions; artifacts such as Req Change #1, Req Change #2 and Test Result #3 have to cross each boundary]
57 Communication Reality / Tight Supply Chains S
[Diagram, completed on slide 58: each tier runs its own tool chain, e.g. Doors, RTC and HP Quality Center; Blueprint, RTC and HP Quality Center; VersionOne, Eclipse and HP Quality Center. Schema mappings are needed at each boundary between tool chains.]
59 Tight Software Supply Chain Reality View / Tight Supply Chain
need tools to facilitate appropriate communication
60 Reality View / Tight Supply Chain Two Parts: Social (S), Quality (Q)
61 Tight Software Supply Chain Reality / Tight Supply Chains Q
Boeing, General Electric, Hydro-Aire
ability to verify the brake software wasn't built in
62 Tight Software Supply Chain Reality / Tight Supply Chains Q
Boeing, General Electric, Hydro-Aire
[Spectrum: full transparency at one end, full opacity at the other]
63 Tight Software Supply Chain Reality / Tight Supply Chains Q
controlled transparency: balance the need to share with protection of intellectual property
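The communication slides and the controlled transparency point describe the tier boundary as a place where some artifacts (requirement changes, test results) must cross while the supplier's intellectual property must not, and the open problems that follow ask whether IP filters can be applied to that exchange automatically. The following is an added example, not code from the talk and not the real schema of Doors, RTC, HP Quality Center or any Tasktop product: a Python sketch of one such boundary, a field-level mapping from a supplier's test-result record to the integrator's schema that releases only fields explicitly classified as shareable, withholds everything else by default, and re-checks the outgoing record before it leaves. The record, both schemas and the field classification are constructed.

```python
"""Controlled transparency at a tier boundary: schema mapping plus allow-list filter.

Added example, not from the talk. SUPPLIER_TEST_RESULT, FIELD_POLICY and the
target field names are constructed; real tool schemas are richer than this.
"""

# A test result as the supplier's own tool might store it (constructed).
SUPPLIER_TEST_RESULT = {
    "id": "TR-3",
    "requirement": "REQ-17",
    "verdict": "pass",
    "executed_on": "2015-03-02",
    "test_procedure": "bench rig, 40 cycles, sensor emulation profile B",  # proprietary
    "algorithm_params": {"gain": 1.7, "deadband_ms": 12},                 # proprietary
    "engineer": "j.doe",                                                  # personal data
}

# supplier field -> (integrator field, shareable?). Only rows marked True cross
# the boundary; a field missing from this table is withheld, not passed through.
FIELD_POLICY = {
    "id":               ("source_ref",     True),
    "requirement":      ("requirement_id", True),
    "verdict":          ("result",         True),
    "executed_on":      ("run_date",       True),
    "test_procedure":   (None,             False),
    "algorithm_params": (None,             False),
    "engineer":         (None,             False),
}


def export_record(record, policy):
    """Map a supplier record onto the integrator's schema.

    Returns (exported, withheld): the record to send, using the integrator's
    field names, and the sorted list of supplier fields that were held back.
    The default for an unknown field is to withhold it, so a field added to the
    supplier's tool later is not leaked until someone classifies it.
    """
    exported, withheld = {}, []
    for field, value in record.items():
        target, shareable = policy.get(field, (None, False))
        if shareable and target is not None:
            exported[target] = value
        else:
            withheld.append(field)
    return exported, sorted(withheld)


def verify_release(exported, policy):
    """Independent pre-release check: every key about to cross the boundary must
    be a declared shareable target field. Catches a mapping bug or a record that
    bypassed export_record()."""
    allowed = {target for target, shareable in policy.values()
               if shareable and target is not None}
    return set(exported) <= allowed


if __name__ == "__main__":
    outgoing, held = export_record(SUPPLIER_TEST_RESULT, FIELD_POLICY)
    assert verify_release(outgoing, FIELD_POLICY), "release check failed"
    print("released:", outgoing)
    print("withheld:", held)
```

The design choice worth copying is the direction of the default: the policy is an allow-list keyed on the supplier's own field names, so the failure mode of an unclassified field is an incomplete export that the receiving tier can complain about, rather than a disclosure the supplier cannot take back. The second function exists so that the check does not depend on every path into the export going through the mapper.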
65 Open Problems: Loose Software Supply Chains
can we…
assess when a component upgrade is needed?
lower the cost of quality and security upgrades?
measure and predict the social cost of component use?
determine when backward social contributions are needed?
66 Open Problems: Tight Software Supply Chains
can we…
cost-effectively manage multi-tiered supply chains?
effectively handle arrangements of tight and loose supply chains?
automatically apply IP filters to information exchange?
provide white-box information without revealing the secret sauce?
68 Summary
Thanks to many post-docs, students and industrial collaborators over the years for their insights.
Thanks to NECSIS colleagues (particularly Jo Atlee, Marsha Chechik and Mark Lawford) for conversations. Thanks to Sonatype for an analysis of the Central Repository.
Marc Palyart, Mik Kersten, Dave West
69 Summary Software Supply Chains
Naïve: better, faster, cheaper
Loose Supply Chain: reuse is not free
Tight Supply Chain: controlled transparency
Open Problems: technical and ecosystem
70 Summary Software Supply Chains
“supply chain” conjures up thoughts of organized, managed flows; for software supply chains, the reality is different (chaotic? brittle?)
(re)use is not free
controlled transparency
@gail_murphy
Photo copyright Wierink/Shutterstock
  • 72.
    Gail Murphy
 Univ. ofBritish Columbia Tasktop Technologies
 Software Supply Chains @gail_murphy Photo copyright Wierink/Shutterstock With exception of pictures and icons