How Magic Is Zero?
An Empirical Analysis of Initial Development Releases in Software Package Distributions
Alexandre Decan, Tom Mens
Software Engineering Lab, Faculty of Sciences
3rd International Workshop on Software Health – July 2020
secoassist.github.io
SoHeal 2020 - How Magic Is Zero?
0.2  Software package distributions
• Tens of thousands of interdependent package releases
• Distributed through dedicated package managers
• Ecosystem-specific versioning and release policies

12/2018        Cargo   npm         Packagist
language       Rust    JavaScript  PHP
packages       21K     880K        141K
releases       113K    ~6M         ~1M
dependencies   433K    ~27M        ~3M
0.3  Semantic versioning of package releases
A version number major.minor.patch (e.g. 3.9.2) signals the kind of change since the previous release:
• major: breaking changes
• minor: backwards compatible changes
• patch: bug fixes
A dependency constraint that accepts major updates is the most permissive; one that accepts only patch updates is the most restrictive.
The version number is mainly used to signal backwards compatibility.
Dependent packages can use constraints to remain up-to-date.
0.4  Packages with major version 0
Packages have different levels of maturity. Popular convention:
• 0.y.z: initial development releases
• ≥ 1.0.0: stable and production-ready releases
How magic is 0?
0.5  Zero can be misleading
0.y.z « not production-ready »?
  axios, version 0.19.2: 42 releases, 946 commits, >200 contributors, ~10M weekly downloads, 36K dependent npm packages, used by 2.6M GitHub projects
≥1.0.0 « mature and stable »?
  zerokit-web-sdk, version 4.0.6: 5 releases, 16 commits, single developer, no longer maintained…
0.6  Zero can be confusing
Semantic versioning: « Major version zero is for initial development. Anything may change at any time. The public API should not be considered stable. »
Cargo: « Cargo bakes in the concept of Semantic Versioning, so make sure you follow some basic rules: 1. Before you reach 1.0.0, anything goes, but if you make breaking changes, increment the minor version. »
NPM (node-semver): « Many authors treat a 0.x version as if the x were the major “breaking change” indicator. »
Packagist: « The ^ operator […] sticks closer to semantic versioning, and will always allow non-breaking updates. […] For pre-1.0 versions it also acts with safety in mind and treats ^0.3 as ≥0.3.0 <0.4.0. »
Ecosystem-specific rules, policies and conventions for 0.y.z releases
0.7  Zero can be confusing
A. Decan, T. Mens (2019). What Do Package Dependencies Tell Us about Semantic Versioning? IEEE Transactions on Software Engineering.
0.8  Zero can be magical
Maintainers of npm even recommend avoiding 0.y.z, since « semver spec is weirdly magical about 0.y.z versions, and we cannot ever hope to get everyone to believe what the correct interpretation of 0.y.z versions are »
Magic zero even gave rise to the satirical 0-ver versioning policy: « Your software’s major version should never exceed the first and most important number in computing: zero » — https://0ver.org/
« An easily spottable plague of an absolute majority of Haskell packages is that they get stuck in the 0.x.x version space, thus forever retaining that “beta” feeling even if the package’s API remains stable for years and has dependencies counted by thousands » — Haskell subreddit
… even if documentation states that « Packages with a zero major version provide the same contractual guarantees as versions released with a non-zero major version »
0.9  How magic is zero?
1. How prevalent are 0.y.z package releases?
2. How long does it take for a package to reach a ≥1.0.0 release?
3. Are 0.y.z releases updated more frequently than ≥1.0.0 releases?
4. Are 0.y.z package releases used by other packages?
5. How permissive are dependency constraints towards 0.y.z releases?
0.10  How prevalent are 0.y.z packages?
[Figure: evolution of the number of packages whose latest release is 0.y.z]
Many 0.y.z packages:
• 9 out of 10 in Cargo
• 1 out of 3 in npm
• 1 out of 5 in Packagist
≥ 90% of them were active in 2018!
0.11  How long does it take to reach ≥1.0.0?
Not all packages have a ≥1.0.0 release: fewer than one out of ten packages went from 0.y.z to ≥1.0.0 (« packages get stuck in the 0.y.z version space »).
For those that do:
• A majority of them took a few months and a few updates
• One out of five took more than one year
• One out of ten took even more than two years
0.12  Are 0.y.z releases updated more frequently?
[Figure: average time between consecutive releases]
0.y.z packages are updated slightly more frequently than ≥1.0.0 packages: the difference is statistically confirmed, but the effect size is small to negligible.
« major version zero is all about rapid development »
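The two measurements behind the slides "How long does it take to reach ≥1.0.0?" and "Are 0.y.z releases updated more frequently?", as an added example that is not part of the deck or of the authors' analysis scripts. It treats a package's release history as (version, date) pairs, reports how many days and how many 0.y.z releases it took to reach ≥1.0.0, and computes the mean gap to the next release separately for 0.y.z and ≥1.0.0 releases. The release histories are constructed sample data, the one-year and two-year thresholds are the slide's own, and attributing a gap to the release that starts it is an assumption of this example.

```python
"""Time to reach >=1.0.0 and release cadence on both sides of 1.0.0 (added
example, not the authors' code). A release history is a list of
(version, date) pairs; the histories below are constructed sample data."""
from datetime import date
from statistics import mean


def major_of(version):
    """Major component of a dotted version string."""
    return int(version.split(".")[0])


def time_to_stable(history):
    """Days from the first release to the first >=1.0.0 release, and the number
    of 0.y.z releases published before it; None if the package never left 0.y.z."""
    releases = sorted(history, key=lambda r: r[1])
    first_day = releases[0][1]
    for index, (version, day) in enumerate(releases):
        if major_of(version) >= 1:
            return (day - first_day).days, index
    return None


def mean_release_gap_days(history):
    """Mean days until the next release, attributed to the release that starts
    the gap (assumption), split into 0.y.z and >=1.0.0 releases. A group with
    no gap yields None."""
    releases = sorted(history, key=lambda r: r[1])
    gaps = {"0.y.z": [], ">=1.0.0": []}
    for (version, day), (_, next_day) in zip(releases, releases[1:]):
        group = "0.y.z" if major_of(version) == 0 else ">=1.0.0"
        gaps[group].append((next_day - day).days)
    return {g: (mean(v) if v else None) for g, v in gaps.items()}


def summarize(packages):
    """Share of packages that reached >=1.0.0 and, among those, the share that
    took more than one year / two years (the slide's thresholds)."""
    results = {name: time_to_stable(h) for name, h in packages.items()}
    stable = [r[0] for r in results.values() if r is not None]
    n = len(stable)
    return {
        "reached_1.0.0": n / len(packages),
        "over_one_year": sum(d > 365 for d in stable) / n if n else None,
        "over_two_years": sum(d > 730 for d in stable) / n if n else None,
    }


D = date
PACKAGES = {  # constructed release histories, not data from the study
    "alpha":   [("0.1.0", D(2017, 1, 10)), ("0.2.0", D(2017, 3, 1)),
                ("1.0.0", D(2017, 6, 15)), ("1.0.1", D(2017, 7, 1))],
    "beta":    [("0.1.0", D(2016, 1, 1)), ("0.1.1", D(2016, 2, 1)),
                ("0.2.0", D(2016, 9, 1)), ("1.0.0", D(2017, 8, 1))],
    "gamma":   [("0.3.0", D(2018, 2, 1)), ("0.3.1", D(2018, 2, 15)),
                ("0.4.0", D(2018, 5, 1))],
    "delta":   [("0.1.0", D(2015, 3, 1)), ("0.9.0", D(2017, 1, 1)),
                ("1.0.0", D(2017, 9, 1))],
    "epsilon": [("0.0.1", D(2019, 1, 1)), ("0.0.2", D(2019, 1, 8))],
}

if __name__ == "__main__":
    for name, history in PACKAGES.items():
        print(name, time_to_stable(history), mean_release_gap_days(history))
    print(summarize(PACKAGES))
```

On the constructed sample three of five packages reach ≥1.0.0, two of those three take more than a year and one more than two years; on real data the per-package gaps would be pooled across packages before comparing the two groups, which is where the slide's effect-size caveat comes in.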
0.13  Are 0.y.z releases used by other packages?
Many 0.y.z packages are required by ≥1.0.0 packages, and many ≥1.0.0 packages rely on 0.y.z packages, even though semantic versioning says:
« if your software is used in production, it should probably already be 1.0.0 »
« if you have a stable API on which users have come to depend, you should be 1.0.0 »
« anything may change at any time [and] the public API should not be considered stable »
0.14  How permissive are dependency constraints towards 0.y.z packages?
« Major version zero (0.y.z) is for initial development. Anything may change at any time. The public API should not be considered stable. »
[Figure: proportion of dependency constraints accepting at most patch, minor or major releases]
Dependencies on 0.y.z packages assume patches to be compatible → more permissive than semver!
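The constraint expansion and classification behind the semver slide (major/minor/patch and constraint permissiveness), the "Zero can be confusing" slide (the ^ rules quoted from Cargo, node-semver and Packagist) and this slide, as an added example that is not part of the deck or of the authors' tooling. It expands ^, ~, exact-pin and * constraints into a half-open version interval using the rules node-semver and Cargo document (Composer's ^ agrees; its ~ on two-component versions differs and is not modelled), classifies each constraint by the highest version component it lets a resolver move, and flags constraints that accept updates semver does not promise to be compatible. The constraints and target releases are constructed sample values, and grouping a dependency by the major of its target's current release is this example's reading of "towards 0.y.z packages".

```python
"""Permissiveness of dependency constraints towards 0.y.z targets (added
example, not the authors' code). Handles ^, ~, exact pins and '*' with the
node-semver/Cargo rules; '>=a <b' ranges and prerelease tags are not handled
and raise ValueError. The sample dependencies below are constructed."""
import re
from collections import Counter

INF = 10**9  # stands in for an unbounded version component

def parse_version(text):
    """'0.3' -> [0, 3]; the number of components written is significant."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text.strip()):
        raise ValueError(f"unsupported version: {text!r}")
    return [int(p) for p in text.strip().split(".")]

def caret_bounds(nums):
    """^ allows changes that leave the leftmost non-zero component unchanged."""
    lo = tuple(nums + [0] * (3 - len(nums)))
    major, minor, patch = lo
    if major > 0:
        hi = (major + 1, 0, 0)      # ^1.2.3 := >=1.2.3 <2.0.0
    elif len(nums) == 1:
        hi = (1, 0, 0)              # ^0     := >=0.0.0 <1.0.0
    elif minor > 0 or len(nums) == 2:
        hi = (0, minor + 1, 0)      # ^0.3, ^0.3.1, ^0.0 := <0.(minor+1).0
    else:
        hi = (0, 0, patch + 1)      # ^0.0.3 := >=0.0.3 <0.0.4
    return lo, hi

def tilde_bounds(nums):
    """~ allows patch-level changes if a minor is given, minor-level otherwise."""
    lo = tuple(nums + [0] * (3 - len(nums)))
    hi = (lo[0] + 1, 0, 0) if len(nums) == 1 else (lo[0], lo[1] + 1, 0)
    return lo, hi

def parse_constraint(text):
    """Return the half-open interval [lo, hi) of versions a constraint accepts."""
    text = text.strip()
    if text == "*":
        return (0, 0, 0), (INF, 0, 0)
    if text[0] in "^~":
        bounds = caret_bounds if text[0] == "^" else tilde_bounds
        return bounds(parse_version(text[1:]))
    lo = parse_version(text.lstrip("="))  # exact pin, e.g. 1.2.3 or =1.2.3
    if len(lo) != 3:
        raise ValueError(f"exact pin needs three components: {text!r}")
    return tuple(lo), (lo[0], lo[1], lo[2] + 1)

def highest_accepted(hi):
    """Largest version strictly below the exclusive upper bound hi."""
    major, minor, patch = hi
    if patch > 0:
        return (major, minor, patch - 1)
    if minor > 0:
        return (major, minor - 1, INF)
    return (major - 1, INF, INF)

def permissiveness(constraint):
    """'major', 'minor', 'patch' or 'pinned': the highest version component
    that differs between the lowest and the highest accepted version."""
    lo, hi = parse_constraint(constraint)
    top = highest_accepted(hi)
    for level, i in (("major", 0), ("minor", 1), ("patch", 2)):
        if lo[i] != top[i]:
            return level
    return "pinned"

def exceeds_semver(constraint, target):
    """True if the constraint accepts updates semver does not promise to be
    backwards compatible: any update of a 0.y.z target, or a major update of a
    >=1.0.0 target. 'target' is the current release of the depended-on package."""
    level = permissiveness(constraint)
    if parse_version(target)[0] == 0:
        return level != "pinned"
    return level == "major"

def permissiveness_by_target(deps):
    """Count permissiveness levels, split by whether the target is 0.y.z."""
    counts = {"0.y.z": Counter(), ">=1.0.0": Counter()}
    for constraint, target in deps:
        group = "0.y.z" if parse_version(target)[0] == 0 else ">=1.0.0"
        counts[group][permissiveness(constraint)] += 1
    return counts

# Constructed sample: (constraint, current release of the target package).
SAMPLE_DEPENDENCIES = [
    ("^0.19.2", "0.19.2"), ("~0.19.0", "0.19.2"), ("^0.3", "0.3.4"),
    ("0.2.1", "0.2.1"), ("^0.0.3", "0.0.3"), ("^0.4.1", "0.4.1"),
    ("^1.2.3", "1.2.3"), ("~1.2.3", "1.2.5"), ("2.0.1", "2.0.1"),
    ("^3.9.2", "3.9.2"), ("*", "2.3.0"), ("~2.1", "2.1.7"),
]

if __name__ == "__main__":
    for group, counter in permissiveness_by_target(SAMPLE_DEPENDENCIES).items():
        print(group, dict(counter))
    print("beyond semver's promise:",
          [c for c, t in SAMPLE_DEPENDENCIES if exceeds_semver(c, t)])
```

The point the classification makes visible: `^0.19.2` and `~0.19.0` both resolve to the same "patch" level as `~1.2.3`, so a dependent that writes them is trusting 0.y.z patch releases to be compatible exactly as it trusts ≥1.0.0 ones, which is the permissiveness beyond the semver text that the slide reports. Only a pinned 0.y.z constraint (here `0.2.1` and `^0.0.3`) stays within what semver promises.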
0.15  Summary
1. How prevalent are 0.y.z packages?
   0.y.z packages are prevalent in all three considered distributions, even accounting for 90% of all packages in Cargo
2. How long does it take for a 0.y.z package to reach a ≥1.0.0 release?
   Packages get stuck in the 0.y.z version space; only 10% went to ≥1.0.0
   It generally takes a few months, but ~20% took more than a year
3. Are 0.y.z releases updated more frequently than ≥1.0.0 releases?
   Slightly more, but the statistical difference is small to negligible
4. Are 0.y.z package releases required by other packages?
   No practical difference between 0.y.z and ≥1.0.0
5. How permissive are dependency constraints towards 0.y.z packages?
   Packages adopt a policy that is more permissive than semver
   Backwards compatibility is assumed for patches in 0.y.z
1.0  Conclusions
• The popular belief that 0 versions are for initial development does not appear to hold: we observed little difference between how 0.y.z and ≥1.0.0 releases behave in practice.
• Versioning rules and conventions are confusing, reinforcing the artificial psychological barrier of the 1.0.0 release.
• Semver is not strictly followed by package maintainers
  → this deviation should be made explicit
  → the semver policy should be adapted
• There is no fundamental reason to consider that 0.y.z releases do not fulfil the same contracts or promises as ≥1.0.0 releases.
Questions?
