chaoss.community
@tom_mens
Dr. Tom Mens
Dr. Ahmed Zerouali
Software Engineering Lab
University of Mons
tom.mens@umons.ac.be
secoassist.github.io
@secoassist
"Excellence of Science" Research Project
Focus
Which measures can help software developers and
deployers to decide when and why they should update?
Online survey
What would be the most appropriate (i.e., ideal)
version of a software library to depend on?
• 17 respondents
Highly educated with an average of 3 years of
development experience
• Responses:
★ Most stable (14)
★ Latest available (9)
★ Most documented (7)
★ Most secure (5)
Idea: Technical Lag
“The increasing difference between deployed software
packages and the ideal available upstream packages.”
Ideal
• stability, security, functionality, recency, etc.
Difference
• time, version updates, bugs, vulnerabilities, features, …
J. Gonzalez-Barahona, P. Sherwood, G. Robles, D. Izquierdo (2017)
"Technical lag in software compilations: Measuring how outdated a software
deployment is.” IFIP International Conference on Open Source Systems. Springer
Importance of Technical Lag
Semi-structured interviews:
2019
5 highly educated software practitioners with
an average of 10 years of experience
Technical Lag is important, especially if we mix
between the benefits of updating and the effort
required to do that.
Measuring Technical Lag
∆ version
∆ time
∆ bugs
∆ vulnerabilities
Measuring Technical Lag
A technical lag framework F is a tuple (C, L, ideal, delta, agg) with
• C a set of component releases
• L a set of possible lag values
• ideal: C → C computes the “ideal” (upstream) component release
for a given (deployed) release
• delta: C × C → L computes the difference between two
component releases
• agg: 2^L → L aggregates the results of a set of lags
A formal framework for measuring technical lag in component repositories – and
its application to npm. A. Zerouali, T. Mens, J. Gonzalez-Barahona, A. Decan, E.
Constantinou, G. Robles. Wiley Journal on Software Evolution and Process, 2019
Measuring Technical Lag
Given a technical lag framework F, we define
techlag_F(c) = delta(c, ideal(c))
for any deployed component c
aggLag_F(D) = agg({techlag_F(c) | c in D})
for any set of deployed components D
Technical Lag - Example
Time-based measurement of technical lag
(ideal = most recent release; delta = time difference)
[Figure: release timeline with releases 1.0.1, 1.1.0, 2.0.0, 1.2.0, 2.0.1; the deployed package and the upstream package are marked]
Time lag = date(2.0.1) - date(1.1.0)
Technical Lag - Example
Version-based measurement of technical lag
(ideal = highest release; delta = version difference)
[Figure: release timeline with releases 1.0.1, 1.1.0, 2.0.1, 2.0.0, 1.2.0; the deployed package and the upstream package are marked, with steps labelled "1 major" and "1 patch" between them]
Version lag = 1 major + 1 patch
Technical Lag - Example
Vulnerability-based measurement of technical lag
(ideal = least vulnerable release; delta = #vulnerabilities)
[Figure: release timeline with releases 1.0.1, 1.1.0, 2.0.0, 1.2.0, 2.0.1; the deployed package and the upstream package are marked]
Security lag: 1 vulnerability fix behind
Technical Lag - Example
Bug-based measurement of technical lag
(ideal = least known bugs; delta = #known bugs)
[Figure: release timeline with releases 1.0.1, 1.1.0, 2.0.0, 1.2.0, 2.0.1; the deployed package and the upstream package are marked]
Dependency needs to be downgraded to
be able to use most stable version…
Bug lag: 1 more bug than most stable version
Case study 1: Technical lag in npm
distribution of JavaScript packages
Credits: https://exploring-data.com/vis/npm-packages-dependencies/
A. Decan, T. Mens, E. Constantinou (2018)
On the evolution of technical lag in the npm
package dependency network. IEEE Int’l
Conf. Software Maintenance and Evolution
+20M
dependencies
Technical Lag – Example
[Figure: package.json]
Time-based technical lag for deployed release debug 2.6.9
ideal (debug 2.6.9) = debug 3.1.0
timeLag(debug 2.6.9) = 26-09-2017 - 22-09-2017 = 4 days
versionLag(debug 2.6.9) = 1 major + 1 minor + 1 patch
Technical Lag – Example
Time-based technical lag for deployed release ms 2.0.0
ideal (ms 2.0.0) = ms 2.1.1
timeLag(ms 2.0.0) = 30-11-2017 - 16-05-2017 = 198 days
versionLag(ms 2.0.0) = 1 minor + 1 patch
Technical Lag – Example
Aggregated transitive time lag for deployed release youtube-player 5.5.0
agglag({debug 2.6.9, ms 2.0.0}) = max(4 days, 198 days) = 198 days
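The framework F = (C, L, ideal, delta, agg) and the debug/ms calculation above, as an added JavaScript example that is not part of the original slides. The helper names (makeFramework, release, upstream, best) belong to this example only, and "libfoo" is a hypothetical package with constructed dates and vulnerability counts, used to instantiate the slides' vulnerability-based lag (ideal = least vulnerable release; delta = #vulnerabilities).

```javascript
// Added example (not from the slides): the framework F = (C, L, ideal, delta, agg).
const DAY_MS = 24 * 60 * 60 * 1000;

// C: component releases. The debug and ms dates are the ones quoted on the slides.
// "libfoo" is hypothetical; its dates and vulnerability counts are constructed.
const RELEASES = [
  { name: "debug", version: "2.6.9", date: "2017-09-22" },
  { name: "debug", version: "3.1.0", date: "2017-09-26" },
  { name: "ms", version: "2.0.0", date: "2017-05-16" },
  { name: "ms", version: "2.1.1", date: "2017-11-30" },
  { name: "libfoo", version: "1.1.0", date: "2019-01-10", vulns: 2 },
  { name: "libfoo", version: "1.2.0", date: "2019-03-05", vulns: 1 },
  { name: "libfoo", version: "2.0.0", date: "2019-06-20", vulns: 3 },
];

// Look up a deployed release; an unknown release is an error, not "zero lag".
function release(name, version) {
  const r = RELEASES.find((x) => x.name === name && x.version === version);
  if (!r) throw new Error(`unknown release ${name} ${version}`);
  return r;
}

// All upstream releases of the same package as c.
const upstream = (c) => RELEASES.filter((x) => x.name === c.name);

// Pick the best element under a comparator (cmp(a, b) < 0 means a is better).
const best = (items, cmp) => items.reduce((a, b) => (cmp(b, a) < 0 ? b : a));

// Build techlag_F and aggLag_F from the three functions of a framework.
function makeFramework({ ideal, delta, agg }) {
  const techLag = (c) => delta(c, ideal(c));
  const aggLag = (D) => agg(D.map(techLag));
  return { ideal, techLag, aggLag };
}

// Later release date ranks better.
const byDateDesc = (a, b) => Date.parse(b.date) - Date.parse(a.date);

// Time-based lag: ideal = most recent release, delta = days, agg = max.
const timeLag = makeFramework({
  ideal: (c) => best(upstream(c), byDateDesc),
  delta: (c, i) => Math.round((Date.parse(i.date) - Date.parse(c.date)) / DAY_MS),
  agg: (lags) => (lags.length ? Math.max(...lags) : 0),
});

// Missing vulnerability data must not be read as "0 known vulnerabilities".
function vulnCount(r) {
  if (!Number.isInteger(r.vulns)) {
    throw new Error(`no vulnerability data for ${r.name} ${r.version}`);
  }
  return r.vulns;
}

// Vulnerability-based lag: ideal = least vulnerable release (ties: most recent),
// delta = difference in known vulnerabilities, agg = sum.
const vulnLag = makeFramework({
  ideal: (c) =>
    best(upstream(c), (a, b) => vulnCount(a) - vulnCount(b) || byDateDesc(a, b)),
  delta: (c, i) => vulnCount(c) - vulnCount(i),
  agg: (lags) => lags.reduce((sum, x) => sum + x, 0),
});

// Reproduce the slide numbers and contrast the two dimensions on libfoo.
function summary() {
  const D = [release("debug", "2.6.9"), release("ms", "2.0.0")];
  const foo = release("libfoo", "2.0.0");
  return {
    perComponentDays: D.map((c) => timeLag.techLag(c)),
    aggregatedDays: timeLag.aggLag(D),
    libfooTimeLagDays: timeLag.techLag(foo),
    libfooVulnIdeal: vulnLag.ideal(foo).version,
    libfooVulnLag: vulnLag.techLag(foo),
  };
}

console.log(summary());
```

For the constructed libfoo 2.0.0 the time lag and the vulnerability lag disagree, because the most recent release is not the least vulnerable one: the "ideal" release depends on the dimension being measured.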
Tool support
Example: david-dm.org
Case study 2: Technical lag in
Debian-based Docker containers
A. Zerouali, T. Mens, G. Robles, J. Gonzalez-Barahona (2019). On the relation between
outdated Docker containers, security vulnerabilities, and bugs. IEEE Int’l Conf. SANER
Important issues faced when deploying Docker containers:
• Security vulnerabilities
• Dependence on external software packages
• Presence of bugs in third-party software
• Outdated third-party software
Technical Lag in
Debian-based Docker containers
[Figure: Docker container C (the deployed container) with an included Debian package release, shown against the upstream releases of the Debian package (1.0.1, 1.1.0, 2.0.0, 1.2.1, 2.1.0), one of which is the « ideal » release]
Technical lag
• ∆ versions (freshness)
• ∆ vulnerabilities (security)
• ∆ bugs (stability)
Tool support
Example: snyk container
Summary
Technical Lag is a very useful generic measure for assessing the extent to which deployed
software is outdated w.r.t. upstream releases.
• Different ways to measure (time, version, bugs, vulnerabilities, …)
and aggregate (max, sum, …) technical lag
• It can be operationalized in different contexts (package dependency management,
container deployment, …)
Suggestion:
• Include this measure as part of the CHAOSS Metrics and Tooling
Open Challenges:
• How to measure effort required to update?
• How to combine multiple dimensions of technical lag?
• How to assess whether updates do not cause breaking changes?
New proposed CHAOSS project metrics
• Dependencies
• Number of / List of; Direct or transitive
• Dependency depth
• Outdated dependencies
• List of / Number of / Ratio of
• Vulnerable dependencies
• List of / Number of / Ratio of
• Dependents (i.e. reverse dependencies)
• Number of / List of; Direct or transitive
• Dependency lag
• aggregated dependency-based technical lag of a project
• Deployment lag
• Aggregated lag of set of deployed components w.r.t. upstream
SoHeal, May 2020 http://soheal.github.io
3rd Int’l ICSE Workshop on Software Health
What?
• Focus on the health of software projects, communities and ecosystems
• Discuss about technical, social, legal and business aspects related to
project effectiveness, success, longevity, growth, resilience, survival,
diversity, sustainability, popularity, inclusiveness, ...
Who?
• Open Source Community Members, Industry and Academia
Why?
• Raise awareness on software health
• Present tools, methods, practical experiences
• Advance body of knowledge on software health
Seoul, South Korea – May 2020
@iw_soheal
SoHeal 2020 http://soheal.github.io/cft.html
Extended call for submissions
Are you involved in software projects or ecosystems,
and have something to say about software health?
Submit a short paper or talk proposal on
• Open source and industrial experiences from individual, team or community level
• Relation between software health and social, technical, legal, process
and business aspects
• Tools, dashboards and models to enable, assess, predict and
recommend software health
• Guidelines and lessons learned
Submission deadline: Friday, February 7, 2019

 
Zoology 4th semester series (krishna).pdf
Zoology 4th semester series (krishna).pdfZoology 4th semester series (krishna).pdf
Zoology 4th semester series (krishna).pdf
 
Animal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxAnimal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptx
 
Botany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdfBotany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdf
 
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral AnalysisRaman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
 
Biological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdfBiological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdf
 
GBSN - Microbiology (Unit 1)
GBSN - Microbiology (Unit 1)GBSN - Microbiology (Unit 1)
GBSN - Microbiology (Unit 1)
 
DIFFERENCE IN BACK CROSS AND TEST CROSS
DIFFERENCE IN  BACK CROSS AND TEST CROSSDIFFERENCE IN  BACK CROSS AND TEST CROSS
DIFFERENCE IN BACK CROSS AND TEST CROSS
 
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
 

Measuring Technical Lag in Software Deployments (CHAOSScon 2020)

  • 1. chaoss.community @tom_mens Dr. Tom Mens Dr. Ahmed Zerouali Software Engineering Lab University of Mons tom.mens@umons.ac.be
  • 3. Focus: Which measures can help software developers and deployers to decide when and why they should update?
  • 5. Online survey: What would be the most appropriate (i.e., ideal) version of a software library to depend on? 17 respondents, highly educated, with an average of 3 years of development experience. Responses: most stable (14), latest available (9), most documented (7), most secure (5).
  • 6. Idea: Technical Lag. “The increasing difference between deployed software packages and the ideal available upstream packages.” Ideal: stability, security, functionality, recency, etc. Difference: time, version updates, bugs, vulnerabilities, features, … Source: J. Gonzalez-Barahona, P. Sherwood, G. Robles, D. Izquierdo (2017) "Technical lag in software compilations: Measuring how outdated a software deployment is.” IFIP International Conference on Open Source Systems. Springer
  • 7. Importance of Technical Lag. Semi-structured interviews (2019): 5 highly educated software practitioners with an average of 10 years of experience. Technical Lag is important, especially if we mix between the benefits of updating and the effort required to do that.
  • 8. Measuring Technical Lag: ∆ version, ∆ time, ∆ bugs, ∆ vulnerabilities
  • 9. Measuring Technical Lag. A technical lag framework F is a tuple (C, L, ideal, delta, agg) with: C, a set of component releases; L, a set of possible lag values; ideal: C → C, which computes the “ideal” (upstream) component release for a given (deployed) release; delta: C × C → L, which computes the difference between two component releases; agg: 2^L → L, which aggregates the results of a set of lags. Source: A formal framework for measuring technical lag in component repositories – and its application to npm. A. Zerouali, T. Mens, J. Gonzalez-Barahona, A. Decan, E. Constantinou, G. Robles. Wiley Journal on Software Evolution and Process, 2019
  • 10. Measuring Technical Lag. Given a technical lag framework F, we define techlag_F(c) = delta(c, ideal(c)) for any deployed component c, and aggLag_F(D) = agg({techlag_F(c) | c in D}) for any set of deployed components D.
  • 11. Technical Lag - Example. Time-based measurement of technical lag (ideal = most recent release; delta = time difference). [Figure: release timeline 1.0.1, 1.1.0, 1.2.0, 2.0.0, 2.0.1, marking the deployed package and the upstream package.] Time lag: date(2.0.1) - date(1.1.0)
  • 12. Technical Lag - Example. Version-based measurement of technical lag (ideal = highest release; delta = version difference). [Figure: release timeline 1.0.1, 1.1.0, 1.2.0, 2.0.0, 2.0.1, marking the deployed package, the upstream package, 1 major and 1 patch.] Version lag: 1 major + 1 patch
  • 13. Technical Lag - Example. Vulnerability-based measurement of technical lag (ideal = least vulnerable release; delta = #vulnerabilities). [Figure: release timeline 1.0.1, 1.1.0, 1.2.0, 2.0.0, 2.0.1, marking the deployed package and the upstream package.] Security lag: 1 vulnerability fix behind
  • 14. Technical Lag - Example. Bug-based measurement of technical lag (ideal = least known bugs; delta = #known bugs). [Figure: release timeline 1.0.1, 1.1.0, 1.2.0, 2.0.0, 2.0.1, marking the deployed package and the upstream package.] Dependency needs to be downgraded to be able to use most stable version… Bug lag: 1 more bug than most stable version
  • 15. Case study 1: Technical lag in npm distribution of JavaScript packages (+20M dependencies). Credits: https://exploring-data.com/vis/npm-packages-dependencies/ Source: A. Decan, T. Mens, E. Constantinou (2018) On the evolution of technical lag in the npm package dependency network. IEEE Int’l Conf. Software Maintenance and Evolution
  • 18. Technical Lag – Example. Time-based technical lag for deployed release debug 2.6.9: ideal(debug 2.6.9) = debug 3.1.0; timeLag(debug 2.6.9) = 26-09-2017 - 22-09-2017 = 4 days; versionLag(debug 2.6.9) = 1 major + 1 minor + 1 patch
  • 19. Technical Lag – Example. Time-based technical lag for deployed release ms 2.0.0: ideal(ms 2.0.0) = ms 2.1.1; timeLag(ms 2.0.0) = 30-11-2017 - 16-05-2017 = 198 days; versionLag(ms 2.0.0) = 1 minor + 1 patch
  • 20. Technical Lag – Example. Aggregated transitive time lag for deployed release youtube-player 5.5.0: agglag({debug 2.6.9, ms 2.0.0}) = max(4 days, 198 days) = 198 days
  • 22. Case study 2: Technical lag in Debian-based Docker containers. Source: A. Zerouali, T. Mens, G. Robles, J. Gonzalez-Barahona (2019). On the relation between outdated Docker containers, security vulnerabilities, and bugs. IEEE Int’l Conf. SANER
  • 23. Case study 2: Technical lag in Debian-based Docker containers. Important issues faced when deploying Docker containers: security vulnerabilities; dependence on external software packages; presence of bugs in third-party software; outdated third-party software
  • 24. Technical Lag in Debian-based Docker containers. [Figure: Docker container C with an included Debian package release, shown against the upstream releases of the Debian package 1.0.1, 1.1.0, 1.2.1, 2.0.0, 2.1.0, marking the deployed container and the « ideal » release.] Technical lag: ∆ versions (freshness), ∆ vulnerabilities (security), ∆ bugs (stability)
  • 26. Summary. Technical Lag is a very useful generic measure for assessing to which extent deployed software is outdated w.r.t. upstream releases. There are different ways to measure (time, version, bugs, vulnerabilities, …) and aggregate (max, sum, …) technical lag. It can be operationalized in different contexts (package dependency management, container deployment, …). Suggestion: include this measure as part of the CHAOSS Metrics and Tooling. Open Challenges: How to measure effort required to update? How to combine multiple dimensions of technical lag? How to assess whether updates do not cause breaking changes?
  • 27. New proposed CHAOSS project metrics. Dependencies: number of / list of; direct or transitive; dependency depth. Outdated dependencies: list of / number of / ratio of. Vulnerable dependencies: list of / number of / ratio of. Dependents (i.e. reverse dependencies): number of / list of; direct or transitive. Dependency lag: aggregated dependency-based technical lag of a project. Deployment lag: aggregated lag of set of deployed components w.r.t. upstream
  • 28. SoHeal, May 2020, http://soheal.github.io. 3rd Int’l ICSE Workshop on Software Health. What? Focus on the health of software projects, communities and ecosystems; discuss technical, social, legal and business aspects related to project effectiveness, success, longevity, growth, resilience, survival, diversity, sustainability, popularity, inclusiveness, ... Who? Open Source Community Members, Industry and Academia. Why? Raise awareness on software health; present tools, methods, practical experiences; advance body of knowledge on software health. Seoul, South Korea – May 2020. @iw_soheal
  • 29. SoHeal 2020, http://soheal.github.io/cft.html. Extended call for submissions. Are you involved in software projects or ecosystems, and have something to say about software health? Submit a short paper or talk proposal on: open source and industrial experiences from individual, team or community level; relation between software health and social, technical, legal, process and business aspects; tools, dashboards and models to enable, assess, predict and recommend software health; guidelines and lessons learned. Submission deadline: Friday, February 7, 2019
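
The framework tuple (C, L, ideal, delta, agg) from slides 9 and 10, instantiated for the time-based and version-based lags of slides 18 to 20, as an added example that is not code from the talk or its authors. The intermediate releases and their dates, the choice of `max` to aggregate version lag, and all function names are assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Callable, Generic, Iterable, TypeVar

Lag = TypeVar("Lag")  # the set L of possible lag values


@dataclass(frozen=True)
class Release:  # one element of C, the set of component releases
    package: str
    version: tuple
    released: date


def rel(package: str, version: str, released: str) -> Release:
    major, minor, patch = (int(p) for p in version.split("."))
    return Release(package, (major, minor, patch), date.fromisoformat(released))


# Upstream catalogue. The endpoint versions and dates are the ones on the
# slides; entries marked "constructed" are sample data added so that the
# version lag has intermediate steps to count.
UPSTREAM = [
    rel("debug", "2.6.9", "2017-09-22"),
    rel("debug", "3.0.0", "2017-09-23"),  # constructed
    rel("debug", "3.0.1", "2017-09-24"),  # constructed
    rel("debug", "3.1.0", "2017-09-26"),
    rel("ms", "2.0.0", "2017-05-16"),
    rel("ms", "2.1.0", "2017-11-29"),  # constructed
    rel("ms", "2.1.1", "2017-11-30"),
]


def releases_of(package: str) -> list:
    return sorted((r for r in UPSTREAM if r.package == package), key=lambda r: r.version)


def find(package: str, version: str) -> Release:
    wanted = tuple(int(p) for p in version.split("."))
    return next(r for r in releases_of(package) if r.version == wanted)


def highest_release(c: Release) -> Release:  # ideal: C -> C
    return releases_of(c.package)[-1]


def time_delta(c: Release, ideal: Release) -> int:  # delta: C x C -> days
    return (ideal.released - c.released).days


def version_delta(c: Release, ideal: Release) -> tuple:
    """Count missed releases by the kind of version bump each one introduces."""
    counts = {"major": 0, "minor": 0, "patch": 0}
    prev = c.version
    for r in releases_of(c.package):
        if c.version < r.version <= ideal.version:
            kind = ("major" if r.version[0] != prev[0]
                    else "minor" if r.version[1] != prev[1] else "patch")
            counts[kind] += 1
            prev = r.version
    return (counts["major"], counts["minor"], counts["patch"])


@dataclass(frozen=True)
class LagFramework(Generic[Lag]):
    ideal: Callable[[Release], Release]
    delta: Callable[[Release, Release], Lag]
    agg: Callable[[Iterable[Lag]], Lag]

    def techlag(self, c: Release) -> Lag:  # techlag_F(c) = delta(c, ideal(c))
        return self.delta(c, self.ideal(c))

    def agglag(self, deployed: Iterable[Release]) -> Lag:  # aggLag_F(D)
        return self.agg(self.techlag(c) for c in deployed)


TIME_LAG = LagFramework(ideal=highest_release, delta=time_delta, agg=max)
# Assumption: version lags are aggregated with a lexicographic max (major first).
VERSION_LAG = LagFramework(ideal=highest_release, delta=version_delta, agg=max)
```

Swapping `ideal`, `delta` or `agg` gives the other instantiations the slides mention (bugs, vulnerabilities, sum instead of max) without touching `LagFramework`.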

Editor's notes

  1. So the goal and the focus of this thesis was to answer the following question: [read slide]
  2. We performed semi-structured interviews with 5 software practitioners during the event of FOSDEM in Brussels. In these interviews, we explained the technical lag and asked the interviewees about their opinion regarding the technical lag. We found that throughout the interviews, the importance of technical lag was stressed. However, participants acknowledged that a mix between what is missing (i.e., benefits) and the effort (i.e., cost) needed to update would be even better than only knowing what is missing. The benefits here can refer to many things, like a new feature, a bug fix, or a vulnerability fix, etc. So the notion of ideal is related to what we want to have as benefits, and since there are many benefits, there should be many ideals also.
  3. So, since the ideal of a version is not a specific version with some specific characteristic, and since the difference between the ideal and the deployed software isn't also a specific metric, we needed to create an extensible framework that supports all these variants. Moreover, we needed a framework that should not only support one deployed software component, but it should support a set of deployed components, since in most of the cases, a deployed software will come with its dependencies.
  4. So indeed, we presented a technical lag framework as a tuple of: [read slide]
  6. In other words, to compute the technical lag or the time lag for the time-based instantiation, we use the difference in days between the release dates of the deployed version and the ideal version.
  7. and then to compute the technical lag in terms of missing updates, we compute how many versions are between the deployed and the ideal versions while checking their version type. For example here, from here to here the minor version number changes,
  10. For example, in the case of npm packages, to specify a dependency, developers need to put a dependency constraint that refers to the range of allowed versions to be installed. Let’s take a concrete example of the youtube-player npm package. In the figure, we can see that this package makes use of three dependencies. However, to specify which versions of these packages to use, the package youtube-player makes use of dependency constraints. So in many cases, the use of these constraints can lead to the use of an outdated or not ideal package version.
  11. Concrete example: here, the version 5.5.0 of the youtube-player package makes use of three direct dependencies (...), using different dependency constraints. While the debug package version makes use of the ms package using the constraint 2.0.0, this dependency here is considered as a transitive dependency for the youtube-player package version. Because of the use of these constraints, the debug and ms dependencies could not be installed with the latest available version at the release date of the youtube-player package, and thus they were inducing a technical lag. So while this situation is not necessarily a problem, it can sometimes come with issues. For example, if the outdated package version here was suffering from a bug or vulnerability, then this bug will propagate and debug will suffer from it and also youtube-player will suffer from it.
  15. So, as a conclusion statement: the technical lag framework, the actionable results and the tools developed in this thesis can be used to help open source software developers and deployers to keep their software in a healthy shape.
  16. So, starting with the first case, we focused on images that are based on Debian, and to compute the technical lag, we relied on the same standards, which is the ideal version and then the difference between the used and ideal version. In this case analysis, we considered three different ideal versions. For developers interested in freshness, we considered the latest available version as the ideal version. For developers interested in security, we considered the most secure software version as the ideal version, and for developers interested in stability, we considered the most stable software version as the ideal version, and so to compute the technical lag, we relied respectively on three measurement units.