Tom Mens, University of Mons, Belgium
On the health of the npm packaging ecosystem
Guidelines and lessons learned based on historical software data analytics
Tom Mens, Software Engineering Lab, tom.mens@umons.ac.be, @tom_mens
T. Mens, E. Constantinou, A. Decan
Research Context
• Today over 80% of all software in any technology product or service is open source software (OSS).
• CHAOSS focuses on creating analytics and metrics to help define OSS community health. https://chaoss.community
"The CHAOSS community is developing metrics, methodologies, and software for expressing open source project health and sustainability. By doing so, CHAOSS seeks to improve the transparency of open source project health and sustainability so that relevant stakeholders can make more informed decisions about open source project engagement."
www.secohealth.org (@secohealth): Bilateral Research Project Wallonia-Canada 2017-2019
seco-assist.github.io (@seco-assist): "Excellence of Science" Research Project 2018-2021
Software Ecosystem Health Issues
Technical:
• Dependency problems
• Unmaintained or outdated libraries
• Security vulnerabilities
• Bugs
• Technical debt
• Incompatible software licenses
• ...
Social:
• Contributor abandonment / bus factor
• Lack of communication / interaction
• Insufficient social diversity
• Social conflicts
• Cultural differences
• ...
Motivation: leftpad
Motivation: dependency hell
Most packages depend on another one (~60% in April 2016).
Motivation: micropackages
Motivation: breaking changes
Motivation: security vulnerabilities
Equifax security exploit in 2017
“attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn’t.”
Wired Magazine, “Equifax Has No Excuse”, September 2017
“Patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don’t break key functions on the site.”
Ars Technica, “Failure to patch two-month-old bug led to massive Equifax breach”, September 2017
Understanding npm through Big Data Analytics
npm = software package manager for JavaScript since 2010
In 2017:
• 3.5TB of storage required for hosting 500K packages
• 2.3 million opened GitHub pull requests for JavaScript repositories
We analysed:
• ~462 thousand packages
• ~3 million package releases
• ~13.6 million (runtime) package dependencies
Ecosystems grow rapidly
For npm: exponential growth of
• #packages
• #package updates
• #dependencies
(Figures: # new packages per trimester; # package updates per trimester; total # package dependencies)
Package updates can be the cause of many maintainability issues or even failures in dependent packages!
Issues in packages may have high transitive impact
(Figures: average dependency depth for top-level packages; proportional dependency depth for top-level packages)
Many "top-level" packages have a high number of indirect (transitive) dependencies.
March 2016: the unexpected removal of left-pad caused > 2% of all packages to break (> 5,400 packages).
(Figure: number of packages that are transitively required by at least 5% of all packages)
Lesson learned: be wary of transitive dependencies!
• Developers are often unaware of transitive dependencies
• It just takes one such transitive package to break or compromise your software!
Monitoring tools may help to detect and address such dependency issues.
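The transitive-impact analysis behind the left-pad slide, as an added JavaScript example that is not part of the talk or of the authors' tooling: it walks a constructed runtime-dependency graph (all package names except left-pad are made up), reports how many indirect dependencies a top-level package really has, and computes the "blast radius" of a single package, i.e. the share of the ecosystem that would break if it were removed. The graph deliberately contains a cycle, which npm allows, so the traversal is iterative and tracks visited nodes.

```javascript
// Added example (not from the slides): transitive dependencies and the
// blast radius of one package over a constructed dependency graph.
// Constructed graph: package name -> direct runtime dependencies.
// "html-escape" -> "template-engine" -> "html-escape" forms a cycle on purpose.
const GRAPH = {
  "my-app":          ["web-framework", "cli-colors"],
  "web-framework":   ["http-utils", "template-engine"],
  "http-utils":      ["string-pad"],
  "template-engine": ["string-pad", "html-escape"],
  "html-escape":     ["template-engine"],
  "cli-colors":      [],
  "string-pad":      ["left-pad"],
  "left-pad":        [],
  "unrelated":       ["cli-colors"],
};

// Every package reachable from `pkg` (excluding itself), mapped to the
// shortest dependency depth at which it is reached. Breadth-first with a
// visited set, so cycles terminate instead of recursing forever.
function transitiveDependencies(graph, pkg) {
  const depth = new Map();
  const seen = new Set([pkg]);
  const queue = [[pkg, 0]];
  while (queue.length > 0) {
    const [name, d] = queue.shift();
    for (const dep of graph[name] || []) {
      if (seen.has(dep)) continue;
      seen.add(dep);
      depth.set(dep, d + 1);
      queue.push([dep, d + 1]);
    }
  }
  return depth;
}

// Maximum dependency depth of a package (0 when it depends on nothing).
function dependencyDepth(graph, pkg) {
  let max = 0;
  for (const d of transitiveDependencies(graph, pkg).values()) max = Math.max(max, d);
  return max;
}

// Reverse view: every package that directly or transitively requires `pkg`.
// Removing `pkg` from the registry breaks every package in this set.
function dependents(graph, pkg) {
  const result = new Set();
  for (const name of Object.keys(graph)) {
    if (name !== pkg && transitiveDependencies(graph, name).has(pkg)) result.add(name);
  }
  return result;
}

// Share of all packages in the graph that transitively require `pkg`.
function impactRatio(graph, pkg) {
  return dependents(graph, pkg).size / Object.keys(graph).length;
}

// Packages required (transitively) by at least `threshold` of all packages:
// the ones a maintainer should treat as critical infrastructure.
function criticalPackages(graph, threshold) {
  return Object.keys(graph).filter((p) => impactRatio(graph, p) >= threshold).sort();
}

// Summary for the top-level package: 2 direct dependencies, 7 transitive ones.
const deps = transitiveDependencies(GRAPH, "my-app");
console.log(`my-app: ${GRAPH["my-app"].length} direct, ${deps.size} transitive, depth ${dependencyDepth(GRAPH, "my-app")}`);
console.log(`removing left-pad breaks: ${[...dependents(GRAPH, "left-pad")].sort().join(", ")}`);
console.log(`required by >= 50% of packages: ${criticalPackages(GRAPH, 0.5).join(", ")}`);
```

In this toy graph my-app lists only two dependencies in its manifest but pulls in seven packages, and a four-level-deep, single-purpose package (left-pad) is required by two thirds of the graph. A dependency monitoring tool does the same reverse lookup over the real registry data to flag the packages whose removal, compromise or unfixed vulnerability would propagate furthest.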
Security vulnerabilities
• When are vulnerabilities discovered in npm?
• When are vulnerabilities fixed in npm?
• When do dependent packages adopt a fixed release?
SOURCE: A. Decan, T. Mens, E. Constantinou (2018), "On the impact of security vulnerabilities in the npm package dependency network", IEEE Int'l Conf. Mining Software Repositories
"37% of websites include a JavaScript library with a known open source vulnerability."
T. Lauinger et al., "Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web", NDSS 2017.
Vulnerability lifecycle over time: vulnerability introduction → vulnerability discovery → vulnerability publication → vulnerability fixed
When are vulnerabilities discovered in npm?
>40% of all vulnerabilities are not discovered even 2 years after their introduction, regardless of their severity.
It takes a long time to discover vulnerabilities, regardless of their severity.
When are vulnerabilities fixed in npm?
Most vulnerabilities are fixed quickly, and before becoming public.
1 out of 5 take more than a year to be fixed: unmaintained packages that should be deprecated.
When do dependent packages adopt a fixed release?
1 out of 3 dependents never update their dependency on a vulnerable package. Possible reasons:
• Improper or too restrictive use of dependency constraints
• Dependent package is no longer actively maintained
• Maintainers of dependent packages are unaware of the vulnerability or the fix
• Fixed package version is incompatible
Technical Lag (a.k.a. dependency freshness)
Goal
• Study, at an ecosystem level, how outdated npm software packages are with respect to their upstream dependencies.
• Study to which extent semantic versioning is respected.
SOURCE: A. Decan, T. Mens, E. Constantinou (2018), "On the evolution of technical lag in the npm package dependency network", IEEE Int'l Conf. Software Maintenance and Evolution
Technical lag is caused by dependency constraints preventing the use of a more recent package version.
Technical Lag: main findings
• 1 out of 4 package dependencies suffers from technical lag
• 1 out of 4 package releases has a technical lag of more than 9 months
• Minor and patch updates tend to increase technical lag, even though they are supposed to be backward compatible
• Major updates tend to reduce technical lag
Technical Lag: actionable results
• Appropriate use of version constraints could reduce technical lag in 17% of all releases
• Dependency monitoring tools should inform developers of technical lag and help to reduce it.
• Package maintainers should help dependent packages to upgrade to new releases as easily as possible.
• Package maintainers should backport important bug and security fixes to earlier major releases.
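The two mechanisms above, a dependency constraint locking a dependent out of a fixed release and the same constraint inducing technical lag, share one computation: resolve the constraint against the release history and compare with the latest release. The following JavaScript is an added example, not code from the talk or from the authors' analysis pipeline. It implements a minimal matcher for exact, tilde (~) and caret (^) constraints (no pre-release tags, no compound ranges, and no dependency on the real `semver` package, all of which are simplifying assumptions), and the package "http-utils" with its release dates is constructed for illustration.

```javascript
// Added example (not from the slides): technical lag and fix reachability
// under a dependency constraint, with a minimal semver range matcher.
// Constructed release history of a hypothetical package "http-utils".
const RELEASES = [
  { version: "1.2.0", date: "2017-01-10" },
  { version: "1.2.1", date: "2017-02-03" },
  { version: "1.3.0", date: "2017-05-20" },
  { version: "1.3.2", date: "2017-08-14" }, // assume the security fix lands here
  { version: "2.0.0", date: "2017-11-01" },
  { version: "2.1.0", date: "2018-03-15" },
];

function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

// Negative, zero or positive like a comparator; assumes plain x.y.z strings.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  return (x.major - y.major) || (x.minor - y.minor) || (x.patch - y.patch);
}

// Inclusive lower bound and exclusive upper bound implied by a constraint.
function rangeOf(constraint) {
  const op = constraint[0];
  const base = op === "^" || op === "~" ? constraint.slice(1) : constraint;
  const { major, minor, patch } = parseVersion(base);
  if (op === "~") return { low: base, high: `${major}.${minor + 1}.0` };   // patch updates only
  if (op === "^") {
    if (major === 0) return { low: base, high: `0.${minor + 1}.0` };         // npm caret rule for 0.x
    return { low: base, high: `${major + 1}.0.0` };                          // minor + patch updates
  }
  return { low: base, high: `${major}.${minor}.${patch + 1}` };              // exact pin
}

function satisfies(version, constraint) {
  const { low, high } = rangeOf(constraint);
  return compareVersions(version, low) >= 0 && compareVersions(version, high) < 0;
}

// Highest release the constraint allows, i.e. what a fresh install picks;
// null when nothing matches.
function resolve(releases, constraint) {
  const allowed = releases.filter((r) => satisfies(r.version, constraint));
  if (allowed.length === 0) return null;
  return allowed.reduce((best, r) => (compareVersions(r.version, best.version) > 0 ? r : best));
}

function latest(releases) {
  return releases.reduce((best, r) => (compareVersions(r.version, best.version) > 0 ? r : best));
}

// Technical lag of a constraint: which kind of update the resolvable release
// misses relative to the latest one, and the delay in days between the two.
function technicalLag(releases, constraint) {
  const used = resolve(releases, constraint);
  if (!used) return null;
  const newest = latest(releases);
  const u = parseVersion(used.version), n = parseVersion(newest.version);
  let kind = "none";
  if (n.major > u.major) kind = "major";
  else if (n.minor > u.minor) kind = "minor";
  else if (n.patch > u.patch) kind = "patch";
  const days = Math.round((Date.parse(newest.date) - Date.parse(used.date)) / 86400000);
  return { resolved: used.version, latest: newest.version, kind, days };
}

// Would a dependent with this constraint receive `fixedVersion` (or newer)
// on a fresh install, or does the constraint lock it out of the fix?
function fixReachable(releases, constraint, fixedVersion) {
  const r = resolve(releases, constraint);
  return r !== null && compareVersions(r.version, fixedVersion) >= 0;
}

for (const c of ["1.2.1", "~1.2.0", "^1.2.0", "^2.0.0"]) {
  const lag = technicalLag(RELEASES, c);
  console.log(`${c.padEnd(7)} resolves ${lag.resolved}, lag ${lag.kind} / ${lag.days} days, fix 1.3.2 reachable: ${fixReachable(RELEASES, c, "1.3.2")}`);
}
```

With the same release history, the pinned constraint and the tilde constraint both resolve to 1.2.1, sit 405 days behind the newest release and never see the 1.3.2 fix; the caret constraint picks up the fix automatically and cuts the lag to 213 days, with the remaining lag being the major bump to 2.x that a caret constraint is designed to hold back until the dependent migrates. Running this over every dependency in a lock file is the check a monitoring tool performs to report lag and unreachable fixes.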
Guidelines and lessons learned
Be prudent!
• Only add a dependency if it is really needed
• Avoid too many (transitive) dependencies
• Avoid adding dependencies to problematic packages
  • too high technical lag
  • security vulnerabilities
  • unmaintained or deprecated packages
Be agile!
• Detect and fix vulnerabilities early
• Embrace semantic versioning
• Use (transitive) dependency monitoring tools to review your dependencies regularly
• Integrate these tools in your Continuous Integration process
Be communicative!
• Inform your dependents about
  • incompatible upgrades: by adhering to semantic versioning
  • planned updates
  • deprecated features
• Help your dependents to upgrade more easily
  • Provide (automated) migration guidelines
  • Provide alpha/beta releases
  • Test your changes on dependents before releasing updates
SoHeal 2019: 2nd International ICSE Workshop on Software Health
Montreal, Canada, 28 May 2019
• Position papers: 1 February 2019
• Industry/practitioner talk proposals: 15 February 2019
https://soheal.github.io, @iw_soheal
What? Software Health encompasses many socio-technical aspects: success, longevity, growth, resilience, survival, diversity, sustainability, popularity, inclusiveness ...
Why?
• Raise awareness of software health
• Present tools, methods, practical experiences, ...
• Advance the body of knowledge on software health.
Who? Open Source Community Members, Industry and Academia
Understanding and Improving Open Source Software Ecosystem Health
Nurturing the Software Ecosystems of the Future
 
Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?
 
On the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHubOn the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHub
 
On backporting practices in package dependency networks
On backporting practices in package dependency networksOn backporting practices in package dependency networks
On backporting practices in package dependency networks
 
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
 
Lost in Zero Space
Lost in Zero SpaceLost in Zero Space
Lost in Zero Space
 
Evaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesEvaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messages
 
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
 
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
 
SecoHealth 2019 Research Achievements
SecoHealth 2019 Research AchievementsSecoHealth 2019 Research Achievements
SecoHealth 2019 Research Achievements
 
SECO-Assist 2019 research seminar
SECO-Assist 2019 research seminarSECO-Assist 2019 research seminar
SECO-Assist 2019 research seminar
 
ConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker ContainersConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker Containers
 
On the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmOn the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npm
 
"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk
 
SoHeal 2018 Welcome Slides: First International Workshop on Software Health
SoHeal 2018 Welcome Slides: First International Workshop on Software HealthSoHeal 2018 Welcome Slides: First International Workshop on Software Health
SoHeal 2018 Welcome Slides: First International Workshop on Software Health
 

Kürzlich hochgeladen

DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 

Kürzlich hochgeladen (20)

DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 

Understanding and Improving Open Source Software Ecosystem Health

  • 1. On the health of the npm packaging ecosystem. Tom Mens, University of Mons, Belgium
  • 2. On the health of the packaging ecosystem: guidelines and lessons learned based on historical software data analytics. Tom Mens, Software Engineering Lab, tom.mens@umons.ac.be, @tom_mens. Work by T. Mens, E. Constantinou, A. Decan.
  • 3. Research Context
    • Today over 80% of all software in any technology product or service is open source software (OSS).
    • CHAOSS (https://chaoss.community) focuses on creating analytics and metrics to help define OSS community health: "The CHAOSS community is developing metrics, methodologies, and software for expressing open source project health and sustainability. By doing so, CHAOSS seeks to improve the transparency of open source project health and sustainability so that relevant stakeholders can make more informed decisions about open source project engagement."
  • 6. Software Ecosystem Health Issues
    • Technical: dependency problems; unmaintained or outdated libraries; security vulnerabilities; bugs; technical debt; incompatible software licenses; ...
    • Social: contributor abandonment / bus factor; lack of communication / interaction; insufficient social diversity; social conflicts; cultural differences; ...
  • 11. Motivation: dependency hell. Most packages depend on another one (~60% in April 2016).
  • 14. Motivation: Security vulnerabilities. Security exploit in 2017 (Equifax):
    “attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn’t.” (Wired Magazine, “Equifax Has No Excuse”, September 2017)
    “Patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don’t break key functions on the site.” (Ars Technica, “Failure to patch two-month-old bug led to massive Equifax breach”, September 2017)
  • 15. Understanding through Big Data Analytics. npm = software package manager for JavaScript since 2010. In 2017: 3.5 TB of storage required for hosting 500K packages; 2.3 million opened GitHub pull requests for JavaScript repositories. We analysed ~462 thousand packages, ~3 million package releases and ~13.6 million (runtime) package dependencies.
  • 16. Ecosystems grow rapidly. For npm: exponential growth of #packages, #package updates and #dependencies. [Charts: # new packages per trimester; # package updates per trimester; total # package dependencies]
  • 17. Ecosystems grow rapidly. Package updates can be the cause of many maintainability issues or even failures in dependent packages! [Same charts as slide 16]
  • 18. Issues in packages may have high transitive impact. Many "top-level" packages have a high number of indirect (transitive) dependencies. [Charts: average dependency depth for top-level packages; proportional dependency depth for top-level packages]
  • 19. Issues in packages may have high transitive impact. March 2016: the unexpected removal of left-pad caused > 2% of all packages to break (> 5,400 packages). [Chart: number of packages that are transitively required by at least 5% of all packages]
  • 20. Lesson learned: Be wary of transitive dependencies!
    • Developers are often unaware of transitive dependencies.
    • It just takes one such transitive package to break or compromise your software!
    • Monitoring tools may help to detect and address such dependency issues.
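The metric on slides 18 and 19 (how many packages a single package reaches transitively, and how deep top-level packages' dependency chains go) is easy to compute from a dependency graph. The following is an added example, not code from the slides or from the authors' tooling; the dependency graph and package names are constructed for illustration and do not correspond to real npm packages. It reverses the direct-dependency graph, walks it to count transitive dependents, flags packages that reach at least 5% of the network (the slide's threshold), and reports the dependency depth of the packages nothing depends on.

```javascript
// Added example, not from the slides: the "transitive impact" metric behind the
// left-pad slide. Given a direct-dependency graph, compute for each package how
// many packages require it directly or indirectly, flag those that reach at
// least 5% of the network, and report the dependency depth of top-level packages.
// The graph below is constructed for illustration; package names are made up.

// Direct runtime dependencies: package -> packages it requires.
const DEPS = {
  "app-a": ["web-kit", "cli-kit"],
  "app-b": ["web-kit"],
  "app-c": ["cli-kit", "tiny-util"],
  "app-d": ["fmt-lib"],
  "web-kit": ["fmt-lib"],
  "cli-kit": ["fmt-lib", "tiny-util"],
  "fmt-lib": ["pad-left"],
  "tiny-util": [],
  "pad-left": [],
};

// Invert the graph: package -> set of packages that require it directly.
function reverseGraph(deps) {
  const rev = {};
  for (const pkg of Object.keys(deps)) rev[pkg] = new Set();
  for (const [pkg, targets] of Object.entries(deps)) {
    for (const t of targets) {
      if (!rev[t]) rev[t] = new Set(); // target not declared as a key
      rev[t].add(pkg);
    }
  }
  return rev;
}

// Every package that requires `pkg` directly or transitively: breadth-first
// search over the reversed graph. The visited set also makes cycles harmless.
function transitiveDependents(rev, pkg) {
  const seen = new Set();
  const queue = [pkg];
  while (queue.length > 0) {
    const cur = queue.shift();
    for (const d of rev[cur] || []) {
      if (!seen.has(d)) {
        seen.add(d);
        queue.push(d);
      }
    }
  }
  return seen;
}

// Packages whose breakage or compromise would reach at least `threshold` of
// the network (the slide uses 5%), most impactful first.
function highImpactPackages(deps, threshold = 0.05) {
  const rev = reverseGraph(deps);
  const total = Object.keys(deps).length;
  const result = [];
  for (const pkg of Object.keys(deps)) {
    const n = transitiveDependents(rev, pkg).size;
    if (n / total >= threshold) result.push({ pkg, dependents: n, share: n / total });
  }
  return result.sort((a, b) => b.dependents - a.dependents);
}

// Length of the longest dependency chain below `pkg`. `path` holds the
// packages on the current DFS path so a cycle stops the recursion.
function dependencyDepth(deps, pkg, path = new Set()) {
  if (path.has(pkg)) return 0;
  path.add(pkg);
  let depth = 0;
  for (const d of deps[pkg] || []) {
    depth = Math.max(depth, 1 + dependencyDepth(deps, d, path));
  }
  path.delete(pkg);
  return depth;
}

// Top-level packages (nothing requires them) mapped to their dependency depth.
function topLevelDepths(deps) {
  const rev = reverseGraph(deps);
  const depths = {};
  for (const pkg of Object.keys(deps)) {
    if (rev[pkg].size === 0) depths[pkg] = dependencyDepth(deps, pkg);
  }
  return depths;
}

console.log("high-impact packages:", highImpactPackages(DEPS));
console.log("top-level dependency depth:", topLevelDepths(DEPS));
```

In the constructed graph, `pad-left` is two levels below every application yet is reached by 7 of the 9 packages, which is the left-pad situation in miniature: no application lists it directly, so a tool that only inspects direct dependencies (the point made in the editor's notes) would never surface it. On a real lockfile the same walk can be run over the resolved tree instead of declared ranges.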
  • 21. Security vulnerabilities
    • When are vulnerabilities discovered in npm?
    • When are vulnerabilities fixed in npm?
    • When do dependent packages adopt a fixed release?
    SOURCE: A. Decan, T. Mens, E. Constantinou (2018), "On the impact of security vulnerabilities in the npm package dependency network", IEEE Int'l Conf. Mining Software Repositories.
    "37% of websites include a JavaScript library with a known open source vulnerability." T. Lauinger et al., "Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web", NDSS 2017.
  • 23. When are vulnerabilities discovered in npm? It takes a long time to discover vulnerabilities, regardless of their severity: > 40% of all vulnerabilities are still not discovered 2 years after their introduction.
  • 25. When are vulnerabilities fixed in npm? Most vulnerabilities are fixed quickly, and before becoming public. 1 out of 5 take more than a year to be fixed, which points to unmaintained packages that should be deprecated.
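The discovery-time and fix-time findings on slides 23 and 25 come from survival analysis (the editor's notes say so explicitly): at any snapshot, some vulnerabilities are still undiscovered or unfixed, and those observations must be treated as censored rather than dropped or counted as "never". The following added example, not from the slides or from the MSR 2018 paper, implements the Kaplan-Meier estimator over a constructed set of vulnerability records (the ids, dates and snapshot are made up) and reads off the share still undiscovered after a given number of months; passing ("discovered", "fixed") instead of ("introduced", "discovered") to `toRecords` would yield the fix-time curve from the same code.

```javascript
// Added example, not from the slides or the MSR 2018 paper: a Kaplan-Meier
// survival estimate of the time until a vulnerability is discovered, the kind of
// analysis behind "after 24 months, 40% of all vulnerabilities are still not
// discovered". The records below are constructed for illustration. A null
// `discovered` date means the vulnerability was still unknown at the snapshot
// date: that record is right-censored, not "never discovered".

const SNAPSHOT = "2018-03-01";

const VULNS = [
  { id: "v1",  introduced: "2015-01-01", discovered: "2015-07-01" },
  { id: "v2",  introduced: "2015-01-01", discovered: "2016-01-01" },
  { id: "v3",  introduced: "2014-06-01", discovered: "2017-06-01" },
  { id: "v4",  introduced: "2016-09-01", discovered: null },
  { id: "v5",  introduced: "2015-03-01", discovered: "2015-06-01" },
  { id: "v6",  introduced: "2013-01-01", discovered: null },
  { id: "v7",  introduced: "2016-01-01", discovered: "2017-01-01" },
  { id: "v8",  introduced: "2017-06-01", discovered: null },
  { id: "v9",  introduced: "2014-01-01", discovered: "2016-07-01" },
  { id: "v10", introduced: "2017-01-01", discovered: "2017-11-01" },
];

// Whole months between two ISO dates (all constructed dates fall on the 1st).
function monthsBetween(fromIso, toIso) {
  const a = new Date(fromIso);
  const b = new Date(toIso);
  return (b.getUTCFullYear() - a.getUTCFullYear()) * 12 + (b.getUTCMonth() - a.getUTCMonth());
}

// One (time, event) observation per vulnerability. event=true: the end date is
// known; event=false: still open at the snapshot, so we only know the duration
// is at least `time` months. The field names are parameters so the same code
// gives the fix-time curve with ("discovered", "fixed").
function toRecords(vulns, startField, endField, snapshot) {
  return vulns.map((v) => {
    const end = v[endField];
    return end
      ? { time: monthsBetween(v[startField], end), event: true }
      : { time: monthsBetween(v[startField], snapshot), event: false };
  });
}

// Kaplan-Meier estimator. At each distinct event time t:
//   S(t) = S(t-) * (1 - d_t / n_t)
// where d_t = events at t and n_t = records still at risk (time >= t).
// Censored records stay in n_t until they leave; they never count as events.
function kaplanMeier(records) {
  const eventTimes = [...new Set(records.filter((r) => r.event).map((r) => r.time))]
    .sort((a, b) => a - b);
  let s = 1;
  const curve = [];
  for (const t of eventTimes) {
    const atRisk = records.filter((r) => r.time >= t).length;
    const events = records.filter((r) => r.event && r.time === t).length;
    s *= 1 - events / atRisk;
    curve.push({ time: t, survival: s });
  }
  return curve;
}

// Step-function lookup: S(t) is the value at the last event time <= t.
function survivalAt(curve, t) {
  let s = 1;
  for (const point of curve) {
    if (point.time > t) break;
    s = point.survival;
  }
  return s;
}

// Share of vulnerabilities still undiscovered `months` after introduction.
function undiscoveredShareAt(months) {
  const curve = kaplanMeier(toRecords(VULNS, "introduced", "discovered", SNAPSHOT));
  return survivalAt(curve, months);
}

for (const m of [6, 12, 24, 36]) {
  console.log(`S(${m} months) = ${undiscoveredShareAt(m).toFixed(3)}`);
}
```

With these ten constructed records, about 46% are still undiscovered at 24 months. Note the two ways of getting this wrong: dropping the three censored records would understate survival (it keeps only vulnerabilities that were found), while treating them as "never discovered" would overstate it; the estimator uses each censored record exactly for the interval it was known to be open. "Discovered" here is really the date an advisory became known, which is the only observable proxy.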
  • 26. When do dependent packages adopt a fixed release? 1 out of 3 dependents never update their dependency on a vulnerable package to a fixed release. Possible reasons:
    • improper or too restrictive use of dependency constraints
    • the dependent package is no longer actively maintained
    • maintainers of dependent packages are unaware of the vulnerability or the fix
    • the fixed package version is incompatible
  • 27. Technical Lag (a.k.a. dependency freshness). Goal: study, at an ecosystem level, how outdated npm software packages are with respect to their upstream dependencies, and study to which extent semantic versioning is respected. Technical lag is caused by dependency constraints preventing the use of a more recent package version. SOURCE: A. Decan, T. Mens, E. Constantinou (2018), "On the evolution of technical lag in the npm package dependency network", IEEE Int'l Conf. Software Maintenance and Evolution.
  • 28. Technical Lag: main findings
    • 1 out of 4 package dependencies suffers from technical lag
    • 1 out of 4 package releases has a technical lag of more than 9 months
    • Minor and patch updates tend to increase technical lag, even though they are supposed to be backward compatible
    • Major updates tend to reduce technical lag
  • 29. Technical Lag: actionable results
    • Appropriate use of version constraints could reduce technical lag in 17% of all releases
    • Dependency monitoring tools should inform developers of technical lag and help to reduce it
    • Package maintainers should help dependent packages to upgrade to new releases as easily as possible
    • Package maintainers should backport important bug and security fixes to earlier major releases
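Slides 26 to 29 rest on one mechanism: the dependency constraint decides which release an installer picks, and that choice determines both the technical lag and whether a dependent ever receives a security fix. The following added example, not from the slides or the papers they cite, is a minimal npm-style constraint evaluator (exact, `~`, `^`, `>=`, `*`) applied to a constructed release history and advisory for a made-up package. The lag definition used here (number of newer releases, and days the selected release trails the highest available one) is a simplification, not the paper's formal definition. It also shows why slide 29's backporting advice matters: a dependent pinned to the 1.x line only gets the fix because a 1.2.4 backport exists.

```javascript
// Added example, not from the slides or the papers they cite: a minimal npm-style
// version-constraint evaluator used to measure (1) the technical lag a dependency
// constraint causes and (2) whether the version the constraint resolves to carries
// a security fix. The release history and advisory below are constructed for a
// made-up package; the lag definition (newer releases, days behind the highest
// release) is a simplification, not the paper's formal one.

const RELEASES = [
  { version: "1.0.0", date: "2017-01-01" },
  { version: "1.1.0", date: "2017-03-01" },
  { version: "1.2.0", date: "2017-05-01" },
  { version: "1.2.3", date: "2017-06-01" },
  { version: "2.0.0", date: "2017-09-01" },
  { version: "2.0.1", date: "2017-10-01" }, // fix on the 2.x line
  { version: "1.2.4", date: "2017-11-01" }, // fix backported to the 1.x line
  { version: "2.1.0", date: "2018-01-01" },
];

// Constructed advisory: the first fixed release on each affected major line.
const ADVISORY = { fixedIn: ["1.2.4", "2.0.1"] };

const parseVersion = (v) => v.split(".").map(Number);

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Supports the constraint forms that matter for the argument: exact "1.2.3",
// "~1.2.3" (patch updates only), "^1.2.3" (no change to the leftmost non-zero
// component), ">=1.2.3" and "*". Prereleases and compound ranges are out of scope.
function satisfies(version, constraint) {
  if (constraint === "*") return true;
  const m = constraint.match(/^(\^|~|>=)?(\d+\.\d+\.\d+)$/);
  if (!m) throw new Error(`unsupported constraint: ${constraint}`);
  const [, prefix, base] = m;
  if (compareVersions(version, base) < 0) return false; // every form is bounded below by base
  if (!prefix) return compareVersions(version, base) === 0;
  if (prefix === ">=") return true;
  const [bM, bm, bp] = parseVersion(base);
  const [vM, vm, vp] = parseVersion(version);
  if (prefix === "~") return vM === bM && vm === bm; // ~1.2.3 := >=1.2.3 <1.3.0
  if (bM > 0) return vM === bM;                      // ^1.2.3 := >=1.2.3 <2.0.0
  if (bm > 0) return vM === 0 && vm === bm;          // ^0.2.3 := >=0.2.3 <0.3.0
  return vM === 0 && vm === 0 && vp === bp;          // ^0.0.3 := >=0.0.3 <0.0.4
}

// The release an installer would pick: the highest version allowed by the constraint.
function highestSatisfying(releases, constraint) {
  const allowed = releases.filter((r) => satisfies(r.version, constraint));
  allowed.sort((a, b) => compareVersions(b.version, a.version));
  return allowed[0] || null;
}

const MS_PER_DAY = 24 * 3600 * 1000;

// Technical lag of a dependency under `constraint`: how many releases are newer
// than the one selected, and how many days its release date trails the highest
// available release (clamped at 0, since a backport can postdate the highest version).
function technicalLag(releases, constraint) {
  const installed = highestSatisfying(releases, constraint);
  if (!installed) return null;
  const latest = highestSatisfying(releases, "*");
  const versionLag = releases.filter((r) => compareVersions(r.version, installed.version) > 0).length;
  const timeLagDays = Math.max(0, (new Date(latest.date) - new Date(installed.date)) / MS_PER_DAY);
  return { installed: installed.version, latest: latest.version, versionLag, timeLagDays };
}

// Does the selected release carry the fix? A release is fixed when its major
// line has a fix release and it is at or above it; this is why backporting
// (slide 29) matters for dependents whose constraint stays on an old line.
function resolvesToFixed(releases, constraint, fixedIn) {
  const installed = highestSatisfying(releases, constraint);
  if (!installed) return false;
  const major = parseVersion(installed.version)[0];
  return fixedIn.some((f) => parseVersion(f)[0] === major && compareVersions(installed.version, f) >= 0);
}

for (const c of ["1.2.3", "~1.2.0", "^1.0.0", "2.0.0", "^2.0.0"]) {
  const lag = technicalLag(RELEASES, c);
  const status = resolvesToFixed(RELEASES, c, ADVISORY.fixedIn) ? "fixed" : "VULNERABLE";
  console.log(`${c.padEnd(7)} -> ${lag.installed} (${lag.versionLag} newer, ${lag.timeLagDays} days behind) ${status}`);
}
```

Reading the output: the exact pin `1.2.3` sits four releases and 214 days behind and stays vulnerable even though a fix exists on its own line, while `~1.2.0` picks up the 1.2.4 backport automatically and trails by 61 days; only `^2.0.0` has no lag at all. That is the trade-off the slides describe: loosening the constraint buys freshness and fixes at the cost of exposure to incompatible (or, per the slide on breaking changes, mislabelled) updates. Remove the 1.2.4 entry from `RELEASES` and `~1.2.0` becomes vulnerable again, which is the "no backport" case.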
  • 30. Guidelines and lessons learned: Be prudent!
    • Only add a dependency if it is really needed
    • Avoid too many (transitive) dependencies
    • Avoid adding dependencies to problematic packages: too high technical lag, security vulnerabilities, unmaintained or deprecated packages
  • 31. Guidelines and lessons learned: Be agile!
    • Detect and fix vulnerabilities early
    • Embrace semantic versioning
    • Use (transitive) dependency monitoring tools to review your dependencies regularly
    • Integrate these tools in your Continuous Integration process
  • 32. Guidelines and lessons learned: Be communicative!
    • Inform your dependents about incompatible upgrades (by adhering to semantic versioning), planned updates and deprecated features
    • Help your dependents to upgrade more easily: provide (automated) migration guidelines, provide alpha/beta releases, test your changes on dependents before releasing updates
  • 33. SoHeal 2019: 2nd International ICSE Workshop on Software Health, Montreal, Canada, 28 May 2019. https://soheal.github.io @iw_soheal
    • Position papers: 1 February 2019
    • Industry/practitioner talk proposals: 15 February 2019
    • What? Software Health encompasses many socio-technical aspects: success, longevity, growth, resilience, survival, diversity, sustainability, popularity, inclusiveness ...
    • Why? Raise awareness of software health; present tools, methods, practical experiences, ...; advance the body of knowledge on software health.
    • Who? Open Source Community Members, Industry and Academia

Editor's notes

  1. Technical Diversity: different platforms, different programming languages, different application domains, different packages with similar functionality. Community Smells: Lone Wolfs, Isolated Teams, Communication Problems. Contributor Abandonment: Rage quitting.
  2. “The package leftpad essentially contains a few lines of source code but has thousands of dependent projects, including Node and Babel. When its developer decided to unpublish all his modules for npm, this had important consequences, “almost breaking the internet”.” March 2016: the unexpected removal of left-pad caused > 2% of all packages to break (> 5,400 packages). RubyGems, November 2010: release 0.5.0 of i18n broke dependent package ActiveRecord, transitively required by > 5% of all packages (930).
  3. Transitive dependencies are a problem, especially since dependency monitoring tools typically only consider direct dependencies.
  4. Breaking changes = backward incompatible changes that are not announced as such. If semantic versioning is used, breaking changes should only arise in "major" releases.
  5. Volume: need to store, analyse and manipulate huge quantities of data when studying software ecosystems (containing tens of thousands of components and dependencies, a huge number of commits, thousands of contributors, millions of lines of code, ...). For packaging ecosystems (numbers reported by A. Decan), number of packages / releases (excluding prereleases) / (runtime) dependencies, March 2018:
    - Cargo: 14,491 / 80,778 / 292,470
    - NPM: 698,647 / 4,432,172 / 19,838,481
    - Packagist: 126,363 / 832,899 / 2,273,465
    - Rubygems: 143,737 / 825,386 / 1,970,396
    Other numbers that could be of interest (from https://octoverse.github.com/, 2017): number of opened PRs for JavaScript: 2.3M; number of opened PRs for Python: 1M; ...
    Some numbers for single projects:
    - Rails (rubygems): 68,980 commits, 346 releases, 3,570 contributors; 370 open, 11,064 closed issues; 720 open, 20,689 closed PRs
    - Django (python): 25,703 commits, 186 releases, 1,584 contributors; 28,665 issues (not on GitHub); 162 open, 9,784 closed PRs
    - React (javascript): 9,885 commits, 89 releases, 1,178 contributors; 373 open, 5,553 closed issues; 90 open, 6,684 closed PRs
  6. Packagist (PHP), Cargo (Rust), CRAN, CPAN, npm, nuget, rubyGems
  7. #packages grows exponentially for npm and packagist; #dependencies and #package updates grow exponentially for npm, linearly for packagist.
  8. Survival analysis. After 24 months, 40% of all vulnerabilities are still not discovered!
  9. + Most vulnerabilities are quickly fixed after their discovery. - ~20% of vulnerabilities take more than 1 year to be fixed.
  10. Version constraints could reduce technical lag in 17% of all releases, e.g., through better use of semantic versioning. Package maintainers should help dependent packages to upgrade to new releases as easily as possible, e.g. through (automated) migration guidelines or by providing alpha/beta releases.