Understanding When to Adopt a Library: A Case Study on ASF Projects

Ihara, Akinori; Fujibayashi, Daiki; Suwa, Hirohiko; Kula, Raula Gaikovina; Matsumoto, Kenichi

doi:10.1007/978-3-319-57735-7_13

Cited by 7 publications

(5 citation statements)

References 14 publications

(16 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As outlined in Raemaekers et al (2012), Teyton et al (2012), andBogart et al (2016), dependency management includes making cost-benefit decisions related to keeping or updating dependencies on outdated libraries. Additionally, Robbes et al (2012), Hora et al (2015, Sawant et al (2016), Bavota et al (2015), and Ihara et al (2017) showed that updating libraries and their APIs are slow and lagging. Decan et al (2017) showed the comparison of dependency evolution and issue from three different ecosystems.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Lags in the release, adoption, and propagation of npm vulnerability fixes

et al. 2021

Self Cite

View full text Add to dashboard Cite

Security vulnerability in third-party dependencies is a growing concern not only for developers of the affected software, but for the risks it poses to an entire software ecosystem, e.g., Heartbleed vulnerability. Recent studies show that developers are slow to respond to the threat of vulnerability, sometimes taking four to eleven months to act. To ensure quick adoption and propagation of a release that contains the fix (fixing release), we conduct an empirical investigation to identify lags that may occur between the vulnerable release and its fixing release (package-side fixing release). Through a preliminary study of 231 package-side fixing release of npm projects on GitHub, we observe that a fixing release is rarely released on its own, with up to 85.72% of the bundled commits being unrelated to a fix. We then compare the package-side fixing release with changes on a client-side (client-side fixing release). Through an empirical study of the adoption and propagation tendencies of 1,290 package-side fixing releases that impact throughout a network of 1,553,325 releases of npm packages, we find that stale clients require additional migration effort, even if the package-side fixing release was quick (i.e., package-side fixing releasetypeSpatch). Furthermore, we show the influence of factors such as the branch that the package-side fixing release lands on and the severity of vulnerability on its propagation. In addition to these lags we identify and characterize, this paper lays the groundwork for future research on how to mitigate propagation lags in an ecosystem.

show abstract

Section: Related Workmentioning

confidence: 99%

“…3. Studies by Kula et al (2018b), Bavota et al (2015), Bogart et al (2016), and Ihara et al (2017) show that developers are slow to update their vulnerable packages, which is occasionally due to management and process factors.…”

Section: Introductionmentioning

confidence: 99%

Lags in the release, adoption, and propagation of npm vulnerability fixes

et al. 2021

Self Cite

View full text Add to dashboard Cite

show abstract

“…Application developers using a library should replace their library copy with a new version, if the copied version of the library included severe problems such as security vulnerabilities. Adopting a new version of a library may seem a simple task, but have many difficulties [5]. Knowledge about a system's past upgrade activity with respect to a library can help maintainers [6].…”

Section: Introductionmentioning

confidence: 99%

Extraction of Library Update History Using Source Code Reuse Detection

Jewmaidang

Ishio

Ihara

et al. 2018

IEICE Trans. Inf. & Syst.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Library projects where new code libraries are developed and client projects where the libraries are reused organize release management in a different way to accomodate their technical dependencies. On that regard, recent results suggest that client projects are quicker to update libraries with a rapid release cycle compared to actual library projects with a longer release cycle [30]. The same study also suggests that client projects are more likely to adopt the latest version of libraries with shorter release cycles.…”

Section: Prior Related Workmentioning

confidence: 95%

“…As Git tags apply only to a commit and are not branchaware 30 , OpenStack developers encode key release information such as project name, release series, branch and commit hash, within plain YAML 31 text files. Developers produce a large variety of code that is hosted across multiple Git repositories.…”

Section: Orchestrating Distributed Work Tagging and Version Controlmentioning

confidence: 99%

Managing to release early, often and on time in the OpenStack software ecosystem

Teixeira

Karsten

2019

J Internet Serv Appl

View full text Add to dashboard Cite

The dictum of "Release early, release often." by Eric Raymond as the Linux modus operandi highlights the importance of release management in open source software development. However, there are very few empirical studies addressing release management in this context. It is already known that most open source software communities adopt either a feature-based or time-based release strategy. Both have their own advantages and disadvantages that are also context-specific. Recent research reports that many prominent open source software projects have overcome a number of recurrent problems by moving from feature-based to time-based release strategies. In this longitudinal case study, we address the release management practices of OpenStack, a large scale open source project developing cloud computing technologies. We discuss how the release management practices of OpenStack have evolved in terms of chosen strategy and timeframes with close attention to processes and tools. We discuss the number of practical and managerial issues related to release management within the context of large and complex software ecosystems. Our findings also reveal that multiple release management cycles can co-exist in large and complex software ecosystems such as OpenStack.

show abstract

Understanding When to Adopt a Library: A Case Study on ASF Projects

Cited by 7 publications

References 14 publications

Lags in the release, adoption, and propagation of npm vulnerability fixes

Lags in the release, adoption, and propagation of npm vulnerability fixes

Extraction of Library Update History Using Source Code Reuse Detection

Managing to release early, often and on time in the OpenStack software ecosystem

Contact Info

Product

Resources

About