
    An Introduction to Software Ecosystems

    This chapter defines and presents different kinds of software ecosystems. The focus is on the development, tooling and analytics aspects of software ecosystems, i.e., communities of software developers and the interconnected software components (e.g., projects, libraries, packages, repositories, plug-ins, apps) they are developing and maintaining. The technical and social dependencies between these developers and software components form a socio-technical dependency network, and the dynamics of this network change over time. We classify and provide several examples of such ecosystems. The chapter also introduces and clarifies the relevant terms needed to understand and analyse these ecosystems, as well as the techniques and research methods that can be used to analyse different aspects of these ecosystems.

    Comment: Preprint of chapter "An Introduction to Software Ecosystems" by Tom Mens and Coen De Roover, published in the book "Software Ecosystems: Tooling and Analytics" (eds. T. Mens, C. De Roover, A. Cleve), 2023, ISBN 978-3-031-36059-6, reproduced with permission of Springer. The final authenticated version of the book and this chapter is available online at: https://doi.org/10.1007/978-3-031-36060-

    Security considerations in the open source software ecosystem

    Open source software plays an important role in the software supply chain, allowing stakeholders to utilize open source components as building blocks in their software, tooling, and infrastructure. But relying on the open source ecosystem introduces unique challenges, both in terms of security and trust, as well as in terms of supply chain reliability. In this dissertation, I investigate approaches, considerations, and encountered challenges of stakeholders in the context of security, privacy, and trustworthiness of the open source software supply chain. Overall, my research aims to empower and support software experts with the knowledge and resources necessary to achieve a more secure and trustworthy open source software ecosystem. In the first part of this dissertation, I describe a research study investigating the security and trust practices in open source projects by interviewing 27 owners, maintainers, and contributors from a diverse set of projects to explore their behind-the-scenes processes, guidance and policies, incident handling, and encountered challenges, finding that participants’ projects are highly diverse in terms of their deployed security measures and trust processes, as well as their underlying motivations. More on the consumer side of the open source software supply chain, I investigated the use of open source components in industry projects by interviewing 25 software developers, architects, and engineers to understand their projects’ processes, decisions, and considerations in the context of external open source code, finding that open source components play an important role in many of the industry projects, and that most projects have some form of company policy or best practice for including external code. On the side of end-user focused software, I present a study investigating the use of software obfuscation in Android applications, which is a recommended practice to protect against plagiarism and repackaging. The study leveraged a multi-pronged approach including a large-scale measurement, a developer survey, and a programming experiment, finding that only 24.92% of apps are obfuscated by their developer, that developers do not fear theft of their own apps, and have difficulties obfuscating their own apps. Lastly, to involve end users themselves, I describe a survey with 200 users of cloud office suites to investigate their security and privacy perceptions and expectations, with findings suggesting that users are generally aware of basic security implications, but lack technical knowledge for envisioning some threat models. The key findings of this dissertation include that open source projects have highly diverse security measures, trust processes, and underlying motivations; that the projects’ security and trust needs are likely best met in ways that consider their individual strengths, limitations, and project stage, especially for smaller projects with limited access to resources; and that open source components play an important role in industry projects, and that those projects often have some form of company policy or best practice for including external code, but developers wish for more resources to better audit included components. This dissertation emphasizes the importance of collaboration and shared responsibility in building and maintaining the open source software ecosystem, with developers, maintainers, end users, researchers, and other stakeholders alike ensuring that the ecosystem remains a secure, trustworthy, and healthy resource for everyone to rely on.

    IMPLICATIONS OF RANCHER DECISION-MAKING PATTERNS IN DOUGLAS COUNTY, WASHINGTON FOR INCENTIVE-BASED CONSERVATION OF SAGE-GROUSE

    Conservationists are increasingly recognizing the importance of private land for the conservation of imperiled wildlife species while at the same time acknowledging the controversies with seeking Endangered Species Act protections. Recent and ongoing government-led efforts to conserve the greater sage-grouse (Centrocercus urophasianus) through the Sage Grouse Initiative (SGI) provide an illustrative experiment in applying incentive-based conservation to private lands. However, whether the SGI program works because it provides an alternative to listing has not been empirically researched. In this study I apply a qualitative, exploratory approach to examine SGI participation among ranchers in Washington, a state with a high percentage of core sage-grouse habitat existing on private ranches and concerted efforts of SGI to promote grazing planning as a means to protect sage-grouse. Through interviews and analysis of both participating and nonparticipating ranchers, I found the most important factors in determining ranchers’ decision processes are their different regulatory risk perceptions, knowledge claims, stewardship values, and anticipated costs/benefits. Analysis of the interactions among these factors revealed five decision patterns among the ranchers in my sample. These include two patterns revealing why ranchers participate in SGI and three which explain nonparticipation. I refer to the first two as: (1) risk mitigators who participate in SGI to mitigate the threat of possible regulations to protect sage-grouse in addition to other anticipated benefits such as infrastructure improvements; and (2) capacity builders who participate in SGI because it further enables them to improve their stewardship goals. The three that pertain to nonparticipation are: (3) capacity maintainers who do not see SGI as providing any additional management benefit; (4) skeptical pragmatists who doubt the utility of the practices or protections prescribed by SGI; and (5) sovereign stewards who desire to be autonomous and self-reliant. Significantly, three of the five decision patterns are not incentivized by the presumed importance of reducing regulatory risk, and ranchers’ stewardship values deterred participation in SGI as much as they enabled it. Based on my findings, I suggest implications where further investigation is needed to fully understand the complex political, cultural, and economic dynamics that shape land managers’ support of incentive-based conservation efforts.

    Pika: Empowering Non-Programmers to Author Executable Governance Policies in Online Communities

    Internet users have formed a wide array of online communities with nuanced and diverse community goals and norms. However, most online platforms only offer a limited set of governance models in their software infrastructure and leave little room for customization. Consequently, technical proficiency becomes a prerequisite for online communities to build governance policies in code, excluding non-programmers from participation in designing community governance. In this paper, we present Pika, a system that empowers non-programmers to author a wide range of executable governance policies. At its core, Pika incorporates a declarative language that decomposes governance policies into modular components, thereby facilitating expressive policy authoring through a user-friendly, form-based web interface. Our user studies with 17 participants show that Pika can empower non-programmers to author governance policies approximately 2.5 times faster than programmers who author in code. We also provide insights about Pika's expressivity in supporting diverse policies that online communities want.

    Comment: Under revie

    Understanding and improving requirements discovery in open source software development: an initial exploration

    In proprietary or closed source software (CSS) development, there is a formal requirements engineering (RE) phase for discovering the requirements for an application. The requirements engineering process in CSS development is comprised of many formal practices (e.g., elicitation/generation). With the advent of the Internet and web-based tools and technologies, a new and different form of software development has emerged: globally distributed, typically volunteer driven, open source software (OSS) development. OSS development largely occurs in an informal, ad hoc manner and often lacks the formal developmental practices and processes of CSS development. The goal of this research is to gain a better understanding of the current state of RE in OSS, to identify potential directions for improving RE in OSS, and to empirically investigate the potential of some specific RE practices to improve OSS development. In pursuit of the research goal, in the initial phase of this research a web-based survey of practicing OSS developers was conducted to explore the current state of RE in OSS. Results supported the claims about informality of RE in OSS, as well as pointed towards potential directions for improvement. In the second phase of the research, a web-based experiment was conducted to investigate the actual benefits from a particular CSS development requirements generation practice, requirements reuse (operationalized as the availability of a library of reusable requirements within the OSS development environment), for OSS development. Analysis of the experimental data revealed that the experimental treatment (availability of a library of reusable requirements) had a significant effect on the size of requirements message, requirements quantity and requirements completeness after controlling for covariates, indicating usefulness of the reusable library. The final phase of the research focused on OSS issue gathering approaches, a source of requirements for OSS. In this phase, a qualitative study of OSS developers explored how an OSS issue gathering approach, enforcing classification (versus free-form OSS issue gathering), may contribute to the misclassification problem (erroneous classification of OSS issues), and what can be done at the issue gathering interface level to mitigate the misclassification problem. Insights from the analysis of data from the final phase of the research shed light on the desirable characteristics that OSS issue gathering interfaces should possess for mitigating misclassification.

    Social aspects of collaboration in online software communities
