68 research outputs found
The Life and Death of Software Ecosystems
Software ecosystems have gained a lot of attention in recent times. Industry
and developers gather around technologies and collaborate on their advancement;
when the boundaries of such an effort extend beyond a certain number of
projects, we are witnessing the appearance of Free/Libre and Open Source
Software (FLOSS) ecosystems.
In this chapter, we explore two aspects that contribute to a healthy
ecosystem, related to the attraction (and detraction) and the death of
ecosystems. To function and survive, ecosystems need to attract people, get
them on-boarded and retain them. In Section One we explore possibilities with
provocative research questions for attracting and detracting contributors (and
users): the lifeblood of FLOSS ecosystems. Then in Section Two, we focus on
the death of systems, exploring some presumed-to-be-dead systems and their
state in the afterlife.
Comment: Book Chapter
In War and Peace: The Impact of World Politics on Software Ecosystems
Reliance on third-party libraries is now commonplace in contemporary software
engineering. Being open source in nature, these libraries should advocate for a
world where the freedoms and opportunities of open source software can be
enjoyed by all. Yet, there is a growing concern related to maintainers using
their influence to make political stances (i.e., referred to as protestware).
In this paper, we reflect on the impact of world politics on software
ecosystems, especially in the context of the ongoing War in Ukraine. We show
three cases where world politics has had an impact on a software ecosystem, and
how these incidents may result in either benign or malignant consequences. We
further point to specific opportunities for research, and conclude with a
research agenda with ten research questions to guide future research
directions.
Comment: Accepted to ESEC/FSE as a vision paper
Using High-Rising Cities to Visualize Performance in Real-Time
For developers concerned with a performance drop or improvement in their
software, a profiler allows them to quickly search for and identify
bottlenecks and leaks that consume much execution time. Non-real-time profilers
analyze the history of already executed stack traces, while a real-time
profiler outputs the results concurrently with the execution of the software, so
users can know the results instantaneously. However, a real-time profiler risks
providing overly large and complex outputs, which are difficult for developers
to analyze quickly. In this paper, we visualize the performance data from a
real-time profiler. We visualize program execution as a three-dimensional (3D)
city, representing the structure of the program as artifacts in a city (i.e.,
classes and packages expressed as buildings and districts) and their program
executions expressed as the fluctuating height of artifacts. Through two case
studies and using a prototype of our proposed visualization, we demonstrate how
our visualization can easily identify performance issues such as a memory leak
and compare performance changes between versions of a program. A demonstration
of the interactive features of our prototype is available at
https://youtu.be/eleVo19Hp4k.
Comment: 10 pages, VISSOFT 2017, Artifact:
https://github.com/sefield/high-rising-city-artifac
Promises and Perils of Mining Software Package Ecosystem Data
The use of third-party packages is becoming increasingly popular and has led
to the emergence of large software package ecosystems with a maze of
inter-dependencies. Since the reliance on these ecosystems enables developers
to reduce development effort and increase productivity, it has attracted the
interest of researchers: understanding the infrastructure and dynamics of
package ecosystems has given rise to approaches for better code reuse,
automated updates, and the avoidance of vulnerabilities, to name a few
examples. But the reality of these ecosystems also poses challenges to software
engineering researchers, such as: How do we obtain the complete network of
dependencies along with the corresponding versioning information? What are the
boundaries of these package ecosystems? How do we consistently detect
dependencies that are declared but not used? How do we consistently identify
developers within a package ecosystem? How much of the ecosystem do we need to
understand to analyse a single component? How well do our approaches generalise
across different programming languages and package ecosystems? In this chapter,
we review promises and perils of mining the rich data related to software
package ecosystems available to software engineering researchers.
Comment: Submitted as a Book Chapter
Ethical Considerations Towards Protestware
A key drawback to using an Open Source third-party library is the risk of
introducing malicious attacks. In recent times, these threats have taken a
new form, when maintainers turn their Open Source libraries into protestware.
This is defined as software containing political messages delivered through
these libraries, which can be either malicious or benign. Since developers are
willing to freely open up their software to these libraries, much trust and
responsibility are placed on the maintainers to ensure that the library does
what it promises to do. This paper takes a look into the possible scenarios
where developers might consider turning their Open Source Software into
protestware, using an ethico-philosophical lens. Using different frameworks
commonly used in AI ethics, we explore the different dilemmas that may result
in protestware. Additionally, we illustrate how an open-source maintainer's
decision to protest is influenced by different stakeholders (viz., their
membership in the OSS community, their personal views, financial motivations,
social status, and moral viewpoints), making protestware a multifaceted and
intricate matter.
Comment: Under submission
Lessons from the Long Tail: Analysing Unsafe Dependency Updates across Software Ecosystems
A risk in adopting third-party dependencies into an application is their
potential to serve as a doorway for malicious code to be injected (most often
unknowingly). While many initiatives from both industry and research
communities focus on the most critical dependencies (i.e., those most depended
upon within the ecosystem), little is known about whether the rest of the
ecosystem suffers the same fate. Our vision is to promote and establish safer
practices throughout the ecosystem. To motivate our vision, in this paper, we
present preliminary data based on three representative samples from a
population of 88,416 pull requests (PRs) and identify unsafe dependency updates
(i.e., any pull request that risks being unsafe during runtime), which clearly
shows that unsafe dependency updates are not limited to highly impactful
libraries. To draw attention to the long tail, we propose a research agenda
comprising six key research questions that further explore how to safeguard
against these unsafe activities. This includes developing best practices to
address unsafe dependency updates not only in top-tier libraries but throughout
the entire ecosystem.