Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is

González-Barahona, Jesús M.; Sherwood, P. C.; Robles, Gregório; Izquierdo, Daniel

doi:10.1007/978-3-319-57735-7_17

Cited by 34 publications

(33 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, updating to more recent versions might lead to an increased risk of backward incompatible changes. Package maintainers advocate to investigate the impact of breaking changes in dependent packages before deciding to update them 1 . Depending on the number of dependencies, this can become an infeasible task.…”

Section: Introductionmentioning

confidence: 99%

“…Depending on the number of dependencies, this can become an infeasible task. To capture this challenging balance between risks and opportunities of updating dependencies, Gonzalez-Barahona et al [1] proposed the concept of technical lag for reflecting how outdated a software system is with respect to its upstream dependencies. Having a precise way of measuring technical lag allows software developers to make informed decisions on whether and when to update their outdated dependencies.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

On the Evolution of Technical Lag in the npm Package Dependency Network

Decan

Mens

Constantinou

2018

2018 IEEE International Conference on Software Maintenance and Evolution (ICSME)

View full text Add to dashboard Cite

Software packages developed and distributed through package managers extensively depend on other packages. These dependencies are regularly updated, for example to add new features, resolve bugs or fix security issues. In order to take full advantage of the benefits of this type of reuse, developers should keep their dependencies up to date by relying on the latest releases. In practice, however, this is not always possible, and packages lag behind with respect to the latest version of their dependencies. This phenomenon is described as technical lag in the literature. In this paper, we perform an empirical study of technical lag in the npm dependency network by investigating its evolution for over 1.4M releases of 120K packages and 8M dependencies between these releases. We explore how technical lag increases over time, taking into account the release type and the use of package dependency constraints. We also discuss how technical lag can be reduced by relying on the semantic versioning policy.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

On the Evolution of Technical Lag in the npm Package Dependency Network

Decan

Mens

Constantinou

2018

2018 IEEE International Conference on Software Maintenance and Evolution (ICSME)

View full text Add to dashboard Cite

show abstract

“…González-Barahona et al [13] proposed a theoretical model of "technical lag" to measure how outdated software components are. They explored many ways in which technical lag can be measured, and presented specific cases for which it is useful to analyze the evolution of technical lag.…”

Section: Related Workmentioning

confidence: 99%

“…Debian maintainers prefer to start with easy bugs that are trivial to fix rather than normal ones. Nonetheless, bugs that may have an impact on releasing the package with the Stable release of Debian (i.e., high severity 13 ) have the highest priority.…”

Section: Rq 4 : How Long Do Bugs Remain Unfixed?mentioning

confidence: 99%

“…The method is based on the concept of technical lag [13], which we use to estimate the difference between the software deployed in production and the most recent version of this software (in our case, in terms of novelty, vulnerabilities and bugs). To show the applicability of the approach, we have conducted an empirical study, measuring technical lag, security vulnerabilities and bugs for 2, 453 official and 4, 927 community Docker Hub images based on the Debian Linux distribution.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs

Zerouali¹,

Mens²,

Robles

et al. 2019

2019 IEEE 26th International Conference on Software Analysis, Evolution and Reengineering (SANER)

Self Cite

View full text Add to dashboard Cite

Packaging software into containers is becoming a common practice when deploying services in cloud and other environments. Docker images are one of the most popular container technologies for building and deploying containers. A container image usually includes a collection of software packages, that can have bugs and security vulnerabilities that affect the container health. Our goal is to support container deployers by analysing the relation between outdated containers and vulnerable and buggy packages installed in them. We use the concept of technical lag of a container as the difference between a given container and the most up-to-date container that is possible with the most recent releases of the same collection of packages. For 7,380 official and community Docker images that are based on the Debian Linux distribution, we identify which software packages are installed in them and measure their technical lag in terms of version updates, security vulnerabilities and bugs. We have found, among others, that no release is devoid of vulnerabilities, so deployers cannot avoid vulnerabilities even if they deploy the most recent packages. We offer some lessons learned for container developers in regard to the strategies they can follow to minimize the number of vulnerabilities. We argue that Docker container scan and security management tools should improve their platforms by adding data about other kinds of bugs and include the measurement of technical lag to offer deployers information of when to update.

show abstract

A formal framework for measuring technical lag in component repositories — and its application to npm

Zerouali

Mens

González-Barahona

et al. 2019

J Software Evolu Process

Self Cite

View full text Add to dashboard Cite

Reusable Open Source Software (OSS) components for major programming languages are available in package repositories. Developers rely on package management tools to automate deployments, specifying which package releases satisfy the needs of their applications. However, these specifications may lead to deploying package releases that are outdated, or otherwise undesirable, because they do not include bug fixes, security fixes, or new functionality. In contrast, automatically updating to a more recent release may introduce incompatibility issues.To capture this delicate balance, we formalise a generic model of technical lag, a concept that quantifies to which extent a deployed collection of components is outdated, with respect to the ideal deployment. We operationalise this model for the npm package manager. We empirically analyze the history of package update practices and technical lag for more than 500K packages with about 4M package releases over a seven-year period. We consider both development and runtime dependencies, and study both direct and transitive dependencies. We also analyze the technical lag of external GitHub applications depending on npm packages. We report our findings, suggesting the need for more awareness of, and integrated tool support for, controlling technical lag in software libraries. KEYWORDS empirical analysis, semantic versioning, software repository mining, software reuse, technical lag INTRODUCTIONOver the past years, depending on external software components has become a common software development practice, especially in the free, Open Source community. 1 This practice can lead to a significant gain in productivity, because of the ability to reuse complex functionality, rather than implementing it from scratch. 2 To further facilitate this form of reuse, many online platforms have been created for distributions of operating systems (eg, Linux distributions such as Debian and Ubuntu) and the most prominent programming languages (eg. npm for JavaScript, MavenCentral for Java, RubyGems for Ruby), totaling millions of reusable components.While the availability and abundance of those reusable components facilitate building software, it can also cause problems in maintenance and evolution. For example, a recent version of an application may be outdated, not because of its own code but due to depending on components that were not updated to their latest versions. If this happens, there is a higher risk of having bugs and security issues that may have been already fixed. 3 On the other hand, updating to more recent releases of reusable components is not for free since it might lead to a risk of facing backward incompatible changes. 4To capture how outdated a deployed software package release is w.r.t. the ''ideal'' situation, Gonzalez-Barahona et al 5 introduced the concept of ''technical lag'' as the increasing lag between upstream development and the deployed system if no corrective actions are taken. Its goal is to enable developers to decide on a more informed basis, whether or not t...

show abstract

Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is

Cited by 34 publications

References 10 publications

On the Evolution of Technical Lag in the npm Package Dependency Network

On the Evolution of Technical Lag in the npm Package Dependency Network

On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs

A formal framework for measuring technical lag in component repositories — and its application to npm

Contact Info

Product

Resources

About