Papers
Topics
Authors
Recent
Search
2000 character limit reached

Engineering Formality and Software Risk in Debian Python Packages

Published 8 Mar 2024 in cs.SE and cs.CY | (2403.05728v2)

Abstract: While free/libre and open source software (FLOSS) is critical to global computing infrastructure, the maintenance of widely-adopted FLOSS packages is dependent on volunteer developers who select their own tasks. Risk of failure due to the misalignment of engineering supply and demand -- known as underproduction -- has led to code base decay and subsequent cybersecurity incidents such as the Heartbleed and Log4Shell vulnerabilities. FLOSS projects are self-organizing but can often expand into larger, more formal efforts. Although some prior work suggests that becoming a more formal organization decreases project risk, other work suggests that formalization may increase the likelihood of project abandonment. We evaluate the relationship between underproduction and formality, focusing on formal structure, developer responsibility, and work process management. We analyze 182 packages written in Python and made available via the Debian GNU/Linux distribution. We find that although more formal structures are associated with higher risk of underproduction, more elevated developer responsibility is associated with less underproduction, and the relationship between formal work process management and underproduction is not statistically significant. Our analysis suggests that a FLOSS organization's transformation into a more formal structure may face unintended consequences which must be carefully managed.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (34)
  1. K. Crowston, K. Wei, J. Howison, and A. Wiggins, “Free/Libre open-source software development: What we know and what we do not know,” ACM Computing Surveys, vol. 44, no. 2, pp. 1–35, Feb. 2012.
  2. K. Champion and B. M. Hill, “Underproduction: An approach for measuring risk in open source software,” in 2021 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER).   Honolulu, HI, USA: IEEE, Mar. 2021, pp. 388–399. [Online]. Available: https://ieeexplore.ieee.org/document/9426043/
  3. J. Walden, “The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL,” in 17th International Conference on Mining Software Repositories, ser. MSR ’20.   New York, NY, USA: Association for Computing Machinery, Jun. 2020, pp. 409–419. [Online]. Available: http://doi.org/10.1145/3379597.3387465
  4. “Log4Shell 10 days later: Enterprises halfway through patching,” Dec. 2021, publication Title: wiz.io. [Online]. Available: https://www.wiz.io/blog/10-days-later-enterprises-halfway-through-patching-log4shell
  5. “CISA Open Source Software Security Roadmap,” Sep. 2023. [Online]. Available: https://www.cisa.gov/resources-tools/resources/cisa-open-source-software-security-roadmap
  6. P. Krill, “Report finds few open source projects actively maintained,” InfoWorld, Oct. 2023. [Online]. Available: https://www.infoworld.com/article/3708630/report-finds-few-open-source-projects-actively-maintained.html
  7. ——, “Coase’s penguin, or, Linux and the nature of the firm,” Yale Law Journal, vol. 112, no. 3, pp. 369–446, 2002. [Online]. Available: http://www.jstor.org/stable/1562247
  8. ——, “Peer production, the commons, and the future of the firm,” Strategic Organization, vol. 15, no. 2, pp. 264–274, May 2017. [Online]. Available: https://doi.org/10.1177/1476127016652606
  9. X. Yin and E. J. Zajac, “The strategy/governance structure fit relationship: theory and evidence in franchising arrangements,” Strategic Management Journal, vol. 25, no. 4, pp. 365–383, 2004. [Online]. Available: https://onlinelibrary.wiley.com/doi/abs/10.1002/smj.389
  10. J. W. Meyer and B. Rowan, “Institutionalized organizations: Formal structure as myth and ceremony,” American Journal of Sociology, vol. 83, no. 2, pp. 340–363, Sep. 1977. [Online]. Available: http://www.jstor.org/stable/2778293
  11. K. Healy and A. Schussman, “The Ecology of Open-Source Software Development,” 2003. [Online]. Available: https://www.semanticscholar.org/paper/The-Ecology-of-Open-Source-Software-Development-Healy-Schussman/9abecf8dfccfa21b20bb931fc63c161752b50181
  12. S. Hwang and A. Shaw, “Rules and Rule-Making in the Five Largest Wikipedias,” Proceedings of the International AAAI Conference on Web and Social Media, vol. 16, pp. 347–357, May 2022. [Online]. Available: https://ojs.aaai.org/index.php/ICWSM/article/view/19297
  13. A. Shaw and B. M. Hill, “Laboratories of oligarchy? How the iron law extends to peer production,” Journal of Communication, vol. 64, no. 2, pp. 215–238, 2014. [Online]. Available: http://onlinelibrary.wiley.com/doi/10.1111/jcom.12082/abstract
  14. P. Tourani, B. Adams, and A. Serebrenik, “Code of conduct in open source projects,” in 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), Feb. 2017, pp. 24–33. [Online]. Available: https://ieeexplore.ieee.org/abstract/document/7884606
  15. P. B. de Laat, “Governance of open source software: state of the art,” Journal of Management & Governance, vol. 11, no. 2, pp. 165–177, May 2007, tex.ids= noauthor_notitle_nodate-1. [Online]. Available: https://doi.org/10.1007/s10997-007-9022-9
  16. Y. Jiang, B. Adams, and D. M. German, “Will my patch make it? And how fast? Case study on the Linux kernel,” in 2013 10th Working Conference on Mining Software Repositories (MSR), May 2013, pp. 101–110, iSSN: 2160-1860. [Online]. Available: https://ieeexplore.ieee.org/abstract/document/6624016
  17. S. Onoue, H. Hata, and K. Matsumoto, “Software population pyramids: the current and the future of OSS development communities,” in Proceedings of the 8th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, ser. ESEM ’14.   New York, NY, USA: Association for Computing Machinery, Sep. 2014, pp. 1–4. [Online]. Available: https://doi.org/10.1145/2652524.2652565
  18. D. A. Tamburri, P. Lago, and H. v. Vliet, “Organizational social structures for software engineering,” ACM Computing Surveys, vol. 46, no. 1, pp. 3:1–3:35, Jul. 2013. [Online]. Available: https://dl.acm.org/doi/10.1145/2522968.2522971
  19. D. A. A. Tamburri, F. Palomba, and R. Kazman, “Exploring Community Smells in Open-Source: An Automated Approach,” IEEE Transactions on Software Engineering, pp. 1–1, 2019.
  20. J. van Meijel, “On the Relations Between Community Patterns and Smells in Open-Source: A Taxonomic and Empirical Analysis,” Master’s thesis, Eindhoven University of Technology, Eindhoven, NL, Oct. 2021.
  21. M. De Stefano, E. Iannone, F. Pecorelli, and D. A. Tamburri, “Impacts of software community patterns on process and product: An empirical study,” Science of Computer Programming, vol. 214, p. 102731, Feb. 2022. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0167642321001246
  22. K. Finley, “For Open Source, It’s All About GitHub Now,” Wired, Apr. 2019. [Online]. Available: https://www.wired.com/story/open-source-all-about-github-now/
  23. Y. Zhang, H. Wang, Y. Wu, D. Hu, and T. Wang, “GitHub’s milestone tool: A mixed-methods analysis on its use,” Journal of Software: Evolution and Process, vol. 32, no. 4, p. e2229, 2020. [Online]. Available: https://onlinelibrary.wiley.com/doi/abs/10.1002/smr.2229
  24. L. Yin, Z. Chen, Q. Xuan, and V. Filkov, “Sustainability forecasting for Apache incubator projects,” in Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ser. ESEC/FSE 2021.   New York, NY, USA: Association for Computing Machinery, Aug. 2021, pp. 1056–1067. [Online]. Available: https://dl.acm.org/doi/10.1145/3468264.3468563
  25. K. Crowston and J. Howison, “Assessing the health of open source communities,” IEEE Computer, vol. 39, no. 5, pp. 89–91, 2006.
  26. L. Yin, M. Chakraborti, Y. Yan, C. Schweik, S. Frey, and V. Filkov, “Open Source Software Sustainability: Combining Institutional Analysis and Socio-Technical Networks,” Proceedings of the ACM on Human-Computer Interaction, vol. 6, no. CSCW2, pp. 1–23, Nov. 2022. [Online]. Available: https://dl.acm.org/doi/10.1145/3555129
  27. S. Spaeth, M. Stuermer, S. Haefliger, and G. von Krogh, “Sampling in Open Source Software Development: The Case for Using the Debian GNU/Linux Distribution,” in 2007 40th Annual Hawaii International Conference on System Sciences (HICSS’07).   Waikoloa, HI: IEEE, Jan. 2007.
  28. B. M. Sadowski, G. Sadowski-Rasters, and G. Duysters, “Transition of governance in a mature open software source community: Evidence from the Debian case,” Information Economics and Policy, vol. 20, no. 4, pp. 323–332, Dec. 2008.
  29. R. Nguyen and R. Holt, “Life and death of software packages: An evolutionary study of Debian,” in Proceedings of the 2012 Conference of the Center for Advanced Studies on Collaborative Research, ser. CASCON ’12.   Toronto, Ontario, Canada: IBM Corp., Nov. 2012, pp. 192–204.
  30. L. Nussbaum and S. Zacchiroli, “The Ultimate Debian Database: Consolidating bazaar metadata for Quality Assurance and data mining,” in 2010 7th IEEE Working Conference on Mining Software Repositories (MSR 2010).   Cape Town, South Africa: IEEE, May 2010, pp. 52–61.
  31. S. Dueñas, V. Cosentino, G. Robles, and J. M. Gonzalez-Barahona, “Perceval: software project data at your will,” in Proceedings of the 40th International Conference on Software Engineering: Companion Proceeedings.   Gothenburg Sweden: ACM, May 2018, pp. 1–4. [Online]. Available: https://dl.acm.org/doi/10.1145/3183440.3183475
  32. G. Catolino, F. Palomba, and D. A. Tamburri, “The Secret Life of Software Communities: What we know and What we Don’t know,” Proceedings of the 18th Belgium-Netherlands Software Evolution Workshop,, 2019.
  33. W. Mauerer, M. Joblin, D. A. Tamburri, C. Paradis, R. Kazman, and S. Apel, “In Search of Socio-Technical Congruence: A Large-Scale Longitudinal Study,” IEEE Transactions on Software Engineering, vol. 48, no. 8, pp. 3159–3184, Aug. 2022. [Online]. Available: https://ieeexplore.ieee.org/document/9436025/
  34. G. Gousios, M. Pinzger, and A. v. Deursen, “An exploratory study of the pull-based software development model,” in Proceedings of the 36th International Conference on Software Engineering, ser. ICSE 2014.   New York, NY, USA: Association for Computing Machinery, May 2014, pp. 345–355. [Online]. Available: https://dl.acm.org/doi/10.1145/2568225.2568260

Summary

No one has generated a summary of this paper yet.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Continue Learning

We haven't generated follow-up questions for this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 2 tweets with 0 likes about this paper.