Software composition and dependency management
On Backporting Practices in Package Dependency Networks
February 6, 2022
4:20 PM – 4:40 PM Add to calendar
4:20 PM – 4:40 PM Add to calendar
D.dependency
<p>The practice of backporting aims to bring the benefits of a bug or vulnerability fix from a higher to a lower release of a software package. When such a package adheres to semantic versioning, backports can be recognised as new releases in a lower major train. This is particularly useful in case a substantial number of software packages continues to depend on that lower major train. In this talk, we discuss the backporting practices in four popular package distributions, namely Cargo, npm, Packagist and RubyGems. We observe that many dependent packages could benefit from backports provided by their dependencies. In particular, we find that a majority of security vulnerabilities affect more than one major train but are only fixed in the highest one, letting thousands of dependent packages exposed to the vulnerability. Despite that, we find that backporting updates is quite infrequent, and mostly practised by long-lived and more active packages for a variety of reasons.</p>
The full paper associated with this talk can be found at https://doi.org/10.1109/TSE.2021.3112204
The research has been carried out in the context of the Belgian SECOASSIST "Excellence of Science" Research Project https://secoassist.github.io
Additional information
| Type | devroom |
|---|
More sessions
| 2/6/22 |
<p>The devroom intro by devroom organization team!</p>
|
| 2/6/22 |
<p>Package URLs are a compact way to identify software packages across multiple ecosystems. Together with the new "vers" Version Range Specifier, these two mini specs will offer a new way to create new, mostly universal dependency resolvers and installers, working across ecosystems.</p>
|
| 2/6/22 |
<p>Legal Risk Mitigation is one of the three main functions of an <a href="https://github.com/todogroup/ospodefinition.org">OSPO</a> (designated places where open source is supported, nurtured, shared, explained, and grown inside an organization). OSPOs often oversee aspects of a company’s open source license compliance process and supply chain as one of the first activities. The responsibilities include:</p> <ul> <li>Maintaining open source license compliance reviews and oversight</li> ...
|
| 2/6/22 |
<p>This talk aims at presenting our trials and tribulations as well as our achievements in designing a compliance software project for open source licenses.</p> <p><em>"Are all module licenses in our software project compliant with each other ?"</em> Many of our customers have asked us this question even though they already had a plethora of software solutions (not always FOSS software) dealing with this topic. This surprised us, and led us to seek out the cause of their uncertainty. We then ...
|
| 2/6/22 |
<p>The management of SBoM (software bill of material) is very important for companies to comply with the OpenChain specification.The latest features of SW360 support the management of license obligations and the management of SBOMs in SPDX format. In this presentation, I will introduce and demonstrate the features of SW360.</p>
|
| 2/6/22 |
<p>Granted that software composition and dependency processing are very relevant for software engineering. The presentations have pointed out how such processing is embedded into activities of an organization. We would like to gather feedback about how the current status of adoption and integration looks like.</p>
|
| 2/6/22 |
<p>break</p>
|
