Dependency Management
There's no sustainability problem in FOSS
Except that there is.
February 1, 2020
3:30 PM – 4:00 PM Add to calendar
3:30 PM – 4:00 PM Add to calendar
UD2.119
The community seems to be rife with conversations about our sustainability problems. Do we actually have one? We’ll lead a discussion and debate around how we as a community can think about these issues, while drawing out the nuanced aspects of each as well as their potential solutions.
When something like left-pad or event-stream happens, how much responsibility should be taken on by companies who deployed a dependency that was critical enough to their operations that removing it created immediate crisis, but not well supported or understood enough that there was any kind of mitigation strategy or backup plan?
And yet, when you look at OpenSSL, curl, and other pieces of open source infrastructure that live in our dependency chains, there are many examples of projects that are important enough to be critical, but are under-resourced to the point that maintainers are having to make quality-of-life tradeoffs to stay on top of the project. We are responsible for ensuring that our shared dependencies are sustainably developed. But who is holding us accountable?
If a maintainer is driving themselves to burnout because they are supporting too many of their open source projects, don’t they bear some responsibility for that choice?
But how are we supposed to untangle which of the thousands of dependencies that we use are in most need of support - and what kind of support they prefer?
Is there a sustainability problem in FOSS after all?
This presentation will be co-presented with Duane O'Brien, Head of Open Source at Indeed.com, the world’s #1 jobs site.
Additional information
| Type | devroom |
|---|
More sessions
| 2/1/20 |
As recent events, such as the leftpad incident and the Equifax data breach, have demonstrated, dependencies on networks of external libraries can introduce projects to significant operational and compliance risks as well as difficult to assess security implications. FASTEN introduces fine-grained, method-level, tracking of dependencies on top of existing dependency management networks. In our talk, we will present how FASTEN works on top of the Rust/Cargo and Java/Maven ecosystems.
|
| 2/1/20 |
In the last couple of years, the Software Engineering Lab of the University of Mons has extensively studied different aspects of dependency management within and across different package management ecosystems, including Cargo, npm, Packagist, Rubygems, CPAN, CRAN and NuGet. These ecosystems contain a large number of package releases with many interdependencies. They face challenges related to their scale, complexity, and rate of evolution. Typical problems are backward incompatible package ...
|
| 2/1/20 |
The ultimate software supply chain self-help guide
|
| 2/1/20 |
GitHub has recently added Code Navigation features (jump to definition and find all references) that let you navigate code directly on github.com. For the languages that we support, we extract and store symbol information for every named branch and tag, of every repository, public or private, with no configuration necessary. The compute and storage requirements to do this for all of the code on GitHub are quite large. In this talk, we'll discuss some of the trade-offs we've made to make this ...
|
| 2/1/20 |
Dependency resolution is deceptively complex; simply selecting a set of compatible versions for an arbitrary network of dependencies is NP-hard. Much effort has been spent on this problem for modern single-language ecosystems, but many of these ecosystems rely on natively compiled libraries, and dependency mangers often fail at managing the additional complexities that native libraries entail. Further, dependency resolution has traditionally been modeled as a SAT problem, where the package ...
|
| 2/1/20 |
Package managers have become the default way for managing dependencies for most projects but they’re not without their challenges and risks. In this panel we bring together experts representing several popular package managers for a lively discussion on package management best practices, the state of package management communities, and a look forward at what we can expect to see in the future.
|
