SlideShare a Scribd company logo

Package Freshness in Linux Distributions: Perception versus Reality

Tom Mens
Tom Mens

Presentation by Damien Legay (Software Engineering Lab, University of Mons) during the BENEVOL 2020 software evolution research seminar. Abstract: The Linux operating system comes in a variety of distributions. These distributions incorporate the Linux kernel and a host of third-party packages, which provide much of the end-user functionality of the distribution. Distribution maintainers have the difficult task of ensuring that these packages are and remain in good working order, free of security vulnerabilities and continuously adapt to meet the ever-evolving needs of their users. These concerns are sometimes in conflict, which lead distributions to adopt different philosophies. As a result, not only do distributions offer a different set of packages, but the packages they have in common are present in different versions. We define package freshness as the difference, in time and number of versions, between a package’s latest version available and the one deployed in a given distribution. Through a mixed-method research approach, we provide qualitative and quantitative analyses to compare user perception with quantitatively measurable freshness of packages in mainstream Linux distributions: Arch Linux, CentOS, Debian Stable, Debian Unstable, Fedora and Ubuntu.

Science
1 of 20
Download to read offline
Legay, Decan, Mens Damien Legay, Alexandre Decan, Tom Mens Software Engineering Lab University of Mons Package Freshness in Linux Distributions 1BENEVOL 2020 Software Evolution Research Seminar – 4 December 2020 Perception versus Reality
Legay, Decan, Mens Linux Distributions 2Package Freshness in Linux Distributions
Legay, Decan, Mens Linux distributions emphasise different qualities Distribution Divergence 3Package Freshness in Linux Distributions Stability Security Freshness Debian (stable) QubesOS Arch Linux CentOS Subgraph Gentoo Linux Mint Alpine Linux OpenSUSE Tumbleweed Package freshness: how up to date a package is compared to upstream
Legay, Decan, Mens Mixed-methods research study: §Qualitative survey of users of Linux distributions § Published in ICSME2020 - NIER track § "On Package Freshness in Linux Distributions," International Conference on Software Maintenance and Evolution (ICSME 2020). DOI: 10.1109/ICSME46990.2020.00072 §Quantitative analyses of package freshness based on extracted historical data of Linux package distributions § Submitted / Under review 1 Package freshness 4Package Freshness in Linux Distributions
Legay, Decan, Mens §170 participants surveyed: §CHAOSSCon Europe 2020 §FOSDEM 2020 §Linux fora §subreddits §Focus on: § Perception of package freshness § Importance of package freshness § Motivations to update packages § Mechanisms used to update packages Qualitative Survey of users of Linux distributions 5Package Freshness in Linux Distributions
Legay, Decan, Mens Linux Distributions Used 6Package Freshness in Linux Distributions Distribution First Second Third Total Ubuntu (family) 47 46 43 117 Debian (family) 30 37 26 93 Red Hat (family) 33 33 25 91 Arch Linux 29 8 8 45 OpenSUSE (family) 21 13 5 39 Linux Mint 5 10 7 22 Slackware 2 2 1 5 Other distributions 3 6 5 14 Ranking of most-used distributions (up to 3)
Legay, Decan, Mens Asked about 6 package categories: §Open source end-user software: LibreOffice, Firefox, GIMP… §Proprietary end-user software: Adobe Reader, Skype, Spotify… §Development tools: Emacs, Eclipse, git… §System tools and libraries: openSSL, zsh, sudo… §Programing language runtimes: Python, Java… §Programing language libraries: Numpy, Lodash… Package Categories 7Package Freshness in Linux Distributions
Legay, Decan, Mens Perception of delay of package update deployment User Perception 8Package Freshness in Linux Distributions System Tools End-user Development ProgrammProgrammingEnd-user
Legay, Decan, Mens Importance of Package Freshness 9Package Freshness in Linux Distributions How important is package freshness to respondents? system tools end-user open source dev. tools programming language runtimes programming language libraries end-user proprietary software Around 75% of respondents consider freshness at least moderately important, except for proprietary software.
Legay, Decan, Mens Update Mechanisms Used 10Package Freshness in Linux Distributions Official community repositories are used whenever possible. Official repos Community repositories 3rd party managers Binaries Sources System Tools system tools end-user open source dev. tools programming language runtimes programming language libraries end-user proprietary software
Legay, Decan, Mens §Extracted data from 6 popular Linux distributions: Arch, CentOS, Debian Stable, Debian Unstable, Fedora, Ubuntu §Selected 890 packages common to all 6 distributions §Selected snapshots of these packages: § At time of release for distributions with a point release policy § Daily for distributions with a rolling release policy §Observation period: [2015-01-01, 2020-01-01[ Quantitative Analysis 11Package Freshness in Linux Distributions
Legay, Decan, Mens Proportion of packages not using the latest available version 12Package Freshness in Linux Distributions Vast discrepancy between distributions: from 10% (Arch) to 80% (CentOS)
Legay, Decan, Mens Update Delay 13Package Freshness in Linux Distributions Time since a more recent version of the package has become available. Example: package postgresql in Ubuntu 17.04
Legay, Decan, Mens Update Delay 14Package Freshness in Linux Distributions §Most packages in most distributions have < 3 months of update delay §In particular, 90% of Arch packages have very low update delay (under 10 days) §Contrasted by CentOS: Half of its packages have been superseded by another version by > 1 year
Legay, Decan, Mens Version Lag 15Package Freshness in Linux Distributions §70% to 90% of packages lag behind by at most two versions in most distributions §CentOS: more than half the packages lay behind by 3+ versions, 20% by 10+ versions!
Legay, Decan, Mens Comparing Package Freshness 16Package Freshness in Linux Distributions Ranking freshness of packages in distributions (1 = freshest, 6 = least fresh) Arch almost always ranked first, CentOS very often ranked last.
Legay, Decan, Mens Perception versus Reality 17Package Freshness in Linux Distributions Perception Reality Arch packages deployed in official repositories in a few days 90% of packages updates deployed within 10 days Fedora and Ubuntu in the order of weeks 60% deployed in less than a month Debian Stable in the order of months 60%-70% deployed within a six- month delay (30% > 3 months) CentOS in the order of months 50% of packages outdated by over a year
Legay, Decan, Mens §Users consider it important to keep packages fresh for different reasons: § security (90% of respondents) § bug fixing (88% of respondents) § benefiting from new features (66% of respondents) §Users rely on official repositories whenever possible è Important to have fresh packages in official repositories Conclusions 18Package Freshness in Linux Distributions
Legay, Decan, Mens §Package freshness varies a lot in popular Linux distributions § Arch packages the most fresh § CentOS packages much less fresh than other distributions §Perception versus reality of package freshness? §User perception is mostly accurate §Exception: underestimating time for CentOS §Nearly a third of respondents do not know at least for specific package categories Conclusions 19Package Freshness in Linux Distributions
Legay, Decan, Mens §Finer-grained study of package freshness §by package category §in distribution-agnostic package managers (Flatpak, Snap, AppImage, …) §Study trade-offs between freshness, security and stability § Latest version not necessarily most secure or stable § New versions introduce new features, and fix bugs and security issues… § … but also introduce new (undiscovered) bugs and vulnerabilities §Creation of historical database of package versions deployed in distributions and package upstream release dates Future Work 20Package Freshness in Linux Distributions

Recommended

How to be(come) a successful PhD student
How to be(come) a successful PhD studentHow to be(come) a successful PhD student
How to be(come) a successful PhD student
Tom Mens
 
Recognising bot activity in collaborative software development
Recognising bot activity in collaborative software developmentRecognising bot activity in collaborative software development
Recognising bot activity in collaborative software development
Tom Mens
 
A Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHubA Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHub
Tom Mens
 
The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub
Tom Mens
 
Nurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the FutureNurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the Future
Tom Mens
 
Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?
Tom Mens
 
On the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHubOn the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHub
Tom Mens
 
On backporting practices in package dependency networks
On backporting practices in package dependency networksOn backporting practices in package dependency networks
On backporting practices in package dependency networks
Tom Mens
 

Recommended

How to be(come) a successful PhD student
How to be(come) a successful PhD studentHow to be(come) a successful PhD student
How to be(come) a successful PhD student
Tom Mens
 
Recognising bot activity in collaborative software development
Recognising bot activity in collaborative software developmentRecognising bot activity in collaborative software development
Recognising bot activity in collaborative software development
Tom Mens
 
A Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHubA Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHub
Tom Mens
 
The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub
Tom Mens
 
Nurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the FutureNurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the Future
Tom Mens
 
Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?
Tom Mens
 
On the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHubOn the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHub
Tom Mens
 
On backporting practices in package dependency networks
On backporting practices in package dependency networksOn backporting practices in package dependency networks
On backporting practices in package dependency networks
Tom Mens
 
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Tom Mens
 
Lost in Zero Space
Lost in Zero SpaceLost in Zero Space
Lost in Zero Space
Tom Mens
 
Evaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesEvaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messages
Tom Mens
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!
Tom Mens
 
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Tom Mens
 
On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystems
Tom Mens
 
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
Tom Mens
 
Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)
Tom Mens
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Tom Mens
 
SecoHealth 2019 Research Achievements
SecoHealth 2019 Research AchievementsSecoHealth 2019 Research Achievements
SecoHealth 2019 Research Achievements
Tom Mens
 
SECO-Assist 2019 research seminar
SECO-Assist 2019 research seminarSECO-Assist 2019 research seminar
SECO-Assist 2019 research seminar
Tom Mens
 
Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package Managers
Tom Mens
 
ConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker ContainersConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker Containers
Tom Mens
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
Tom Mens
 
On the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmOn the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npm
Tom Mens
 
How to increase the technical health of your software?
How to increase the technical health of your software?How to increase the technical health of your software?
How to increase the technical health of your software?
Tom Mens
 
"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk
Tom Mens
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystem
Tom Mens
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency network
Tom Mens
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency network
Tom Mens
 
Zoology 4th semester series (krishna).pdf
Zoology 4th semester series (krishna).pdfZoology 4th semester series (krishna).pdf
Zoology 4th semester series (krishna).pdf
Sumit Kumar yadav
 
Site Acceptance Test .
Site Acceptance Test .Site Acceptance Test .
Site Acceptance Test .
Poonam Aher Patil
 

More Related Content

More from Tom Mens

Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Tom Mens
 
Lost in Zero Space
Lost in Zero SpaceLost in Zero Space
Lost in Zero Space
Tom Mens
 
Evaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesEvaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messages
Tom Mens
 
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Tom Mens
 
Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)
Tom Mens
 
Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package Managers
Tom Mens
 
On the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmOn the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npm
Tom Mens
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency network
Tom Mens
 

More from Tom Mens (20)

Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
 
Lost in Zero Space
Lost in Zero SpaceLost in Zero Space
Lost in Zero Space
 
Evaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesEvaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messages
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!
 
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
 
On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystems
 
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
 
Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
 
SecoHealth 2019 Research Achievements
SecoHealth 2019 Research AchievementsSecoHealth 2019 Research Achievements
SecoHealth 2019 Research Achievements
 
SECO-Assist 2019 research seminar
SECO-Assist 2019 research seminarSECO-Assist 2019 research seminar
SECO-Assist 2019 research seminar
 
Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package Managers
 
ConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker ContainersConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker Containers
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
 
On the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmOn the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npm
 
How to increase the technical health of your software?
How to increase the technical health of your software?How to increase the technical health of your software?
How to increase the technical health of your software?
 
"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystem
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency network
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency network
 

Recently uploaded

9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 60009654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
Sapana Sha
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdf
PirithiRaju
 
Bacterial Identification and Classifications
Bacterial Identification and ClassificationsBacterial Identification and Classifications
Bacterial Identification and Classifications
Areesha Ahmad
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptx
gindu3009
 
Conjugation, transduction and transformation
Conjugation, transduction and transformationConjugation, transduction and transformation
Conjugation, transduction and transformation
Areesha Ahmad
 
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdfPests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
PirithiRaju
 
Connaught Place, Delhi Call girls :8448380779 Model Escorts | 100% verified
Connaught Place, Delhi Call girls :8448380779 Model Escorts | 100% verifiedConnaught Place, Delhi Call girls :8448380779 Model Escorts | 100% verified
Connaught Place, Delhi Call girls :8448380779 Model Escorts | 100% verified
Delhi Call girls
 
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune WaterworldsBiogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Sérgio Sacani
 

Recently uploaded (20)

Zoology 4th semester series (krishna).pdf
Zoology 4th semester series (krishna).pdfZoology 4th semester series (krishna).pdf
Zoology 4th semester series (krishna).pdf
 
Site Acceptance Test .
Site Acceptance Test .Site Acceptance Test .
Site Acceptance Test .
 
American Type Culture Collection (ATCC).pptx
American Type Culture Collection (ATCC).pptxAmerican Type Culture Collection (ATCC).pptx
American Type Culture Collection (ATCC).pptx
 
module for grade 9 for distance learning
module for grade 9 for distance learningmodule for grade 9 for distance learning
module for grade 9 for distance learning
 
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 60009654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdf
 
Forensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdfForensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdf
 
Bacterial Identification and Classifications
Bacterial Identification and ClassificationsBacterial Identification and Classifications
Bacterial Identification and Classifications
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptx
 
Conjugation, transduction and transformation
Conjugation, transduction and transformationConjugation, transduction and transformation
Conjugation, transduction and transformation
 
GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​
 
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdfPests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
 
Connaught Place, Delhi Call girls :8448380779 Model Escorts | 100% verified
Connaught Place, Delhi Call girls :8448380779 Model Escorts | 100% verifiedConnaught Place, Delhi Call girls :8448380779 Model Escorts | 100% verified
Connaught Place, Delhi Call girls :8448380779 Model Escorts | 100% verified
 
GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)
 
GBSN - Microbiology (Unit 3)
GBSN - Microbiology (Unit 3)GBSN - Microbiology (Unit 3)
GBSN - Microbiology (Unit 3)
 
FAIRSpectra - Enabling the FAIRification of Spectroscopy and Spectrometry
FAIRSpectra - Enabling the FAIRification of Spectroscopy and SpectrometryFAIRSpectra - Enabling the FAIRification of Spectroscopy and Spectrometry
FAIRSpectra - Enabling the FAIRification of Spectroscopy and Spectrometry
 
SAMASTIPUR CALL GIRL 7857803690 LOW PRICE ESCORT SERVICE
SAMASTIPUR CALL GIRL 7857803690 LOW PRICE ESCORT SERVICESAMASTIPUR CALL GIRL 7857803690 LOW PRICE ESCORT SERVICE
SAMASTIPUR CALL GIRL 7857803690 LOW PRICE ESCORT SERVICE
 
Botany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdfBotany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdf
 
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune WaterworldsBiogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
 

Package Freshness in Linux Distributions: Perception versus Reality

  • 1. Legay, Decan, Mens Damien Legay, Alexandre Decan, Tom Mens Software Engineering Lab University of Mons Package Freshness in Linux Distributions 1BENEVOL 2020 Software Evolution Research Seminar – 4 December 2020 Perception versus Reality
  • 2. Legay, Decan, Mens Linux Distributions 2Package Freshness in Linux Distributions
  • 3. Legay, Decan, Mens Linux distributions emphasise different qualities Distribution Divergence 3Package Freshness in Linux Distributions Stability Security Freshness Debian (stable) QubesOS Arch Linux CentOS Subgraph Gentoo Linux Mint Alpine Linux OpenSUSE Tumbleweed Package freshness: how up to date a package is compared to upstream
  • 4. Legay, Decan, Mens Mixed-methods research study: §Qualitative survey of users of Linux distributions § Published in ICSME2020 - NIER track § "On Package Freshness in Linux Distributions," International Conference on Software Maintenance and Evolution (ICSME 2020). DOI: 10.1109/ICSME46990.2020.00072 §Quantitative analyses of package freshness based on extracted historical data of Linux package distributions § Submitted / Under review 1 Package freshness 4Package Freshness in Linux Distributions
  • 5. Legay, Decan, Mens §170 participants surveyed: §CHAOSSCon Europe 2020 §FOSDEM 2020 §Linux fora §subreddits §Focus on: § Perception of package freshness § Importance of package freshness § Motivations to update packages § Mechanisms used to update packages Qualitative Survey of users of Linux distributions 5Package Freshness in Linux Distributions
  • 6. Legay, Decan, Mens Linux Distributions Used 6Package Freshness in Linux Distributions Distribution First Second Third Total Ubuntu (family) 47 46 43 117 Debian (family) 30 37 26 93 Red Hat (family) 33 33 25 91 Arch Linux 29 8 8 45 OpenSUSE (family) 21 13 5 39 Linux Mint 5 10 7 22 Slackware 2 2 1 5 Other distributions 3 6 5 14 Ranking of most-used distributions (up to 3)
  • 7. Legay, Decan, Mens Asked about 6 package categories: §Open source end-user software: LibreOffice, Firefox, GIMP… §Proprietary end-user software: Adobe Reader, Skype, Spotify… §Development tools: Emacs, Eclipse, git… §System tools and libraries: openSSL, zsh, sudo… §Programing language runtimes: Python, Java… §Programing language libraries: Numpy, Lodash… Package Categories 7Package Freshness in Linux Distributions
  • 8. Legay, Decan, Mens Perception of delay of package update deployment User Perception 8Package Freshness in Linux Distributions System Tools End-user Development ProgrammProgrammingEnd-user
  • 9. Legay, Decan, Mens Importance of Package Freshness 9Package Freshness in Linux Distributions How important is package freshness to respondents? system tools end-user open source dev. tools programming language runtimes programming language libraries end-user proprietary software Around 75% of respondents consider freshness at least moderately important, except for proprietary software.
  • 10. Legay, Decan, Mens Update Mechanisms Used 10Package Freshness in Linux Distributions Official community repositories are used whenever possible. Official repos Community repositories 3rd party managers Binaries Sources System Tools system tools end-user open source dev. tools programming language runtimes programming language libraries end-user proprietary software
  • 11. Legay, Decan, Mens §Extracted data from 6 popular Linux distributions: Arch, CentOS, Debian Stable, Debian Unstable, Fedora, Ubuntu §Selected 890 packages common to all 6 distributions §Selected snapshots of these packages: § At time of release for distributions with a point release policy § Daily for distributions with a rolling release policy §Observation period: [2015-01-01, 2020-01-01[ Quantitative Analysis 11Package Freshness in Linux Distributions
  • 12. Legay, Decan, Mens Proportion of packages not using the latest available version 12Package Freshness in Linux Distributions Vast discrepancy between distributions: from 10% (Arch) to 80% (CentOS)
  • 13. Legay, Decan, Mens Update Delay 13Package Freshness in Linux Distributions Time since a more recent version of the package has become available. Example: package postgresql in Ubuntu 17.04
  • 14. Legay, Decan, Mens Update Delay 14Package Freshness in Linux Distributions §Most packages in most distributions have < 3 months of update delay §In particular, 90% of Arch packages have very low update delay (under 10 days) §Contrasted by CentOS: Half of its packages have been superseded by another version by > 1 year
  • 15. Legay, Decan, Mens Version Lag 15Package Freshness in Linux Distributions §70% to 90% of packages lag behind by at most two versions in most distributions §CentOS: more than half the packages lay behind by 3+ versions, 20% by 10+ versions!
  • 16. Legay, Decan, Mens Comparing Package Freshness 16Package Freshness in Linux Distributions Ranking freshness of packages in distributions (1 = freshest, 6 = least fresh) Arch almost always ranked first, CentOS very often ranked last.
  • 17. Legay, Decan, Mens Perception versus Reality 17Package Freshness in Linux Distributions Perception Reality Arch packages deployed in official repositories in a few days 90% of packages updates deployed within 10 days Fedora and Ubuntu in the order of weeks 60% deployed in less than a month Debian Stable in the order of months 60%-70% deployed within a six- month delay (30% > 3 months) CentOS in the order of months 50% of packages outdated by over a year
  • 18. Legay, Decan, Mens §Users consider it important to keep packages fresh for different reasons: § security (90% of respondents) § bug fixing (88% of respondents) § benefiting from new features (66% of respondents) §Users rely on official repositories whenever possible è Important to have fresh packages in official repositories Conclusions 18Package Freshness in Linux Distributions
  • 19. Legay, Decan, Mens §Package freshness varies a lot in popular Linux distributions § Arch packages the most fresh § CentOS packages much less fresh than other distributions §Perception versus reality of package freshness? §User perception is mostly accurate §Exception: underestimating time for CentOS §Nearly a third of respondents do not know at least for specific package categories Conclusions 19Package Freshness in Linux Distributions
  • 20. Legay, Decan, Mens §Finer-grained study of package freshness §by package category §in distribution-agnostic package managers (Flatpak, Snap, AppImage, …) §Study trade-offs between freshness, security and stability § Latest version not necessarily most secure or stable § New versions introduce new features, and fix bugs and security issues… § … but also introduce new (undiscovered) bugs and vulnerabilities §Creation of historical database of package versions deployed in distributions and package upstream release dates Future Work 20Package Freshness in Linux Distributions