Legay, Decan, Mens
Damien Legay, Alexandre Decan, Tom Mens
Software Engineering Lab
University of Mons
Package Freshness in Linux Distributions: Perception versus Reality
BENEVOL 2020 Software Evolution Research Seminar – 4 December 2020

Linux Distributions

Distribution Divergence
Linux distributions emphasise different qualities:
• Stability: Debian (stable), CentOS, Linux Mint
• Security: QubesOS, Subgraph, Alpine Linux
• Freshness: Arch Linux, Gentoo, OpenSUSE Tumbleweed
Package freshness: how up to date a package is compared to upstream

Package freshness
Mixed-methods research study:
• Qualitative survey of users of Linux distributions
  - Published in ICSME 2020 - NIER track
  - "On Package Freshness in Linux Distributions," International Conference on Software Maintenance and Evolution (ICSME 2020). DOI: 10.1109/ICSME46990.2020.00072
• Quantitative analyses of package freshness based on extracted historical data of Linux package distributions
  - Submitted / Under review

Qualitative Survey of users of Linux distributions
• 170 participants surveyed:
  - CHAOSSCon Europe 2020
  - FOSDEM 2020
  - Linux fora
  - subreddits
• Focus on:
  - Perception of package freshness
  - Importance of package freshness
  - Motivations to update packages
  - Mechanisms used to update packages

Linux Distributions Used
Ranking of most-used distributions (up to 3)

Distribution          First  Second  Third  Total
Ubuntu (family)          47      46     43    117
Debian (family)          30      37     26     93
Red Hat (family)         33      33     25     91
Arch Linux               29       8      8     45
OpenSUSE (family)        21      13      5     39
Linux Mint                5      10      7     22
Slackware                 2       2      1      5
Other distributions       3       6      5     14

Package Categories
Asked about 6 package categories:
• Open source end-user software: LibreOffice, Firefox, GIMP…
• Proprietary end-user software: Adobe Reader, Skype, Spotify…
• Development tools: Emacs, Eclipse, git…
• System tools and libraries: OpenSSL, zsh, sudo…
• Programming language runtimes: Python, Java…
• Programming language libraries: NumPy, Lodash…

User Perception
Perception of delay of package update deployment
[Figure: one panel per package category]

Importance of Package Freshness
How important is package freshness to respondents?
[Figure: responses per package category: system tools, end-user open source, dev. tools, programming language runtimes, programming language libraries, end-user proprietary software]
Around 75% of respondents consider freshness at least moderately important, except for proprietary software.

Update Mechanisms Used
Official community repositories are used whenever possible.
[Figure: update mechanisms used (official repos, community repositories, 3rd party managers, binaries, sources) per package category: system tools, end-user open source, dev. tools, programming language runtimes, programming language libraries, end-user proprietary software]

Quantitative Analysis
• Extracted data from 6 popular Linux distributions: Arch, CentOS, Debian Stable, Debian Unstable, Fedora, Ubuntu
• Selected 890 packages common to all 6 distributions
• Selected snapshots of these packages:
  - At time of release for distributions with a point release policy
  - Daily for distributions with a rolling release policy
• Observation period: [2015-01-01, 2020-01-01[

Proportion of packages not using the latest available version
Vast discrepancy between distributions: from 10% (Arch) to 80% (CentOS)

Update Delay
Time since a more recent version of the package has become available.
Example: package postgresql in Ubuntu 17.04

Update Delay
• Most packages in most distributions have < 3 months of update delay
• In particular, 90% of Arch packages have very low update delay (under 10 days)
• Contrasted by CentOS: half of its packages have been superseded by another version by > 1 year

Version Lag
• 70% to 90% of packages lag behind by at most two versions in most distributions
• CentOS: more than half the packages lag behind by 3+ versions, 20% by 10+ versions!
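
The update delay and version lag metrics from the two slides above, computed for one package snapshot. This is an added example, not code from the study; the package history and dates are constructed, and the exact definitions used (delay counted from the first newer upstream release, lag as the number of newer upstream releases already published at snapshot time) are assumptions.

```python
from datetime import date

# Constructed upstream release history for a hypothetical package
# (version -> upstream release date). Not data from the study.
UPSTREAM = {
    "1.0.0": date(2016, 3, 1),
    "1.1.0": date(2016, 9, 1),
    "1.2.0": date(2017, 1, 1),
    "2.0.0": date(2017, 3, 1),
    "2.0.1": date(2017, 6, 1),
}


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple (assumed format)."""
    return tuple(int(part) for part in version.split("."))


def freshness(deployed, snapshot, upstream):
    """Return (update_delay_days, version_lag) for one package snapshot.

    update delay: days between the snapshot and the date the first upstream
                  version newer than the deployed one became available.
    version lag:  number of newer upstream versions available at the snapshot.
    Releases published after the snapshot date are ignored, so a package
    that was up to date when the snapshot was taken scores (0, 0).
    """
    if deployed not in upstream:
        # Distribution-specific version strings would need mapping first.
        raise ValueError(f"unknown upstream version: {deployed}")
    deployed_key = parse_version(deployed)
    newer_dates = sorted(
        released
        for version, released in upstream.items()
        if parse_version(version) > deployed_key and released <= snapshot
    )
    if not newer_dates:
        return 0, 0
    return (snapshot - newer_dates[0]).days, len(newer_dates)


def outdated_share(results):
    """Fraction of snapshots not using the latest available version."""
    if not results:
        return 0.0
    return sum(1 for _, lag in results if lag > 0) / len(results)


if __name__ == "__main__":
    # Constructed snapshots: (deployed upstream version, snapshot date).
    snapshots = [
        ("1.1.0", date(2017, 4, 11)),
        ("2.0.0", date(2017, 4, 11)),
        ("1.0.0", date(2018, 1, 1)),
    ]
    results = [freshness(v, d, UPSTREAM) for v, d in snapshots]
    for (version, day), (delay, lag) in zip(snapshots, results):
        print(f"{version} on {day}: delay={delay} days, lag={lag} versions")
    print(f"outdated share: {outdated_share(results):.2f}")
```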

Comparing Package Freshness
Ranking freshness of packages in distributions (1 = freshest, 6 = least fresh)
Arch almost always ranked first, CentOS very often ranked last.

Perception versus Reality
• Arch
  - Perception: packages deployed in official repositories in a few days
  - Reality: 90% of package updates deployed within 10 days
• Fedora and Ubuntu
  - Perception: in the order of weeks
  - Reality: 60% deployed in less than a month
• Debian Stable
  - Perception: in the order of months
  - Reality: 60%-70% deployed within a six-month delay (30% > 3 months)
• CentOS
  - Perception: in the order of months
  - Reality: 50% of packages outdated by over a year

Conclusions
• Users consider it important to keep packages fresh for different reasons:
  - security (90% of respondents)
  - bug fixing (88% of respondents)
  - benefiting from new features (66% of respondents)
• Users rely on official repositories whenever possible
→ Important to have fresh packages in official repositories

Conclusions
• Package freshness varies a lot in popular Linux distributions
  - Arch packages the most fresh
  - CentOS packages much less fresh than other distributions
• Perception versus reality of package freshness?
  - User perception is mostly accurate
  - Exception: underestimating time for CentOS
  - Nearly a third of respondents do not know, at least for specific package categories

Future Work
• Finer-grained study of package freshness
  - by package category
  - in distribution-agnostic package managers (Flatpak, Snap, AppImage, …)
• Study trade-offs between freshness, security and stability
  - Latest version not necessarily most secure or stable
  - New versions introduce new features, and fix bugs and security issues…
  - … but also introduce new (undiscovered) bugs and vulnerabilities
• Creation of historical database of package versions deployed in distributions and package upstream release dates
