Challenges of Tracking and Documenting Open Source Dependencies in Products: A Case Study (OSS 2020 Paper)

Software vendors need to manage the dependencies of the open source components used in their products. Without this management, license compliance would be impossible, export restrictions could not be maintained, and security vulnerabilities would remain unknown to the vendor. The management of these dependencies has grown in an ad-hoc fashion in most companies. As such, vendors find it hard to learn from each other and improve practices. To address this problem, we performed exploratory single-case study research at one large established software vendor. We gathered and analyzed the key challenges of tracking and documenting open source dependencies in products. We wanted to understand whether these ad-hoc solutions could be based on a single unified conceptual model for managing dependencies. Our study suggests that underlying the various point solutions that we found at this vendor lies a conceptual model that we tentatively call the product (architecture) model. In future cross-vendor work, we will investigate whether this conceptual model can be expanded to become a unifying model for all open source dependency management.


The Ecosystem of openKONSEQUENZ, a User-Led Open Source Foundation (OSS 2020 Paper)

Companies without expertise in software development can opt to form consortia to develop open source software to meet their needs, as an alternative to the build-or-buy decision. Such user-led foundations are little understood, due to a limited number of published examples. In particular, almost nothing is known about the ecosystems surrounding user-led foundations. Our work seeks to address this gap, through an exploratory qualitative survey of openKONSEQUENZ, from the German energy sector. We find that the technological goals are quite homogeneous, independent of a participant’s role in the ecosystem, but that economic conflicts exist between foundation members and supplier companies due to the consortium’s efforts to transform the software market structure to limit dependency on specific vendors.


Pattern Discovery and Validation Using Scientific Research Methods (Technical Report)

Abstract: Pattern discovery, the process of discovering previously unrecognized patterns, is usually performed as an ad-hoc process with little resulting certainty in the quality of the proposed patterns. Pattern validation, the process of validating the accuracy of proposed patterns, has rarely gone beyond the simple heuristic of “the rule of three”. This article shows how to use established scientific research methods for the purpose of pattern discovery and validation. The result is an approach to pattern discovery and validation that can provide the same certainty that traditional scientific research methods can provide for the theories they are used to validate. This article describes our approach and explores its usefulness for pattern discovery and evaluation in a series of studies.

Keywords: Patterns, pattern discovery, pattern validation, theory codification, theory building and evaluation, research design

Reference: Riehle, D., Harutyunyan, N., & Barcomb, A. (2020). Pattern Discovery and Validation Using Scientific Research Methods. Friedrich-Alexander-Universität Erlangen-Nürnberg, Dept. of Computer Science, Technical Reports, CS-2020-01, February 2020.

The article is available as a PDF file and on FAU’s OPUS server.

Managing the Open Source Dependency (Tomas Gustavsson, IEEE Computer Column)

I’m happy to report that the sixth article in the Open Source Expanded column of IEEE Computer has been published.

Title: Managing the open source dependency
Keywords: Computer Applications, Open Source Software
Authors: Tomas Gustavsson, PrimeKey
Publication: Computer vol. 53, no. 2 (February 2020), pp. 83-87

Abstract: Organizations use open source software in a majority of computer application programs. Here we describe some of the technical challenges and offer recommendations about how to manage open source software dependencies and avoid the most common pitfalls that might be encountered through decision-making, automated scanning, upgrading, and strategic contributions.

As always, the article is freely available (local copy).

Also, check out the full list of articles.

Industry Best Practices for FLOSS Governance and Component Reuse (EuroPLoP 2019)

Abstract: Corporate use of open source in software products is on the rise. While this brings a number of technological and business benefits to companies, it also comes with potential legal and financial risks caused by license non-compliance and ungoverned use of open source components. Companies address these threats with free/libre and open source software (FLOSS) governance – internal guidelines and processes for using open source components in products. An essential aspect of FLOSS governance is component reuse and component repository, which enable efficient governance for the previously used components by the company’s developers. In our study, we aimed to identify the current industry best practices for FLOSS governance and component reuse. We conducted 15 expert interviews in companies with high governance maturity, analyzed these interviews and derived 19 best practices cast in the pattern format of context-problem-solution. The format was inspired by design patterns and enables higher applicability of our research results by practitioners. The 19 best practices form a handbook on FLOSS governance and component reuse that also includes workflows connecting the individual practices into process templates.

Keywords: Open Source Software, FLOSS, FOSS, Open Source Governance, Best Practice, Commercial Use of Open Source, Component Repository, Component Reuse, Industry Best Practice, Introduction of FLOSS in Companies, Pattern, Pattern Language

Reference: Harutyunyan, N., & Riehle D. (2019). Industry Best Practices for FLOSS Governance and Component Reuse. In Proceedings of the 24th European Conference on Pattern Languages of Programs (EuroPLoP 2019). ACM, article no. 21.

The paper is available as a PDF file.

How to Select Open Source Components (Diomidis Spinellis, IEEE Computer Column)

I’m happy to report that the fifth article in the new Open Source Expanded column of IEEE Computer has been published.

Title: How to select open source components
Keywords: Open Source Software, Licenses, Documentation, Computer Bugs, Software Project Management
Authors: Diomidis Spinellis, Athens University of Economy and Business
Publication: Computer vol. 52, no. 12 (December 2019), pp. 103-106

Abstract: With millions of open source projects available on forges such as GitHub, it may be difficult to select those that best match your requirements. Examining each project’s product and development process can help you confidently select the open source projects required for your work.

As always, the article is freely available (local copy).

Also, check out the full list of articles.

Getting Started With Open Source Governance (Jeff McAffer, IEEE Computer Column)

I’m happy to report that the fourth article in the new Open Source Expanded column of IEEE Computer has been published.

Title: Getting Started With Open Source Governance
Keywords: Companies, Licenses, Security, Software, Law
Authors: Jeff McAffer, GitHub
Publication: Computer vol. 52, no. 10 (October 2019), pp. 92-96

Abstract: Using and managing open source is essential in modern software development. Here we lay out a framework for thinking about open source engagement and highlight the key steps in getting started.

As always, the article is freely available (local copy).

Also, check out the full list of articles.

Industry Best Practices for Corporate Open Sourcing (HICSS 53)

Abstract: Companies usually don’t share the source code for the software they develop. While this approach is justified in software that constitutes differentiating intellectual property, proprietary development can lead to redundant development and other opportunity costs. In response, companies are increasingly open sourcing some if not all of their non-differentiating software. Given the limited academic research on this emerging topic, we bridge the gap between industry and academia by taking a practice-based approach. We investigate why and how companies engage in corporate open sourcing. We take an exploratory case study approach. Our cases are four companies with multi-billion-dollar revenues each: A major e-commerce company based in Germany; a leading social networking service company based in the USA; a cloud computing software company based in the USA; and a manufacturing and media software company based in the USA. We present the resulting theory in an actionable format of state-of-the-art best practice patterns.

Reference: Harutyunyan, N., Riehle, D., & Sathya, G. (2020). Industry Best Practices for Corporate Open Sourcing. In Proceedings of the 53rd Hawaii International Conference on System Sciences (HICSS 2020), pp. 5849-5858.

Download: The paper is available as a PDF file.

The JDownloader Immune System for Continuous Deployment (HICSS 53)

Abstract: Continuous deployment can reduce the time from a source code change to a newly deployed application significantly. Increased innovation speed can make all the difference in a competitive market situation. However, deploying at high frequency requires high speeds of discovering bugs in the deployed software. Using the JDownloader file download manager as our example, we present a fitness model to evaluate continuously deployed software during operation for expected behavior, present the design and implementation of a monitoring component, and evaluate the model and its implementation using data from JDownloader’s multi-million member strong user base. Our evaluation finds that there had been thousands of undetected bugs, and that newly created bugs can be detected and reported 16 times faster than before.

Keywords: Continuous deployment, continuous delivery, immune system

Reference: Rechenmacher, T., Riehle, D., & Weber, M. (2020). The JDownloader Immune System for Continuous Deployment. In Proceedings of the 53rd Hawaii International Conference on System Sciences (HICSS 2020), pp. 6559-6568.

Download: The paper is available as a PDF file.

What Microservices Can Learn From Enterprise Information Integration (HICSS 53)

Abstract: Microservices are an architectural style in which each service typically provides the complete stack of functions from a user or application programming interface through a domain model all the way to storage for that model. As a consequence, querying conjunct data from different microservices becomes a non-trivial engineering task. In this article, we review older and established general data integration theory in the enterprise context and then compare current microservice practice with enterprise information integration (EII) theory as an established approach to data integration. We find that microservices do not utilize all possible approaches for data integration that are common in enterprises. Specifically, microservices use middleware only partially and databases are not used at all to integrate data. Therefore, we further investigate whether, when, and how these two approaches can be used in a microservices context and present our findings. With our findings, we (i) clear the way for fellow researchers to investigate and improve unused integration strategies with microservices and (ii) raise the awareness of practitioners that some integration strategies may not work out of the box with microservices as they do in EII.

Keywords: Microservices, data integration, enterprise information integration, EII

Reference: Schwarz, G. & Riehle, D. (2020). What Microservices Can Learn From Enterprise Information Integration. In Proceedings of the 53rd Hawaii International Conference on System Sciences (HICSS 2020), pp. 5513-5522.

Download: The paper is available as a PDF file.