September 27-30, 2021
Seattle, Washington, USA + Virtual
Wednesday, September 29 • 2:45pm - 3:35pm
(IN-PERSON) A Complex Web of Open Source Software Dependencies Risk - Sean Goggins, University of Missouri & CHAOSS Project

Today, software project development is nearly impossible without the use of interdependent components. These interdependencies have such a strong impact that software projects often fail when an open source library they depend on malfunctions or disappears. This was observed in the npm ecosystem in 2016, when a package author unpublished left-pad, an 11-line module he maintained, from the registry, breaking the builds of many projects that depended on it, most of them only transitively. This presentation will present a synthesis of the complexity of managing dependencies, and the relationship between open source software dependency metrics, quality assurance, and security. Members of the CHAOSS Risk working group will answer a simple yet complex question: what are the categories of open source software dependencies, and what metrics can make these risks visible? Participants will gain insights into:
  • What to measure?
  • How to measure dependency risks?
To answer these questions we worked across Linux Foundation projects to identify various dependency issues, and developed a set of metrics based on a Goal-Question-Metric (GQM) approach. The metrics we then implemented using the CHAOSS Project's Augur software will demonstrate one approach for visualizing and assessing dependency risk across large project portfolios. The key takeaway is that it is worth measuring the riskiness of a piece of software you are using or dependent on.
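To make the dependency risk described above concrete, here is an added example (it is not code from the talk, the CHAOSS project, or Augur) that follows the Goal-Question-Metric pattern on one lockfile. Goal: know which packages can take the project down. Question: if a single package vanished, how much of the tree would break? Metric: each package's blast radius, the number of packages (including the root project) that transitively depend on it, alongside its depth and total transitive dependency count. The package-lock.json content below is constructed for the example and every package name in it is fictitious; the parser assumes npm lockfileVersion 2 or 3 layout and collapses multiple versions of one package into a single node.

```python
"""Dependency-risk metrics from an npm package-lock.json (lockfileVersion 2/3)."""
import json
from collections import deque

ROOT = "<root>"

# Constructed sample lockfile for this example (not a real project).
# In v2/v3 lockfiles "packages" is keyed by install path; "" is the root project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "1.0.0", "cli-colors": "2.0.0"}},
        "node_modules/web-framework": {"version": "1.0.0",
            "dependencies": {"template-engine": "3.1.0", "string-utils": "1.2.0"}},
        "node_modules/template-engine": {"version": "3.1.0",
            "dependencies": {"string-utils": "1.2.0"}},
        "node_modules/cli-colors": {"version": "2.0.0",
            "dependencies": {"string-utils": "1.2.0"}},
        "node_modules/string-utils": {"version": "1.2.0",
            "dependencies": {"pad-left": "0.1.0"}},
        "node_modules/pad-left": {"version": "0.1.0"},
    },
})


def _name_from_path(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; '' -> ROOT."""
    if path == "":
        return ROOT
    return path.rsplit("node_modules/", 1)[-1]


def build_graph(lock_json):
    """Return {package: set(direct dependencies)} with every package as a key.
    Versions are collapsed: two installed copies of a package become one node."""
    lock = json.loads(lock_json)
    graph = {}
    for path, entry in lock.get("packages", {}).items():
        name = _name_from_path(path)
        deps = set(entry.get("dependencies", {})) | set(entry.get("optionalDependencies", {}))
        graph.setdefault(name, set()).update(deps)
        for dep in deps:
            graph.setdefault(dep, set())
    return graph


def depths(graph, root=ROOT):
    """Shortest dependency-chain length from root to each reachable package (BFS)."""
    seen = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, ()):
            if dep not in seen:
                seen[dep] = seen[node] + 1
                queue.append(dep)
    return seen


def dependents(graph):
    """Reverse edges: {package: set(packages that directly depend on it)}."""
    rev = {node: set() for node in graph}
    for node, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(node)
    return rev


def blast_radius(graph, pkg, rev=None):
    """All packages (root included) that transitively depend on pkg.
    This is the set that breaks if pkg is unpublished or compromised."""
    rev = dependents(graph) if rev is None else rev
    seen = set()
    queue = deque([pkg])
    while queue:
        node = queue.popleft()
        for upstream in rev.get(node, ()):
            if upstream not in seen:          # 'seen' also guards against cycles
                seen.add(upstream)
                queue.append(upstream)
    return seen


def risk_report(lock_json, root=ROOT):
    """Per-package metrics, sorted so the largest blast radius comes first."""
    graph = build_graph(lock_json)
    depth = depths(graph, root)
    rev = dependents(graph)
    rows = []
    for pkg in graph:
        if pkg == root:
            continue
        rows.append({
            "package": pkg,
            "depth": depth.get(pkg),              # None if not reachable from root
            "direct": pkg in graph[root],
            "blast_radius": len(blast_radius(graph, pkg, rev)),
        })
    rows.sort(key=lambda r: (-r["blast_radius"], r["package"]))
    return {"transitive_count": len(depth) - 1,
            "max_depth": max(depth.values()),
            "packages": rows}


if __name__ == "__main__":
    report = risk_report(SAMPLE_LOCK)
    print(f"transitive deps: {report['transitive_count']}, max depth: {report['max_depth']}")
    for row in report["packages"]:
        print(f"{row['package']:<16} depth={row['depth']} direct={row['direct']!s:<5} "
              f"blast_radius={row['blast_radius']}")
```

Run against the sample, the deepest and least visible package, pad-left, tops the report: it is not a direct dependency, sits three levels down, yet every other package and the root project break without it. That inversion (the smallest, most buried dependency carrying the largest blast radius) is exactly what the left-pad incident exposed, and it is the kind of signal that never appears in a package.json, only in the resolved graph.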

Sean Goggins

Professor, University of Missouri
Sean is an open source software researcher and a founding member of the Linux Foundation's working group on community health analytics for open source software (CHAOSS), co-lead of the CHAOSS metrics software working group and leader of the open source metrics tool Augur, which can...

Wednesday September 29, 2021 2:45pm - 3:35pm PDT
  OS Dependability