DI-UMONS: Institutional repository of the University of Mons

2020-12-03 - Conference/Presentation - oral communication - English - 1 page(s)

Legay Damien, Decan Alexandre, Mens Tom, "A mixed-method approach to analysing package freshness in Linux distributions" in Belgium-Netherlands Software Evolution Workshop (BENEVOL), Luxembourg, Luxembourg, 2020

  • CREF codes: Applied computer science, software (DI2570)
  • UMONS research units: Software Engineering (S852)
  • UMONS institutes: Institut de Recherche en Technologies de l’Information et Sciences de l’Informatique (InforTech), Institut de Recherche sur les Systèmes Complexes (Complexys)
Abstract(s):

(English) The Linux operating system comes in a variety of distributions. These distributions incorporate the Linux kernel and a host of third-party packages, which provide much of the end-user functionality of the distribution. Distribution maintainers have the difficult task of ensuring that these packages are and remain in good working order, free of security vulnerabilities, and continuously adapted to meet the ever-evolving needs of their users. These concerns are sometimes in conflict, which leads distributions to adopt different philosophies. As a result, not only do distributions offer a different set of packages, but the packages they have in common are present in different versions. We define package freshness as the difference, in time and number of versions, between a package's latest version available and the one deployed in a given distribution. Through quantitative empirical analyses, we assess and compare the freshness of 890 common packages in six mainstream distributions: Arch Linux, CentOS, Debian Stable, Debian Unstable, Fedora and Ubuntu. We find that the proportion of outdated packages (packages making use of older versions) varies greatly between Linux distributions, from 10% in Arch Linux to 80% in CentOS, and that, despite being a development distribution, a significant proportion of packages in Debian Unstable are outdated. However, when quantifying the amplitude, in terms of time and number of versions, of the outdatedness of the packages in the selected distributions, we find that most packages in most distributions are relatively fresh: 70% to 90% of package versions in 4 out of 6 distributions are less than 3 months older than the latest available version. CentOS is the exception: half of its packages are outdated by more than a year and a further 10% by more than 6 months. In five out of six distributions, 80% of packages are fewer than two versions behind the latest available.
CentOS is again an exception: more than half of its packages are outdated by more than two versions. If we examine the opportunity to update packages (the time since a more recent version than the one deployed has been available), we again see a vast discrepancy between CentOS and other distributions: whereas most packages in other distributions had 3 months or fewer of opportunity to be updated, in CentOS more than half the packages could have been updated for more than a year. This is compounded by the fact that many packages in CentOS have not been updated in years: 41% of CentOS 7.7's packages have not been updated since CentOS 7.1, despite already being outdated then. For instance, package swig is found in version 2.0.10 in CentOS 7.1 through 7.7. Version 2.0.10 was already outdated by 5 versions at the release of CentOS 7.1 and by 21 versions by the time CentOS 7.7 was released. The latest version of swig at that point was 4.0.0. In our other distributions, this phenomenon is rare, only concerning <= 2% of packages. In all distributions, a large minority of the outdated packages have not been updated for a long time: at least 30% of outdated packages are missing more than a year of updates. We contrast the quantitative results obtained with qualitative surveys of Linux users conducted in prior work in order to assess the relationship between user perception and reality. As that survey revealed that users consider package freshness to be important, we order distributions in terms of the freshness of their packages with Arch Linux as the most fresh, followed by the trio of Fedora, Ubuntu and Debian Unstable, then by Debian Stable and finally, by CentOS. We conclude that users who value package freshness should choose between Arch Linux, Ubuntu and Fedora as their distribution of choice, since most packages in those distributions are up-to-date, and those that are not are rarely outdated by more than a single version.
In future work, we will study the reasons why packages are not up to date: concerns of stability, concerns of security or simple lack of time to assess updates on the part of distribution maintainers. We'll investigate those reasons and see if we can explain discrepancies in package freshness between distributions.