Open access

Surviving Software Dependencies: Software reuse is finally here but comes with risks.

Published: 01 April 2019

Abstract

Software reuse is finally here, and its benefits should not be understated, but we’ve accepted this transformation without completely thinking through the potential consequences. The Copay and Equifax attacks are clear warnings of real problems in the way software dependencies are consumed today. There’s a lot of good software out there. Let’s work together to find out how to reuse it safely.




    Published In

    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 01 April 2019
    Published in QUEUE Volume 17, Issue 2


    Qualifiers

    • Research-article
    • Popular
    • Editor picked

    Article Metrics

    • Downloads (Last 12 months): 5,373
    • Downloads (Last 6 weeks): 469
    Reflects downloads up to 16 Oct 2024

    Cited By

    • (2024) Dataset: Copy-based Reuse in Open Source Software. Proceedings of the 21st International Conference on Mining Software Repositories, pp. 42-47. DOI 10.1145/3643991.3644868. Online publication date: 15-Apr-2024.
    • (2024) See to Believe: Using Visualization to Motivate Updating Third-Party Dependencies. 2024 21st International Joint Conference on Computer Science and Software Engineering (JCSSE), pp. 618-625. DOI 10.1109/JCSSE61278.2024.10613740. Online publication date: 19-Jun-2024.
    • (2023) Software Reuse Approach Based on Review and Analysis of Reuse Risks from Projects Uploaded to GitHub. Computer Science and Education in Computer Science, pp. 144-155. DOI 10.1007/978-3-031-44668-9_11. Online publication date: 11-Oct-2023.
    • (2022) V-Achilles: An Interactive Visualization of Transitive Security Vulnerabilities. Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, pp. 1-4. DOI 10.1145/3551349.3559526. Online publication date: 10-Oct-2022.
