11 Dec 2021
A complex web of open source software dependencies risk
Today, software project development is nearly impossible without the use of interdependent components. These interdependencies have such a strong impact that software projects often fail if an open-source project library malfunctions. This was observed in the NPM project, when an open-source project contributor deleted 11 lines of code that he had contributed to an open-source library causing many other projects dependent on this library to fail. This presentation will present a synthesis of the complexity of managing dependencies, and the relationship between open source software dependency metrics, quality assurance, and security. Members of the CHAOSS Risk working group will answer a simple yet a complex question: what are the categories of open source software dependencies, and what metrics can make these risks visible. Participants will gain insights into: 1. What to measure? And 2. How to measure dependency risks? To answer these questions we worked across Linux Foundation projects to identify various dependency issues, and develop a set of metrics based on: 1. Goal 2. Question 3. Metric Approach. The metrics we then implemented using the CHAOSS Project’s Augur software will demonstrate one approach for visualizing and assessing dependency risk across large project portfolios. The key takeaway is it is work measuring the riskiness of a piece of software you're using or dependent on.
Today, software project development is nearly impossible without the use of interdependent components. These interdependencies have such a strong impact that software projects often fail if an open-source project library malfunctions. This was observed in the NPM project, when an open-source project contributor deleted 11 lines of code that he had contributed to an open-source library causing many other projects dependent on this library to fail. This presentation will present a synthesis of the complexity of managing dependencies, and the relationship between open source software dependency metrics, quality assurance, and security. Members of the CHAOSS Risk working group will answer a simple yet a complex question: what are the categories of open source software dependencies, and what metrics can make these risks visible. Participants will gain insights into: 1. What to measure? And 2. How to measure dependency risks? To answer these questions we worked across Linux Foundation projects to identify various dependency issues, and develop a set of metrics based on: 1. Goal 2. Question 3. Metric Approach. The metrics we then implemented using the CHAOSS Project’s Augur software will demonstrate one approach for visualizing and assessing dependency risk across large project portfolios. The key takeaway is it is work measuring the riskiness of a piece of software you're using or dependent on.
- 3 participants
- 12 minutes
11 Dec 2021
Building Metrics Models Based on the State of the Art Best Practices
The purpose of defining metrics is to continuously improve the workflow, empower open source projects with the capabilities of governance, operation, and development. We looked into some best practices of the benchmarking communities in the industry on how they measure and govern the project, and constantly explored which metrics and factors will affect the results of measurements. This talk will further seek connections among the current metrics and build a set of models, not only to address existing problems in communities, but also to predict the direction of future community development.
The purpose of defining metrics is to continuously improve the workflow, empower open source projects with the capabilities of governance, operation, and development. We looked into some best practices of the benchmarking communities in the industry on how they measure and govern the project, and constantly explored which metrics and factors will affect the results of measurements. This talk will further seek connections among the current metrics and build a set of models, not only to address existing problems in communities, but also to predict the direction of future community development.
- 2 participants
- 18 minutes
11 Dec 2021
CHAOSS DEI Badging - From There to Here
The CHAOSS project would like to share our experience developing, and implementing a peer reviewed event badging program. The value of appreciating and acknowledging diversity, equity, and inclusion (DEI) in open source communities is underestimated. It is critical to bring together people with different backgrounds, mindsets, ideas and experiences to work for a common cause. The CHAOSS Diversity, Equity, and Inclusion Badging Initiative awards badges to events based on their adherence to and prioritization of DEI best practices. The initiative aims to increase understanding of project and event practices that encourage greater diversity and wider inclusion of people from different backgrounds. This presentation will provide a holistic view of: * The CHAOSS DEI Badging Initiative * Examples of badged events and lessons learned from the process * Ideas on how the badging process may be improved In particular, we will highlight the people, technologies, and processes that have made the CHAOSS DEI Badging Initiative a success to date.
The CHAOSS project would like to share our experience developing, and implementing a peer reviewed event badging program. The value of appreciating and acknowledging diversity, equity, and inclusion (DEI) in open source communities is underestimated. It is critical to bring together people with different backgrounds, mindsets, ideas and experiences to work for a common cause. The CHAOSS Diversity, Equity, and Inclusion Badging Initiative awards badges to events based on their adherence to and prioritization of DEI best practices. The initiative aims to increase understanding of project and event practices that encourage greater diversity and wider inclusion of people from different backgrounds. This presentation will provide a holistic view of: * The CHAOSS DEI Badging Initiative * Examples of badged events and lessons learned from the process * Ideas on how the badging process may be improved In particular, we will highlight the people, technologies, and processes that have made the CHAOSS DEI Badging Initiative a success to date.
- 1 participant
- 7 minutes
11 Dec 2021
Characterizing and Detecting Incivility in Open Source Code Review Discussions
Code review is an important quality assurance activity for open source software development. Yet, code review discussions among developers and maintainers can be heated and sometimes involve personal attacks and unnecessary disrespectful comments, demonstrating, therefore, incivility. Although incivility in public discussions has received increasing attention from researchers in different domains, the understanding of this phenomenon is still very limited in the context of software development and, more specifically, code review. To address this gap, this proposed talk will present the results of a qualitative analysis conducted on 1,545 emails from the Linux Kernel Mailing List (LKML) that were associated with rejected changes. From this analysis, we identified the features of discussion of civil and uncivil communication as well as the causes and consequences of uncivil communication. Based on our results and with the goal to create healthier and more attractive open source communities, we will also discuss in this talk (i) approaches that could be used to address incivility before and after it happens, (ii) pitfalls to avoid when trying to automatically detect incivility, and (iii) heuristics for detecting incivility in code review discussions.
Code review is an important quality assurance activity for open source software development. Yet, code review discussions among developers and maintainers can be heated and sometimes involve personal attacks and unnecessary disrespectful comments, demonstrating, therefore, incivility. Although incivility in public discussions has received increasing attention from researchers in different domains, the understanding of this phenomenon is still very limited in the context of software development and, more specifically, code review. To address this gap, this proposed talk will present the results of a qualitative analysis conducted on 1,545 emails from the Linux Kernel Mailing List (LKML) that were associated with rejected changes. From this analysis, we identified the features of discussion of civil and uncivil communication as well as the causes and consequences of uncivil communication. Based on our results and with the goal to create healthier and more attractive open source communities, we will also discuss in this talk (i) approaches that could be used to address incivility before and after it happens, (ii) pitfalls to avoid when trying to automatically detect incivility, and (iii) heuristics for detecting incivility in code review discussions.
- 1 participant
- 19 minutes
11 Dec 2021
Keynote: All of the People, All of the Time: A holistic approach to building empowered open source culture in your organization
As an ecosystem, open source has been making vast improvements in how we think about and design for community and contributor success. What's lacking is an investment, and common language needed to build healthy open source culture inside organizations; the success of which can have direct and lasting impact in communities, and the products we're working on together. In this talk, Emma will share how she evaluates and designs for a healthy, and inclusive open source culture within Microsoft using building blocks of empowerment, purpose, trust and belonging.
As an ecosystem, open source has been making vast improvements in how we think about and design for community and contributor success. What's lacking is an investment, and common language needed to build healthy open source culture inside organizations; the success of which can have direct and lasting impact in communities, and the products we're working on together. In this talk, Emma will share how she evaluates and designs for a healthy, and inclusive open source culture within Microsoft using building blocks of empowerment, purpose, trust and belonging.
- 2 participants
- 33 minutes
11 Dec 2021
Mystic - An initial effort in academic metrics, impact and community
The last few years have seen a significant uptick in interest in the concept of Open Source Program Offices in academic and governmental entities. Last year the EU adopted an Open Source Strategy for 2020-2023. This year, the United States, The National Academies for Science, Engineering and Mathematics, has called for presidents and provosts of colleges and universities to significantly increase support for Open Work across all colleges and universities in the US. This panel will start with members of the OSPO++ working group (that meets regularly to encourage the creation of municipal and academic OSPOs) will briefly introduce attendees to the needs of these developer and user communities. It will then move to a demo of Mystic, and Open@RIT effort to use GrimoireLab to collect data and display data on faculty Open Work contributions. Questions for all panelists will be encouraged in the last ten minutes.
The last few years have seen a significant uptick in interest in the concept of Open Source Program Offices in academic and governmental entities. Last year the EU adopted an Open Source Strategy for 2020-2023. This year, the United States, The National Academies for Science, Engineering and Mathematics, has called for presidents and provosts of colleges and universities to significantly increase support for Open Work across all colleges and universities in the US. This panel will start with members of the OSPO++ working group (that meets regularly to encourage the creation of municipal and academic OSPOs) will briefly introduce attendees to the needs of these developer and user communities. It will then move to a demo of Mystic, and Open@RIT effort to use GrimoireLab to collect data and display data on faculty Open Work contributions. Questions for all panelists will be encouraged in the last ten minutes.
- 5 participants
- 32 minutes
11 Dec 2021
Why we join and why we leave open source communities
This talk will present the preliminary results from 40 interviews with corporate open source contributors. We asked them "what project characteristics do they look at when making decisions about joining an open source community" and "what project characteristics may influence their decision to leave a community".
This talk will present the preliminary results from 40 interviews with corporate open source contributors. We asked them "what project characteristics do they look at when making decisions about joining an open source community" and "what project characteristics may influence their decision to leave a community".
- 6 participants
- 20 minutes
