Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
CHAOSS / Risk Working Group / 27 Jan 2022
CHAOSS / Risk Working Group / 27 Jan 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: CHAOSS Risk Working Group 1/27/22

Description

Links to minutes from this meeting are on https://chaoss.community/participate.

A

And welcome to the late recording of the risk working group um we've.

B

Been going for a while, and we forgot to record sean.

A

Sean forgot, even though he went through the trouble of logging in as the chaos user. To do so so we're going to focus on defect resolution time as a as a new metric and can.

C

I can ask you a question about that: yeah.

A

Yeah.

C

Right versus bug.

A

um I I have.

D

No religion.

A

I don't know I don't have religion about the term. Do we want to call it bug, resolution time.

B

All these metrics are more formal, so I would say call it defect uh because I think some people there are formal definitions of defect and I think bug is just an informal name for the same thing.

C

Well, I'm also thinking about in the context of risk, where a for me is more specific to something that doesn't work, whereas a bug could also be something more insidious like a security vulnerability like I like, or could lead to that. So I'm just kind of in the.

B

Presuming it's unintentional, I wouldn't perceive a difference now. You could argue that if it's a malicious code intentionally put in it's, not a defect, but it's also not a bug.

A

Dwayne, what do you call? What do you call him at uh indeed,.

A

Is dwayne still here? Did he drop.

D

Oh, I'm still, no, I I'm still here um we probably call them gosh. We probably call them bugs. um uh When I, when I I was, I was checking for reference for what we have in the metrics tracking sheet, um which has bugs in at least three fields, and then you called my name. I didn't get a chance to search for defects, but- um and this may be the.

E

Conversation.

D

While we're having at the beginning but um defect versus bug versus issue.

D

Versus feature on github are all the same unless they're labeled right right.

A

Well,.

B

Github is issues are just the way of tracking comments of some kind. Some.

F

Are feature.

B

Requests, some are defects, um let's see here: ieee 1044, 2009, ieee, standard classification for software anomalies and immediately I find the word defects.

A

So the thing I want to avoid david is like you and I are both software engineering nerds and we know the quantitative meaning of defect and ieee rules like I teach software engineering and that's the word I use, but I think colloquially the word in practice. People who are not as big of software engineering nerds as we are pro it seems like they might use, bug and recognize that term more, which is why I kind of asked dwayne what he thought and I don't know I would guess, kate. You are also yeah and use defect.

A

Well,.

G

I I also think it's probably a good idea for us to standardize on defect, because people do understand that bugs are defects and also that will give us a bridge into the software engineering discipline, as well as a lot of the safety engineering.

C

I was also thinking defect will translate better and we assume that other people in other parts of the world use the word bug, but I live in the u.s and recognize my own limitations on that knowledge. That's a good point.

A

Yeah bugs need some.

E

Protein.

A

Somewhere.

E

But further in the new template, we have this option of synonyms where we can report bugs. Issues like the defect is also known as bugs and other things.

B

Right be careful, don't issue is not a synonym, but, and defect is a synonym um well, at least at least in in, I think they're of them as synonyms, whether or not other people think of them as the synonyms. But I would prefer defect just because as soon as you enter the world of of uh formal stuff- and you start.

F

Talking.

B

To other engineers, uh they don't call these bugs. So if you start talking to hardware engineers, particularly outside of computing, a material science person knows all about defects, they don't know what a bug is.

G

I do consider, though, that an issue is a synonym potentially as well for a defect just because it's become so pervasive.

B

I I don't think so, uh and I think github is absolutely responsible for making those two words different. Most issues aren't defects, most issues are feature requests and some of them are customer support, requests.

F

Not in not attempting to boil the ocean in this discussion, but I the thing the one of the most heated arguments I've had with somebody on github was whether my software not doing the thing they wanted it to do was a bug or not.

E

My strong.

F

My strong assertion was, I never intended for it to do that. So it's not a bug, it's a missing feature and they said that's a bug and I said I strongly disagree. You.

B

Know what the project gets to decide their.

F

Scope, this is how we resolved it. I said this is my project, and so I'm saying that what you're asking for is a new feature which I do not want to build and so yep, but to your point, though, I think a lot of issues are um often tracked as feature requests. I.

A

um I added that undocumented feature is a synonym for defect just um in a joking manner. Here.

G

Just to just be from octave okay, frank.

A

Let's try to see if he's paying attention to what's being typed on the screen, yeah.

B

But by the way I will note that I have worked in in-house as well as proprietary and um uh the hey. It doesn't do what I want it to do. Therefore, it's a bug is not limited to the open source software world. No.

F

Right right, of course, yeah.

A

So so often, what we'll do in a working group when we start to create a new metric is we'll maybe pause the recording and actually collaboratively edit some draft of this into place. uh Folks up for that.

E

John, I don't have added access to the document. I don't know whether others.

A

Heaven I swear. I yeah. Oh, oh, wait a minute I messed up, but.

E

You know yeah, we.

A

Editor sorry yeah eventually.

B

We may want to change that, but I got it for now.

A

That that is, uh that is that's thanks for pointing that out, if an odd, because that was just a failure on my part, I think the link is probably the same, but just in case it isn't. I will update.

A

Way too many tabs open.

C

I don't want to distract the writers, but I think dwayne has raised a good point in the chat that we should be specific to software defects versus other issues. That could exhibit a defectual end case, but whether or not it's part rooted in the software versus how you set it up or the processes and integrations you set around it.

A

So would a better name for the metric piece software defect resolution time. I don't think.

C

We have to, I don't think we have to name that just be more specific about that.

C

The measurement only is going to apply to that, because I I don't know because I then it it becomes a little bit too broad, because then the if the defect is how you set it up versus the thing itself, then that isn't really the project's fault unless the project had incorrect documentation, in which case that's an issue, not a defect.

A

uh So, just okay, now I'm following more closely now it's it's distinguishing between a software defect and a defect introduced by a deployment mistake essentially.

C

Maybe we don't maybe we're getting two in the weeds, but.

A

No, I mean I don't, I don't think so like when, when I get deployment defect, notices regarding auger generally they're my fault, um but I think I think in other in other. There are many other cases where um people just don't actually read the instructions uh or they miss a line and don't install a library. So I think that that's a useful distinction.

C

Like in my head, it's like user error versus software error. Like this morning, I put in the wrong role and so nothing ran, so that wasn't completely my error.

B

I what's the difference between working correctly or as specified.

A

I don't know, uh perhaps it just I mean correctly, I supposed felt more weaselly um and, as specified, sounded less weasely.

H

In some cases there might be formal specifications like use cases or requirements documents and working correctly I see that as the person creating the defect, that's their perception or how it should work.

A

And that gets to the arfon story, where it wasn't a defect, it was it's just exactly what he meant to do.

F

Having flashbacks.

A

Sorry.

A

This this disclaimer regarding privacy risks is something we just leave, as is correct.

A

Or sophia, maybe you recall from artists, I know you've been part of those discussions. Do we just we leave this for now? Even is that right.

C

Yeah we leave it for now. um Okay, we'll review it to make sure that it's still, it doesn't seem like there are any issues or conflicts, um something that we haven't standardized. Yes in this approach, I guess for those that are in the weekly calls. We've been trying to come up with a general statement to encourage people to notice when the data collection required to generate the metric could be potentially putting them into any conflict with legal policy or regulatory policies.

C

So we have a general disclaimer now and given that a lot of these data, the data required to collect a lot of these things, um I'm not seeking requests. Sorry, the data required to produce these metrics could increase the generation a lot of pii and additional data about people, in which case you are in sort of gdpr land.

C

So we have a general disclaimer now that we're sticking into metrics and we're working on a central piece of documentation that will provide a little bit more suggested guidance without being overly prescriptive, because clearly we are not lawyers. We are varying different types of roles. I don't think we have any lawyers in the chaos community actually, um but.

A

We certainly have lawyers at linux foundation. Who'd help helped us organize legally.

C

Yeah and we're actually referencing a couple of lf docs that have come up already in terms of how to deal with export controls or gdpr within the contract with your community. So we're trying to again again try to generate a list of resources available and just encouraging folks to have responsible and ethical metrics practices.

B

Okay, I have, I have uh proposed in the description a just this more specific metric and some notes, and we can argue about it.

B

Are you ready for arguing.

A

Is uh this is right up here david, this description definition.

B

Right so I'm proposing that when we say what's the defect resolution time, uh this is this is basically I mean for our new folks. This is kind of the rubber meets the road. The challenge for this group is narrowing down exactly what you mean by some metric, so I'm proposing that be the time between the formal report of a defect to the project.

B

So you know you know if a project normally takes bug record reports as an as a github issue, whining about something in a slack channel that may not even be associated with a project doesn't count, it's got to be the actual reporting that can you know you know. Maybe formal is the wrong term.

B

uh The report of a defect to the project using its um using the project using the projects, defect, reporting, mechanism, okay and the time where the project accepts or merges something that repairs that defect and makes it available to the public you'll notice, I'm carefully, not defining the end time is when the software is released.

B

There are some projects which, don't you know, you know their releases may only happen say every other year and- and I think that would be way too um coarse-grained, so once the emerge of a defect has been accepted and merged in. I think we should accept that as a perfectly you know, as the end time.

D

uh

B

As long as it's available to the public, because if only two people care about the defect fix, they can get that version.

A

I don't know how other people feel, but I think, from my perspective, david you'll be saddened to learn. I don't have any objection to that definition. Oh.

B

My goodness, maybe the public is the wrong term uh to its users. If we want to allow uh proprietary folks.

A

Although these are open source metrics, so I'd be happy with either.

D

Yeah, well, I I do think it's useful to divorce or separate it's fixed and it's been released and maybe released is the word you're looking for here. At the end.

B

That's right.

D

That's right.

B

We want it to be fixed, not the release, time, because right that I think, is too way way too coarse-grained and really for most custom, most users once it's fixed, and you know it's going to be in the next version- most defects, it's okay! You can live with it for a little while and if you're unhappy you can wind to the project to hurry up their release faster.

A

So is this the distinction, perhaps between the nightly, build of firefox and the official release of firefox as an example.

B

Exactly I would actually go further as soon as you merge it into their main branch. You're done as far as this is concerned,.

A

Which is.

B

Now.

A

They're nightly build your nightly.

B

Build happens hours later, so there's not really much difference now.

D

By the way,.

B

I'm sorry good.

D

But an important question here would be to to understand if it's standard practice or we it's it's standard enough practice that the issues are closed when they're merged, not when it's released.

D

I think that's probably true that feels truish to me, but I don't know if it's actually true.

B

Well, I actually don't think we care about their close time, except that that's how we're getting the data. What we care about is the merge time.

A

I don't, I don't think we can ever speak for all open source projects, but most all of the ones that I've worked on and I'm aware of when you merge a pull request into the main branch that resolves an issue. The issue is closed.

B

I'm familiar um if they have an issue tracker at all. If they don't that's a different problem, uh then you really want to close off those things, because otherwise it gets completely overwhelming.

D

All right, so, let's, let's david, let's get really really precise here. I know you love that bit. I don't.

B

Know I don't.

D

I don't, but I know it's necessary and as written um to the time that the project merges something that repairs the defect. How do we know that the merge has repaired the defect if the issue hasn't been closed,.

A

I think that's a good point.

B

That's a fair point.

A

But there's no right, there's no way to link any pull requests to an issue if it's not if they're not linked, if the issue remains open. As far as we know, the the defect remains in.

D

The software right and in cases at least in cases in github, where, where they're, where they've tagged it and it automatically closes it when the merge lands right. Those are the same time, but if they haven't there's going to be some amount of time that elapses between a merge that fixes the issue and the verification of the issue actually being closed. So I'd say that we actually are pinned to. The issue is closed. That's the only predictable flag that we have that says it's been fixed.

B

Actually, that's not true, because um in some systems yeah this is the this. Is the joy of trying to nail down these definitions? We've uh um you can close it later and add it later hey. This was fixed by I've. Seen that, and in that case a tool can look at that and figure out. Oh, it should have been closed last year and here's the evidence for it.

B

If you don't have any evidence for it, then the time it was closed is the right answer.

A

Yeah thinking in terms of easy to.

A

I mean.

F

I.

A

Would say if a defect's identified by an issue, then the closing of the issue is the only signal that we have that the defect is resolved.

A

um Like it may be resolved by the merge request, but there's no signal to the world that that happened until the issue is closed.

C

I do know of projects that have some auto close tooling for things that are open for a length of time, which doesn't actually mean that close always corresponds to the issue being addressed.

B

Right, in fact, uh I I think that kind of uh leprous uh uh nasty approach is becoming more and more common. You know, hey you reported it last year. I don't want to hear about it anymore. You know, only new things are true and something that's a year old is obviously not true.

A

What so does does so I mean this. This raises a question, though, if because we're going to have to develop a metric that we can actually measure right if we're hard about the heuristic, where the issue has to be tied to some code change to to close the defect, we're going to have defects that are never closed, even if the issue's closed and on the other hand, so that's I'm looking at the rock curve here. That would be uh that'd, be a false negative.

A

If I, if I fix the issue but don't close the issue- and if I close, if I close the issue without doing anything, then that's a false positive that the defect is fixed.

C

Well, I mean the the side argument here: is this kind of up to the implementer how they designate these things too, because we're also going to put in the description of implementation. That really depends on what you're doing your project and the conventions that you've outlined um and within that, then you would design your measurement to correspond to whatever policies or automated actions are being taken.

C

So you wouldn't hopefully that wouldn't be an issue for you. I guess I just I guess I just want to make sure within our own language that we're not inflating anything that we don't need to.

B

Yeah, you know what um I I sean. I agree with your concern. um I think that would be too complicated to try to put all that within this metric. I think that suggests the need for a different metric, something like abandoned bug or defects, or um you know.

A

So what is the? What is the? What is this metric saying? Then I don't disagree. There could be a different metric, but what which, how is this metric defining um the release of software? Does the release of software have to close the defect? They're? The issue.

B

That.

A

Again,.

B

Careful you don't mean a release.

A

Official version 1.0 does the merging of a.

B

Pull.

A

Request have to close the issue, or can the issue be closed without being associated with a pull request, and do we count that.

B

I think it needs to be associated with some actual change of the code or there's or frankly, I would assume that they didn't fix it. They just don't want to do it.

A

And if.

A

So, okay, okay, so.

B

I I think that would not be included in this measure, because we're measuring the time of the report of a defect to the time work got fixed.

A

So would this be right for a defect to be considered.

A

The resolved of the associated issue must be linked to a merged change request or other code change could be. A direct commit is, is that what we're saying.

B

Well, I wouldn't say code, but some change.

A

Okay, what would be I'm just curious? What would be the change other than code that would fix a defect.

B

Could change the process.

B

Well, in fact, uh you know: hey your process for compiling the code is is a bug. It is wrong.

A

Okay, okay, okay! So, for example, if I'm using a building safety, critical software and I'm not tightly bounding, all that that's a process problem.

B

Yeah or your your compiler flags don't work on my cpu, oh we, but that's a supported, cpu we screwed up. um Okay, now to be fair, I would accept that build scripts are code too, so maybe you could just change that say. That's all code anyway! So.

B

You know I I would say uh code, including build instructions.

A

Yeah you can you can change that. However, you want we're about out of time for this meeting.

A

So I all.

B

Right how.

A

How can we.

B

Get the uh the badge uh uh metric renamed.

B

I.

F

Don't know the process yeah the ci to open ssf.

B

I I don't know where I file that issue.

A

um

E

Yeah in the next release notes, we can add this and we can modify it and create.

F

An issue in.

B

The wrist.

E

Work, I can uh take care of that.

B

Oh okay, all right you'll, take care of that and that's great.

E

Yeah, uh if the, what is the correct label, has that been mentioned in the.

B

Just change just change: oh ci, to open ssf; that's it it just.

E

Got a minor.

B

Rename that's all.

E

Okay,.

B

Because cii doesn't technically exist anymore and it got moved over to open ssf. So that's all.

E

Okay, all right.

A

Okay, all right, and so um thank you for taking care of that vanad. I think uh when we meet again in two weeks. We can finish this metric um and incorporate um some. You know if we want to specify example, labels or whatever um I do have a couple of um large spreadsheets that apparently google won't open right now that are in addition to the old ones, so I'll make those available.

A

Once I figure out how to get google to open a very large spreadsheet, um I'm really surprised it wouldn't honestly because it opened the last one. So it's probably a user error all right. Well, thanks. Everybody.

B

Sorry, okay, thank you. Bye, bye,.