Open Source Software Supply Chains


Software engineering (SE) studies practices employed by individual projects. The emergence of and extensive reliance on open source software (OSS) make that traditional SE focus too narrow to comprehend and support key developer decisions in the highly interconnected network of OSS. These networks have at least three types of relationships: runtime or tool-chain dependencies, copying of source code, and transfer of code maintenance expertise. These three relationships are similar to those in traditional supply chains (SCs), with maintenance effort, source code, and knowledge playing the role that product flow from supplier to consumer plays in traditional SCs. As in traditional SCs, decisions are taken in a decentralized manner, and risks may materialize because of events at nodes far away from the consumer or producer in the chain: a single compromised or abandoned package can affect every project that depends on it transitively, most of which never chose it directly. Importantly, each of the three types of software supply chains (SSCs) has unique advantages and risks.

This tutorial will:
  1. Conceptualize these three OSS dependencies as types of software supply chains (SSCs)
  2. Present ways to operationalize the measurement of OSS SSCs
  3. Go over several examples of the new insights, research questions, and applications of OSS SSCs
  4. Introduce World of Code (WoC) infrastructure designed to support research on OSS SSCs
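To make the three relationship types concrete, here is an added example (not part of the tutorial or of the World of Code tooling) that measures each of them on small constructed data: transitive reach and reverse exposure over a dependency manifest, copied code detected by identical git-style blob hashes across projects, and expertise links inferred from developers who commit to more than one project. The package names, file contents and commit authors are all made up for illustration; the blob hash is computed the way git computes a blob id, which is the content-addressed idea behind WoC's blob maps, but the surrounding functions are this example's own, not WoC's API.

```python
"""Measuring the three OSS supply-chain relationships on constructed data.

Added example, not from the tutorial or from World of Code. All inputs are
made up; the functions show what "operationalizing" each relationship means.
"""
import hashlib
from collections import deque

# 1. Dependency relationship: package -> direct runtime dependencies (constructed).
DEPS = {
    "webapp": ["http-framework", "logger"],
    "http-framework": ["router", "logger"],
    "router": ["path-matcher"],
    "path-matcher": [],
    "logger": ["ansi-colors"],
    "ansi-colors": [],
    "cli-tool": ["ansi-colors"],
}


def transitive_deps(deps, root):
    """Every package `root` pulls in at any depth (root itself excluded)."""
    seen, queue = set(), deque(deps.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(deps.get(pkg, []))
    return seen


def exposure(deps, compromised):
    """Map each package that transitively depends on `compromised` to its hop distance.

    Distance 1 means a direct dependency; larger values are the "far away node"
    case where the affected consumer never chose the package itself.
    """
    reverse = {}
    for consumer, direct in deps.items():
        for dep in direct:
            reverse.setdefault(dep, []).append(consumer)
    dist, queue = {compromised: 0}, deque([compromised])
    while queue:
        pkg = queue.popleft()
        for consumer in reverse.get(pkg, []):
            if consumer not in dist:
                dist[consumer] = dist[pkg] + 1
                queue.append(consumer)
    dist.pop(compromised)
    return dist


# 2. Copy relationship: project -> {path: file bytes} (constructed).
FILES = {
    "webapp": {"src/util/retry.py": b"def retry(f, n=3):\n    ...\n", "src/app.py": b"app code\n"},
    "cli-tool": {"lib/retry.py": b"def retry(f, n=3):\n    ...\n", "lib/main.py": b"cli code\n"},
    "router": {"router.py": b"routing\n"},
}


def git_blob_id(content):
    """SHA-1 of b"blob <len>\\0" + content, i.e. the id git assigns to the blob."""
    return hashlib.sha1(b"blob %d\x00" % len(content) + content).hexdigest()


def shared_blobs(files):
    """{blob_id: sorted projects} for identical content found in more than one project."""
    owners = {}
    for project, paths in files.items():
        for content in paths.values():
            owners.setdefault(git_blob_id(content), set()).add(project)
    return {h: sorted(p) for h, p in owners.items() if len(p) > 1}


# 3. Expertise relationship: (author, project) per commit (constructed).
COMMITS = [
    ("alice", "webapp"), ("alice", "logger"), ("alice", "webapp"),
    ("bob", "router"), ("bob", "path-matcher"),
    ("carol", "cli-tool"),
]


def shared_maintainers(commits):
    """{(project_a, project_b): sorted authors} for project pairs with a common committer."""
    by_author = {}
    for author, project in commits:
        by_author.setdefault(author, set()).add(project)
    links = {}
    for author, projects in by_author.items():
        for a in projects:
            for b in projects:
                if a < b:
                    links.setdefault((a, b), set()).add(author)
    return {pair: sorted(authors) for pair, authors in links.items()}


if __name__ == "__main__":
    print("webapp pulls in:", sorted(transitive_deps(DEPS, "webapp")))
    print("exposure if ansi-colors is compromised:", exposure(DEPS, "ansi-colors"))
    print("blobs copied across projects:", shared_blobs(FILES))
    print("projects linked by a shared committer:", shared_maintainers(COMMITS))
```

On the constructed manifest, `webapp` depends on `ansi-colors` only at distance 2, through `logger`, so it inherits any defect or takeover there without having selected it; on a real ecosystem the same breadth-first walk over the reverse dependency map is how one sizes the blast radius of a single upstream event. The blob-hash join is deliberately exact-match: near-copies with trivial edits need a fuzzier comparison, which this example does not attempt.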

Target audience

The target audience includes developers, researchers, and anyone concerned with the key risks and benefits of software supply chains (SSCs), especially those who want to study SSCs or build tools for them. The tutorial assumes a basic understanding of programming using, for example, shell script.

Expected outcomes

Participants will be able to articulate the nature of the three types of OSS SSCs, understand the primary risks and benefits of each type, and gain the basic skills needed to measure SSCs using the WoC infrastructure.

Speaker's Profile: Audris Mockus

Audris Mockus has worked at AT&T, then Lucent Bell Labs and Avaya Labs for 21 years. Now he is the Ericsson-Harlan D. Mills Chair professor of Digital Archeology and Evidence Engineering in the Department of Electrical Engineering and Computer Science of the University of Tennessee. Dr. Mockus received a B.S. and an M.S. in Applied Mathematics from Moscow Institute of Physics and Technology in 1988. In 1991 he received an M.S. and in 1994 he received a Ph.D. in Statistics from Carnegie Mellon University.

  • Half Day