Open Source Software Resilience Framework

Open Source Software
Resilience Framework
Apostolos Kritikos / Ioannis Stamelos
PhD Candidate / Professor
Informatics School., Aristotle University of Thessaloniki
akritiko@csd.auth.gr
/apostoloskritikos /akritiko
#1Open Source Software Resilience Framework, Apostolos Kritikos, A.U.TH. | 14th International Conference on Open Source Systems (OSS2018) | June 8-10, 2018, Athens, Greece

Affiliation
RESEARCH GROUP
Software Engineering Group
(SWENG)
LAB
Software engineering, Web & Intelligent Systems
(SOFTWISE)
SCHOOL
Informatics
UNIVERSITY
Aristotle University of Thessaloniki
Image Credit: Aristotle University of Thessaloniki
Image Credit: Municipality of Thessaloniki

Motivation
● An Open Source Software (OSS) project can be utilized either as is, to serve specific needs
on an application level, or on the source code level, as a part of another software system
serving as a component, a library, or even an autonomous third party dependency.
● There are several OSS quality models that provide metrics to measure specific aspects of
the project, like its structural quality. Although other dimensions, like community, health
and activity, software governance principles or license permissiveness, are taken into
account, there is no universally accepted OSS assessment model.
● In this work we are proposing an evaluation approach based on the adaptation of the City
Resilience Framework to OSS with the aim of providing a strong theoretical basis for
evaluating OSS projects.

Motivation
In literature we find several works that suggest a holistic approach in evaluating an Open Source
Software project, extending beyond structural quality. For example:
● Permissiveness of the license, number of active developers & end users, language
translations. (Midha & Palvia, [6]*)
● Open Source Governance Model. (Vision Mobile, [7]*)
● Maturity, stability, documentation, community aspects. (Wasserman et al., [9]*)
● Competition & Collaboration in large OSS systems. (Teixeira et al., [10]*)
● Maturity of an OSS project’s community. (Andrade et al. [11]*)
* Note: The extensive references list can be found to our publication.

We propose that...
1. To approach an OSS project as an evolving system in order to be able to
study it in a holistic way.
2. For an OSS project o be able to succeed and achieve longevity, it is
crucial to be resilient in order to survive potential stresses and crises that
might occur.

Stressors & Crises Examples in OSS
● Forks of the project that might drive the attention of the original project’s community
away.
● Migration of lead developers or even part of the development community to other forks or
projects.
● An unsuccessful major release that might hurt the reputation of the project, changes to the
license.
● Migration to another forge.
Example
The case of Libre Office, an OSS project that started as a fork of Open Office, but managed to
retain the development community and evolve, as of the time of writing, to a successful OSS
project. (Gamalielsson et al., [12])

Resilience
Indicative definitions of the term resilience from different disciplines:
“the ability [of a system] to cope with change”
Logistics, (Wieland et al., [13]).
“a resilient system can take a hit to a critical component and recover and
come back for more in a known, bounded and generally acceptable period
of times”
Software, (Axelrod, [14]).

Resilience (2)
Indicative definitions of the term resilience from different disciplines:
“city resilience describes the capacity of cities to function, so that the
people living and working in cities particularly the poor and vulnerable
survive and thrive no matter what stresses or shocks they encounter”.
Urban Planning, (Da Silva, et al. [15]).

City Resilience Framework (CRF)
● Is the result of research undertaken with the aim of establishing an
accessible, evidence-based definition of Urban Resilience by Arup and
the Rockefeller Foundation.
● The CRF is used by the 100 Resilient Cities a non profit organization to
primarily evaluate the Urban Resilience of more than 90 cities around
the world and, additionally, to assist the cities on crises with tailored
made resilience strategies.

City Resilience Index (CRI)
● It is a set of indicators, variables and metrics that allow cities to
understand, baseline and subsequently measure local resilience over
time.
“The CRI will measure relative performance over time rather than comparison
between cities. It will not deliver an overall single score for comparing
performance between cities, neither will it provide a world ranking of the most
resilientcities.”

City Resilience Index (CRI)
4 Dimensions
↓
12 Goals
↓
Indicators (KPIs)
11

CRI: Dimensions & Goals (1)
I. Health & well-being:
Related to people, working and living in the city.
Goals:
1. Minimal human vulnerability
2. Diverse livelihoods & employment
3. Effective safeguards to human health & life.
12

II. Economy & society:
Related to the organization of cities on a social and economical level.
Goals:
1. Sustainable economy
2. Comprehensive security & rule of law
3. Collective identity & community support.
13

III. Infrastructure & environment:
Related to place, the quality of infrastructure and ecosystems.
Goals:
1. Reliable mobility & communications
2. Effective provision of critical services
3. Reduced exposure & fragility
14

IV. Leadership & strategy:
Related to knowledge of the past and adapting appropriately for the future.
Goals:
1. Effective leadership & management
2. Empowered stakeholders
3. Integrated development planning
NOTE: The aforementioned goals are further decomposed to indicators. Due to time constraints we didn’t include
them in this presentation.
15

Open Source Software Resilience Framework
We argue that Open Source Software projects share a conceptual similarity with cities.
● They are dynamic and continuously evolving systems with their own structural properties
● They attract people that form communities around them which, on a second level, may utilize a
governance model.
● Some OSS projects have commercial activity.
● As it is happening with cities, OSS projects can face stresses and crises (we saw some examples
earlier).
16

17
4 Dimensions
↓
12 Goals
↓
Indicators (KPIs)

OSSRF: Dimensions & Goals (1)
18
I. Source Code:
● The first dimension of CRF is Health & Well-being and it is related with people.
● In Open Source Software we consider source code (i.e. classes) to be the structural unit of the
project.
II. Business & Legal:
● The second dimension of CRF is Economy & Society and is related with organization.
● In Open Source Software the norm is voluntary work but, more mature projects are utilizing
Open Source Business Models to offer commercial services (be it pro features or support). For
those types of projects licensing plays a key role when it comes to commercialization.

19
III. Integration & Reuse:
● The third dimension of CRF is related to place.
● Open Source Software projects usually reuse components of other OSS projects or are being
reused themselves. In this spirit, in the third dimension of the Open Source Software Resilience
Framework we will be dealing with the aspects of integration and reuse.
IV. Social (Community):
● The last dimension of CRF is about Leadership & Strategy and is related with utilizing
knowledge from the past to become better and more resilient in the future.
● In Open Source Software both leadership and strategy related processes are usually connected
with the community. Knowledge base is the codebase itself, the CVS system, issue trackers etc.

20
I. Source Code
○ Continuous Growth
○ Holistic Documentation
○ Systematic Testing & Violation Minimization
II. Business & Legal
○ Economic Sustainability
○ Flexible Licensing
○ External Organization Support

21
III. Integration & Reuse
○ Low Dependability
○ Low Complexity
○ Ease of Integration
IV. Social (Community)
○ Well defined Project Standards
○ Well Defined Governance
○ Developer Base Activity

OSSRF: Indicators
22
● The twelve (12) goals are further analyzed to indicators in order to provide a
more specific description of the goals.
● For the purposes of this paper we will analyze the indicators related to the
goals of the Business & Legal dimension.
● Due to space limitations, we provide the full analysis of the indicators to the
following url: http://users.auth.gr/akritiko/ossrf_indicators.html for the
intended audience.

OSSRF: Indicators - Business & Legal Dimension
23
1. Economic Sustainability
a. Donations: 0 (no) or 1 (yes) based on whether the OSS project accepts donations. 0 is
considered a non resilient value.
b. Commercial features: 0 (no) or 1 (yes) based on whether the OSS project offers commercial
features or a pro (paid) version. The indicator was based to the work of [18]. 0 is considered
a non resilient value.
c. Paid support: 0 (no) or 1 (yes) based on whether the OSS project offers a paid plan for
support. [18]. 0 is considered a non resilient value.

OSSRF: Indicators - Business & Legal Dimension (2)
24
2. Flexible Licensing
a. Level or permissiveness: 0 (all restrictive - i.e. commercial), 1 (persistent i.e. GPL), 2 (all
permissive - i.e. BSD). We base the indicator to the of [19]. The indicator is considered non
resilient when it is less than 1.
b. Level of persistence: 0 (no) or 1 (yes) based on whether there are parts of the project’s code
or dependencies published under persistent licenses (i.e. GPL). We base the indicator to
the of [19]. 1 is considered a non resilient value.

OSSRF: Indicators - Business & Legal Dimension (3)
25
3. External Organization Support: 0 (no) or 1 (yes) based on whether the OSS project is supported by
an external organization (non profit, governmental or corporate). 0 is considered a non resilient
value.

OSSRF: Resilience Determination Mechanism
26
● Starting to the indicators level we will consider an OSS project successful towards a resilience
goal when it is considered resilient at least to 50% of the goals ingredients.
● Moving to the dimensions level, an OSS project will be considered successful towards a
resilience dimension when it is considered resilient at least to 50% of the goals of the specific
dimension.
● Likewise, on a project level, the OSS project is considered resilient when at least two (2) out of
four (4) dimension (50%) are considered resilient.

OSSRF: Application - A non-resilient project
27

OSSRF: Application - A resilient project
29

Threats to validity
31
● We should note that OSSRF should be applied to project of a relative maturity in terms of
community and age (we would intuitively suggest at least 10 contributors and a maturity of
more than a year). Applying it in solo maintained OSS projects, or projects that not yet have
reached the proposed maturity may lead to misleading results.
● OSSRF is an adaptation of the City Resilience framework to Open Source Software. Although
the structure of the original framework was retained, despite the conceptual similarities that we
have already mentioned earlier, the mapping of dimensions, goals and indicators is a product of
the subjective lens of the authors.

Threats to validity (2)
32
● Regarding the goals and indicators, some of them are based on metrics available for object
oriented source code. Additionally, as far as control version systems are concerned, for the
needs of this publication we selected projects that are hosted in Github.
● As far as the scales and their aggregation is concerned, in this preliminary approach we
considered each criterion equally important and the threshold for defining a project as resilient
or non resilient is 50%.
● Finally, both of the projects analyzed in this paper, were developed in PHP and their domains
are close (OKapi was a framework for web applications and WooCommerce is a plugin for a
WordPress which is also considered by some a kind of web framework).

Future work
33
● For future work we intend to thoroughly fine-tune the rest of the indicators by testing it to a
variety of OSS projects. This will also allow us to investigatehow the OSSRF responds to projects
of different age, community size or source code size and complexity.
● We also intend to investigate whether the software domain of an OSS project affects the results
of the application of the OSSRF.
● Regarding the framework itself we will experiment with other approached regarding the
“Resilience determination mechanism” (i.e. weighted goals).
● In addition we will be extending the OSSRF to be able to work with a variety of control version
systems (not only git-like but also Mercurial, SVN, CVS).

Future work (2)
34
● In a similar spirit will would like to experiment with projects of different programming
languages (i.e. Java).
● Another challenging idea for future work would be to apply OSSRF to OSS projects that are
known to have faced specific stresses or crises in order to identify how those crises relate with
the resiliency levels of an OSS project.
● Finally we intend to attempt and request feedback, in the form of a survey, from key players of
the Open Source Software international community (lead developers, stakeholders, academics
and so forth) about OSSRF.

APOSTOLOS KRITIKOS CREDITS
# contact info #
0030 6976 432 234
akritiko@csd.auth.com
# social media #
apostoloskritikos @ LinkedIn
akritiko @ Twitter
# web #
www.softwarereseilience.com
apostolos.kritikos.me
# graphic elements license #
All graphic elements used in this presentation, unless explicitely
stated otherwise, were reused from openclipart.org published
under Public Domain (CC0).
# presentation license #
This presentation is published under Creative Commons
Attribution Non Commercial Share Alike 4.0 (CC BY-NC-SA 4.0)
license.
# presentation id #
“Open Source Software Resilience Framework”
14th International Conference on Open Source Systems
(OSS2018).
June 8-10, 2018, Athens, Greece.
08.06.2018

Open Source Software Resilience Framework

More Related Content

Similar to Open Source Software Resilience Framework (20)

More from Apostolos Kritikos (12)

Recently uploaded (20)

Open Source Software Resilience Framework