Abstract
Open source software has become a key infrastructure of modern society, supporting software development in almost every field. Through various forms of code reuse, such as dependency installation, API calls, project forks, file copying, and code cloning, open source software forms an intricate supply (i.e., dependency) network, referred to as the open source software supply chain. On the one hand, the open source software supply chain facilitates software development and has become the foundation of the software industry. On the other hand, risk in upstream software can propagate along the supply chain to a large number of downstream projects, so that a problem in a single component can affect the whole chain (a ripple effect). Open source software supply chains have attracted growing attention from both academia and industry in recent years. To help advance researchers' understanding of open source software supply chains, this study first gives a definition and a research framework for open source software supply chains from a holistic perspective; it then conducts a systematic literature review of research worldwide and summarizes the state of research in three areas: structure and evolution, risk propagation and management, and dependency management; finally, it discusses the research challenges and future research directions for open source software supply chains.
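The ripple effect described in the abstract, that a risk in one upstream package reaches every package that transitively depends on it, can be made concrete by walking the dependency graph in reverse. The Python below is an added example and is not code from the paper or its authors. The package names and manifests are constructed sample data shaped like a registry's "dependencies" metadata, and the reverse breadth-first search used to compute the blast radius is a generic technique, not one the paper prescribes. It also goes a step beyond the abstract by ranking every package by how many downstream packages it could affect, which is one way the "structure" of a supply chain is commonly quantified.

```python
"""Blast-radius (ripple-effect) analysis on a toy dependency graph.

Added example, not from the paper. SAMPLE_MANIFESTS is constructed data;
every package name is hypothetical.
"""
from collections import deque

# Constructed sample: package -> list of its direct install dependencies.
# Edges point upstream (a package depends on the packages it lists).
SAMPLE_MANIFESTS = {
    "webapp":          ["http-client", "template-engine"],
    "http-client":     ["url-parse", "tls-shim"],
    "template-engine": ["escape-utils"],
    "url-parse":       [],
    "tls-shim":        ["url-parse"],
    "escape-utils":    [],
    "cli-tool":        ["url-parse"],
    "standalone":      [],
}


def build_reverse_graph(manifests):
    """Return dependents: pkg -> set of packages that directly depend on it.

    Dependencies that have no manifest of their own (external packages)
    still get an entry so they can be used as a starting point.
    """
    dependents = {pkg: set() for pkg in manifests}
    for pkg, deps in manifests.items():
        for dep in deps:
            dependents.setdefault(dep, set()).add(pkg)
    return dependents


def transitive_dependents(manifests, root):
    """All packages downstream of `root`, found by BFS over the reverse graph.

    Returns a dict pkg -> shortest propagation path [root, ..., pkg], so an
    analyst can explain *why* a package is affected. The visited check
    (membership in `paths`) makes this safe on cyclic graphs. An unknown
    root simply yields an empty dict.
    """
    dependents = build_reverse_graph(manifests)
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        # sorted() keeps traversal order, and therefore paths, deterministic
        for d in sorted(dependents.get(cur, ())):
            if d not in paths:
                paths[d] = paths[cur] + [d]
                queue.append(d)
    del paths[root]
    return paths


def direct_dependents(manifests, root):
    """Packages that import `root` directly (the first hop of the ripple)."""
    return sorted(build_reverse_graph(manifests).get(root, set()))


def rank_by_blast_radius(manifests):
    """Rank packages by number of transitive dependents, largest first.

    Ties are broken by name so the result is stable. A high rank marks a
    package whose compromise or breaking change would ripple furthest.
    """
    counts = {pkg: len(transitive_dependents(manifests, pkg)) for pkg in manifests}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def report(manifests, vulnerable):
    """Human-readable summary of the ripple from one vulnerable package."""
    affected = transitive_dependents(manifests, vulnerable)
    lines = [f"{vulnerable}: {len(affected)} of {len(manifests)} packages affected"]
    for pkg, path in sorted(affected.items()):
        lines.append("  " + " -> ".join(path))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MANIFESTS, "url-parse"))
    print("\nblast radius ranking:")
    for pkg, n in rank_by_blast_radius(SAMPLE_MANIFESTS):
        print(f"  {pkg}: {n}")
```

On the sample graph, `url-parse` has only three direct dependents but reaches four of the eight packages, and `webapp` is affected through `http-client` even though it never lists `url-parse` itself; that gap between direct and transitive exposure is exactly what makes upstream risk hard to see from a single manifest.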
Authors
GAO Kai (高恺), HE Hao (何昊), XIE Bing (谢冰), ZHOU Ming-Hui (周明辉)
School of Software and Microelectronics, Peking University, Beijing 100871, China; School of Computer Science, Peking University, Beijing 100871, China
Published in
Journal of Software (软件学报), 2024, No. 2, pp. 581-603 (23 pages)
Indexed in: EI, CSCD, Peking University Core Journals (北大核心)
Funding
National Natural Science Foundation of China (61825201).
Keywords
open source software supply chain; structure and evolution; risk propagation and management; dependency management
Author biographies
GAO Kai (born 1999), male, PhD student, CCF student member; research interests: mining software repositories, open source software ecosystems. HE Hao (born 1998), male, PhD student; research interests: mining software repositories, open source software ecosystems. XIE Bing (born 1970), male, PhD, professor, doctoral supervisor, CCF senior member; research interests: software engineering, formal methods, software reuse, intelligent software development. Corresponding author: ZHOU Ming-Hui (born 1974), female, PhD, professor, doctoral supervisor, CCF senior member; research interests: mining software repositories, open source software ecosystems. E-mail: zhmh@pku.edu.cn.