BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Pentabarf//Schedule 0.3//EN
CALSCALE:GREGORIAN
METHOD:PUBLISH
X-WR-CALDESC;VALUE=TEXT:Dependency Management devroom
X-WR-CALNAME;VALUE=TEXT:Dependency Management devroom
X-WR-TIMEZONE;VALUE=TEXT:Europe/Brussels
BEGIN:VEVENT
METHOD:PUBLISH
UID:10536@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T150000
DTEND:20200201T153000
SUMMARY:FASTEN: Scaling static analyses to ecosystems
DESCRIPTION:As recent events, such as the leftpad incident and the Equifax data breach, have demonstrated, dependencies on networks of external libraries can expose projects to significant operational and compliance risks as well as difficult-to-assess security implications. FASTEN introduces fine-grained, method-level tracking of dependencies on top of existing dependency management networks. In our talk, we will present how FASTEN works on top of the Rust/Cargo and Java/Maven ecosystems.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Dependency Management
URL:https://fosdem.org/2020/schedule/2020/schedule/event/fasten_scaling_static_analyses_to_ecosystems/
LOCATION:UD2.119
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Georgios Gousios":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:9526@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T153000
DTEND:20200201T160000
SUMMARY:There's no sustainability problem in FOSS
DESCRIPTION:The community seems to be rife with conversations about our sustainability problems. Do we actually have one? We’ll lead a discussion and debate around how we as a community can think about these issues, while drawing out the nuanced aspects of each as well as their potential solutions.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Dependency Management
URL:https://fosdem.org/2020/schedule/2020/schedule/event/foss_sustainability_issues/
LOCATION:UD2.119
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Carol Smith":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Duane O'Brien":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:9669@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T160000
DTEND:20200201T163000
SUMMARY:Comparing dependency management issues across packaging ecosystems
DESCRIPTION:In the last couple of years, the Software Engineering Lab of the University of Mons has extensively studied different aspects of dependency management within and across different package management ecosystems, including Cargo, npm, Packagist, Rubygems, CPAN, CRAN and NuGet. These ecosystems contain a large number of package releases with many interdependencies. They face challenges related to their scale, complexity, and rate of evolution. Typical problems are backward-incompatible package updates and the increasing proportion of fragile packages due to an excessive number of transitive dependencies.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Dependency Management
URL:https://fosdem.org/2020/schedule/2020/schedule/event/comparing_dependency_management_issues/
LOCATION:UD2.119
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Tom Mens":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10064@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T163000
DTEND:20200201T170000
SUMMARY:Building Confidence & Overcoming Insecurity
DESCRIPTION:
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Dependency Management
URL:https://fosdem.org/2020/schedule/2020/schedule/event/building_confidence_in_security/
LOCATION:UD2.119
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Jeff McAffer":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10574@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T170000
DTEND:20200201T173000
SUMMARY:Precise, cross-project code navigation at GitHub scale
DESCRIPTION:GitHub has recently added Code Navigation features (jump to definition and find all references) that let you navigate code directly on github.com. For the languages that we support, we extract and store symbol information for every named branch and tag, of every repository, public or private, with no configuration necessary. The compute and storage requirements to do this for all of the code on GitHub are quite large. In this talk, we'll discuss some of the trade-offs we've made to make this tractable at GitHub's scale, to be able to operate and monitor this service effectively, and to let us add support for new languages quickly and easily. We'll also talk about our ongoing work to extend Code Navigation to handle links that cross package and repository boundaries.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Dependency Management
URL:https://fosdem.org/2020/schedule/2020/schedule/event/github_cross_project_code_navigation/
LOCATION:UD2.119
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Douglas Creager":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10581@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T173000
DTEND:20200201T180000
SUMMARY:Spack's new Concretizer
DESCRIPTION:Dependency resolution is deceptively complex; simply selecting a set of compatible versions for an arbitrary network of dependencies is NP-hard. Much effort has been spent on this problem for modern single-language ecosystems, but many of these ecosystems rely on natively compiled libraries, and dependency managers often fail at managing the additional complexities that native libraries entail. Further, dependency resolution has traditionally been modeled as a SAT problem, where the package manager should find any workable solution that satisfies the package constraints. However, an arbitrary solution may not be good enough. Users want the most tested, most optimized, or most secure configuration, and this is a SAT problem coupled with complex optimization.\n\nSpack is a package/dependency manager rapidly gaining popularity in High Performance Computing (HPC) that aims to address many of the complexities of native, multi-language, cross-platform dependency management. Spack has recently been reworked to use Answer Set Programming (ASP), a declarative logic programming paradigm that also provides sophisticated facilities for optimization. This talk will cover how we’ve been able to model the compiler toolchain, ISA, build options, ABI, and other constraints on native libraries. We’ll also talk about how ASP has been a useful tool for finding optimized dependency configurations. This work can be used to improve dependency resolvers in general — so that they can prefer more secure or tested configurations instead of simply selecting the most recent workable versions.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Dependency Management
URL:https://fosdem.org/2020/schedule/2020/schedule/event/dependency_solving_not_just_sat/
LOCATION:UD2.119
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Todd Gamblin":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10063@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T180000
DTEND:20200201T184500
SUMMARY:Package managers: resolve differences
DESCRIPTION:Package managers have become the default way of managing dependencies for most projects, but they’re not without their challenges and risks. In this panel we bring together experts representing several popular package managers for a lively discussion on package management best practices, the state of package management communities, and a look forward at what we can expect to see in the future.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Dependency Management
URL:https://fosdem.org/2020/schedule/2020/schedule/event/package_management_panel/
LOCATION:UD2.119
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="William Bartholomew":invalid:nomail
END:VEVENT
END:VCALENDAR