Russ Cox
- Baldwin, A. Details about the event-stream incident. The npm Blog (Nov. 2018); https://bit.ly/2DRjySJGoogle Scholar
- Cox, R. Go & Versioning, 2018; https://research.swtch.com/vgo.Google Scholar
- Cox, R. The principles of versioning in Go. GopherCon Singapore (May 2018); https://www.youtube.com/watch?v=F8nrpe0XWRg.Google Scholar
- Cox, R. RE2: A principled approach to regular expression matching. Google Open Source Blog (Mar. 2010); https://bit.ly/2XoLFzC.Google Scholar
- Cox, R. Regular expression matching with a trigram index or how Google Code Search worked. Swtch.com (Jan. 2012); https://swtch.com/~rsc/regexp/regexp4.html.Google Scholar
- Facebook. Infer: A tool to detect bugs in Java and C/ C++/Objective-C code before it ships; https://fbinfer.com/.Google Scholar
- GNU Project. GNU General Public License, version 1, 1989; https://www.gnu.org/licenses/old-licenses/gpl-1.0.html.Google Scholar
- Go Project. Go 1 and the future of Go programs, 2013; https://golang.org/doc/go1compat.Google Scholar
- Google Open Source. Using third-party licenses; https://opensource.google.com/docs/thirdparty/licenses/#banned.Google Scholar
- Hipp, D. R. How SQLite is tested; https://www.sqlite.org/testing.html.Google Scholar
- Lacasse, N., Open-sourcing gVisor, a sandboxed container runtime. Google Cloud (May 2018); http://bit.ly/2wzA84D.Google Scholar
- Langley, A. Chromium's seccomp sandbox. ImperialViolet (Aug. 2009); https://www.imperialviolet.org/2009/08/26/seccomp.html.Google Scholar
- National Institute of Standards and Technology. National Vulnerability Database---Search and Statistics; https://nvd.nist.gov/vuln/search.Google Scholar
- Pike, R. Go Proverbs, 2015; https://go-proverbs.github.io/.Google Scholar
- Pike, R., Dorward, S., Griesemer, R. and Quinlan, S. Interpreting the data: Parallel analysis with Sawzall. Scientific Programming J. 13, 4 (2005), 277--298 Google ScholarDigital Library
- Potapenko, A. Testing Chromium: ThreadSanitizer v2, a next-gen data race detector. Chromium Blog (Apr. 2014); http://bit.ly/2WN29o0.Google Scholar
- Potvin, R., Levenberg, J. Why Google stores billions of lines of code in a single repository. Commun. ACM 59, 7 (July 2016), 78--87 Google ScholarDigital Library
- Reis, C. Multi-process architecture. Chromium Blog (Sept. 2008); https://blog.chromium.org/2008/09/multi-process-architecture.html.Google Scholar
- SpotBugs: Find bugs in Java programs; https://spotbugs.github.io/.Google Scholar
- Thompson, K. Reflections on trusting trust. Commun. ACM 27, 8 (Aug. 1984), 761--763 Google ScholarDigital Library
- U.S. House of Representatives Committee on Oversight and Government Reform. The Equifax Data Breach, Majority Staff Report, 115th Congress (Dec. 2018); http://bit.ly/2Gf53IJ.Google Scholar
- Willis, N. A single Node of failure. LWN.net (Mar. 2016); https://lwn.net/Articles/681410/.Google Scholar
- Winters, T. SD-8: Standard library compatibility, C++ standing document, 2018; http://bit.ly/2QNhT5k.Google Scholar
Index Terms
- Surviving software dependencies
Recommendations
Surviving Software Dependencies: Software reuse is finally here but comes with risks.
Knowledge GraphsSoftware reuse is finally here, and its benefits should not be understated, but we’ve accepted this transformation without completely thinking through the potential consequences. The Copay and Equifax attacks are clear warnings of real problems in the ...
Reusability of Mathematical Software: A Contribution
Mathematical software is devoted to solving problems involving matrix computation and manipulation. The main problem limiting the reusability of existing mathematical software is that programs are often not initially designed for being reused. Therefore,...
Reviews
Anthony Joseph Duben
Software has been reused since the days of exchanging decks of punched cards wrapped in listings printed on green bar paper. Packages (that is, libraries) of code are everywhere and are used in an overwhelming number of applications. Starting with a blank screen and writing a major self-contained program is a rarity. Since software reuse is commonplace, the correctness, ability to be understood, security, and robustness of the software package used are paramount. Depending on a package with uncritical trust is dangerous. Russ Cox shows how one can intelligently and cautiously gain and maintain control of potential problems arising from dependencies on imported software packages. He identifies several considerations in examining a package intended to be incorporated in a project: design (especially the quality of documentation), quality of the code, testing protocols distributed with the package, bug reports and fixes, maintenance, usage, security, licensing, and indirect dependencies to still other packages. He recommends several measures to gain control of dependencies: testing them alone and in competition with other packages offering the same capabilities, abstracting the dependency to limit the direct invocation of features peculiar to the package (to make substituting other packages easier), isolating the package at runtime, avoiding the dependency by copying code directly (when legal), and anticipating the problems that may arise when packages are upgraded. In short: inspect, analyze, test, and repeat. Trust, but verify.
Access critical reviews of Computing literature here
Become a reviewer for Computing Reviews.
Comments