Open Source Development Course
Lifecycle of open source contribution, project management
Vojtˇech Trefn´y
vtrefny@redhat.com
16. 3. 2022
twitter.com/vojtechtrefny
github.com/vojtechtrefny
ɭ gitlab.com/vtrefny
Open source contribution lifecycle
Contribution lifecycle
1. Issue
Reporting your own bug or RFE or picking
an existing issue to work on.
2. Fork
Getting the code to work in your own
“workspace”.
3. Development
The easy part :-)
4. Tests
CI test results and/or manual testing.
5. Code review
Code review by the maintainer and making
changes.
6. Rebase & merge
Adjust to the current master and merging
the changes.
1 / 34
Disclaimer
• These topics are usually diﬀerent for
each project, always check contributor
guidelines for speciﬁc use cases and
workﬂows.
• This part of the lecture is highly based
on GitHub workﬂow. It applies to
similar services like GitLab as well, but
projects that don’t use these
“advanced” code hosting services and
rely mostly on emails and mailing list
are very diﬀerent.
https://github.com/tensorflow/tensorflow/blob/master/CONTRIBUTING.md
2 / 34
Issue trackers
• Code hosting services like GitHub and GitLab oﬀer integrated issues trackers.
• Some projects use separate tools like Bugzilla or JIRA for tracking bugs and RFEs.
• Issues allow you to discuss the bug/feature with other developers and users.
• Starting with an issue or bug report is not necessary but not doing that increases
the risk of your contribution being ignored or rejected.
3 / 34
GitHub Issues
• GitHub helps ﬁrst-time contributors to discover good ﬁrst issues to help the
project with.
https://github.com/microsoft/vscode/contribute
4 / 34
GitHub Issues
→
• Do not forget to assign the issue to yourself to let others know you are working on
it.
5 / 34
Fork
• A fork is your own “copy” of the upstream repository.
• On GitHub (and similar sites) having a fork is needed to be able to open a pull
request later.
→ →
6 / 34
Fork
• It’s a good practice to clone the upstream repository and add your fork as a
second remote.
• This will help you when rebasing to the latest upstream version.
$ git remote -v
origin git@github.com:rhinstaller/dasbus.git (fetch)
origin git@github.com:rhinstaller/dasbus.git (push)
vtrefny_GH git@github.com:vojtechtrefny/dasbus.git (fetch)
vtrefny_GH git@github.com:vojtechtrefny/dasbus.git (push)
7 / 34
Pull request
• After committing your changes, simply push them to your fork and open a pull
request (in GitLab terminology a merge request) using the link provided by the git
push hook.
$ git push vtrefny_GH master_my-feature
...
remote:
remote: Create a pull request for ’master_my-feature’ on GitHub by visiting:
remote: https://github.com/vojtechtrefny/dasbus/pull/new/master_my-feature
remote:
To github.com:vojtechtrefny/dasbus.git
* [new branch] master_my-feature -> master_my-feature
8 / 34
Pull request
9 / 34
Automated tests
• If the project has CI conﬁgured, automated tests will run on your PR.
• Multiple diﬀerent tests and checks, including static analysis and builds, may be
applied.
• Some projects can reject or ignore PRs with failing tests.
• More about tests and CI next week.
10 / 34
Code review
• During code review, other project contributors and maintainers will review your
changes to either approve or reject them or request changes.
• When changes are requested you can either change the existing commits or add
ﬁx commits that will be squashed later.
• At least one approve review from a project maintainer is usually needed for the
change to be merged.
• For more complicated changes, long back and forth reviews with multiple
discussions are not uncommon.
11 / 34
Code review
12 / 34
Rebase & merge
• If the CI and review phases take a long time, merge conﬂicts can occur, especially
in more active projects.
• git can solve some conﬂicts automatically, but you might need to resolve some
manually.
• Pull requests with conﬂicts cannot be merged.
13 / 34
Release
• After the contribution is merged, it should be included in the next release.
• Depending on project release schedule and development state, this might happen
immediately or take few weeks or months.
• At some stages, projects might not accept other contributions than bug ﬁxes and
new features might be accepted only for development branches/releases or not at
all.
14 / 34
Release life cycle
1. Planning
Gathering use cases. Product and
objectives deﬁnition.
2. Pre-Alpha
Early development, usually not meant for
public.
3. Alpha/Beta
Pre-releases for testing purposes and early
adopters.
4. Release candidate (RC)
Candidate for the stable release.
5. Stable release
Stable release targeted for end-users.
6. Mature project/Maintenance
Maintenance and bug ﬁxing. EOL or
continuous development.
15 / 34
Fedora release cycle
Rawhide starts Fedora Linux 37 development 2022-02-08
Proposal submission deadline (System Wide Changes) 2022-06-28
Proposal submission deadline (Self Contained Changes) 2022-07-19
Completion deadline (testable) 2022-08-09
Branch Fedora Linux 37 from Rawhide 2022-08-09
Change Checkpoint: 100 % Code Complete Deadline 2022-08-23
Beta Release 2022-09-13
Final Freeze 2022-10-04
Final 2022-10-18
Rawhide starts Fedora Linux 38 development 2022-08-09
Fedora Linux 37 EOL 2023-11-14
https://fedorapeople.org/groups/schedule/f-37/f-37-key-tasks.html
16 / 34
Fedora release cycle
Planning
Rawhide starts Fedora Linux 37 development 2022-02-08
Proposal submission deadline (System Wide Changes) 2022-06-28
Proposal submission deadline (Self Contained Changes) 2022-07-19
Pre-alpha
Completion deadline (testable) 2022-08-09
Branch Fedora Linux 37 from Rawhide 2022-08-09
Alpha/Beta
Change Checkpoint: 100 % Code Complete Deadline 2022-08-23
Beta Release 2022-09-13
RC Final Freeze 2022-10-04
Stable release Final 2022-10-18
Maintenance
Rawhide starts Fedora Linux 38 development 2022-08-09
Fedora Linux 37 EOL 2023-11-14
17 / 34
Software dependencies
Software dependencies
• Using existing libraries and tools can save a lot of time when building a new
project.
• Managing third party dependencies can be tricky, but when done properly, it’s
better and safer than writing code from scratch.
• When working with dependencies it’s crucial to make sure your
• code is up to date,
• system is secure,
• service/project works as intended.
18 / 34
Types of dependencies
Direct dependencies
Libraries that your code directly depends
upon. These require some eﬀort to control
but are sort of manageable.
Transitive dependencies
Dependencies of the dependencies.
Usually quite hard to control.
Third party dependencies
A special kind. These are the dependencies
that you don’t own and that are not part of
your organization.
19 / 34
Transitive dependencies
pocketlint
- polib [Any]
- pylint [Any]
- astroid [>=2.5.1,<2.6]
- lazy-object-proxy [>=1.4.0]
- wrapt [>=1.11,<1.13]
- isort [>=4.2.5,<6]
- mccabe [>=0.6,<0.7]
- toml [>=0.7.1]
20 / 34
Dependency management
• Dependencies are usually managed using a project or language-speciﬁc tool which
takes care of resolving and pulling in third-party dependencies, including transitive
dependencies.
• Dependencies can be downloaded during the build (for build and built-in
dependencies) or project or service installation or deployment.
• Dependencies can be available either in a public or project-speciﬁc repository.
• Some dependency management can also detect required dependencies from the
code.
21 / 34
Package repositories
• Diﬀerent package repositories exist for
diﬀerent programming languages or
frameworks:
• Python Package Index (PyPI) for
Python with pip tool.1
• Rust crate registry for Rust with
cargo tool.2
• Node Package Manager (NPM) with
npm tool.3
1
https://pypi.org
2
https://crates.io
3
https://www.npmjs.com
22 / 34
PyPI
setup(
name=’pocketlint’, version=’0.20’,
description=’Support for running ...
url=’https://github.com/...
install_requires=[’pylint’, ’polib’],
...
)
23 / 34
PyPI
$ pip install pocketlint
Collecting pocketlint
Using cached pocketlint-0.20-py3-none-any.whl (32 kB)
Collecting pylint
Using cached pylint-2.7.2-py3-none-any.whl (342 kB)
Collecting polib
Using cached polib-1.1.0-py2.py3-none-any.whl (25 kB)
...
Collecting astroid<2.6,>=2.5.1
Using cached astroid-2.5.1-py3-none-any.whl (222 kB)
Collecting wrapt<1.13,>=1.11
Using cached wrapt-1.12.1.tar.gz (27 kB)
Collecting lazy-object-proxy>=1.4.0
Using cached lazy_object_proxy-1.5.2-cp39-cp39-manylinux1_x86_64.whl (53 kB)
Installing collected packages: mccabe, isort, toml, wrapt, lazy-object-proxy,
astroid, pylint, polib, pocketlint 24 / 34
What could go wrong?
Missing package that “broke” the Internet
In 2016 Azer Ko¸culu unpublished more than 250 of his packages from NPM, including
a very popular left-pad package which many big JavaScript projects (including
React) depended on.4 5
4
https://www.theregister.com/2016/03/23/npm_left_pad_chaos/
5
https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm
25 / 34
What could go wrong?
Security vulnerabilities (CVE)
Old versions of dependencies with unﬁxed
vulnerabilities.
Version conﬂicts
Circular dependencies and dependency hell.
Missing/removed dependency
Packages removed from repositories.
API/ABI changes
New versions with backwards-incompatible
changes.
Broken third-party dependencies
Bugs in code that is not under your control.
License conﬂicts
Incompatible open source licenses.
26 / 34
Version conﬂicts
• Two or more packages depending on
the same package but a diﬀerent
version.
• Unsolvable if multiple versions of the
same package cannot be installed
together.
• Sometimes referred to as “dependency
hell” (especially in relation to
distributions and solving of
dependencies during package
installation or upgrade).
https://research.swtch.com/version-sat
27 / 34
API/ABI stability
• Backward incompatible changes
should happen only in major versions.
• Keeping compatibility with multiple
API versions require additional code
and tests.
• For compiled languages with dynamic
libraries, ABI stability is also crucial.
Rebuilding the entire project because
of a single dependency ABI change
might not be possible.
https://abi-laboratory.pro/?view=timeline&l=cryptsetup
28 / 34
CVEs
• Both security vulnerabilities and “normal” bugs
in dependencies can easily compromise your
application.
• Recent bugs like Heartbleed6in OpenSSL
showed that many essential opensource
libraries are understaﬀed and have many
unﬁxed vulnerabilities.
• Bundled dependencies needs to be closely
monitored for CVEs and quickly updated.
6
https://heartbleed.com/
29 / 34
Log4Shell
• Security vulnerability (remote code execution) in
Log4j, Java logging framework, discovered in
November 2021 (disclosed in December). 7 8
• Aﬀected many projects including AWS, Cloudﬂare and iCloud. Up to 93 % of
cloud environments were aﬀected.
• Similarly to Heartbleed, Log4Shell again draw attention to open source projects
that are heavily depended on but not properly staﬀed and ﬁnanced.9
• Log4Shell being a way smaller project than OpenSSL and often being bundled in
biggers project also showed how hard is to track and manage dependencies.
7
https://www.nukib.cz/cs/infoservis/hrozby/1781-upozorneni-na-zranitelnost-apache-log4j-log4shell/
8
https://www.nukib.cz/cs/infoservis/hrozby/1785-nukib-vydava-reaktivni-opatreni-v-souvislosti-se-zranitelnosti-log4shell/
9
https://gizmodo.com/after-log4j-open-source-software-is-now-a-national-sec-1848356403
30 / 34
Dead and abandoned projects
• Especially smaller projects can very quickly
become unmaintained or abandoned.
• Upstream source can be even completely
lost after service or domain expiration.
• Upstream can move to a diﬀerent fork or
cease to exist without replacement.
• For actively maintained projects, older
stable versions can be abandoned long
before your product EOL.
https://www.open-fcoe.org/git
31 / 34
License compatibility
• Not all free and/or opensource licenses are compatible.
• Some licenses require the result to be released under the “stronger” license.
• Diﬀerent rules might apply for diﬀerent types of dependencies – copying code vs.
linking vs. calling.
• More about licenses in the Open source licenses lecture.
32 / 34
License compatibility
https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility 33 / 34
Questions
Questions
Thank you for your attention.
https://github.com/crocs-muni/open-source-development-course
34 / 34