Frédéric Fleurial Monfils, Jacques Flamand, Nicolas Devos, Jean-Christophe Deprez, Evaluating Maintainability Related Risks of Free/Open Source Software Component Integration, 8th BElgian-NEtherlands software eVOLution seminar (BENEVOL ’09), Louvain-la-Neuve, Belgium, Dec. 18, 2009.
The software industry is paying increasing attention to free/open source software (F/OSS). However, before integrating a F/OSS component into its software product, a company wants to determine its quality. From a business viewpoint, an interesting approach to assessing quality is to capture the risks of integrating a F/OSS component in a software product. Incidentally, companies increase their benefits from a F/OSS-based development approach if they learn to fully collaborate with the existing F/OSS endeavor, that is, not simply fork the code but learn to interact with the existing F/OSS community and follow its software processes. In such a case, a fair risk assessment should not be limited to source code analysis of a single snapshot in time but should also study the past behavior of the F/OSS community on its F/OSS component.
An important cost item in software development is maintainability; hence, assessing risks related to maintainability is of great interest to software companies. Maintainability of a F/OSS component has a different meaning for each role involved in integrating the open source code into a larger application. Certain roles are concerned with the short term, such as the developer who needs to integrate the selected F/OSS component version into the application, while other roles are more concerned with the mid and long term. In this paper, we focus on the mid- and long-term concerns of the product manager, the project manager and the developers. In particular, we used the Goal-Question-Metric methodology to identify role-relevant questions related to the evolution of certain software metrics. Subsequently, indicators specify metric thresholds, and a risk color is inferred for each indicator from a 4-color scale. In practice, based on the definition of these indicators, the needed software metrics are computed on the main data sources managed by the F/OSS endeavor, such as the bug tracking system or the version control system.
The risk indicators presented have been calibrated on a set of 4 open source Java projects.