[关键词]
[摘要]
开源软件已经成为现代社会的一项关键基础设施, 支撑着几乎所有领域的软件开发. 通过安装依赖、API调用、项目fork、文件拷贝和代码克隆等形式的代码复用, 开源软件之间形成了错综复杂的供应(依赖)关系网络, 被称为开源软件供应链. 一方面, 开源软件供应链为软件开发提供了便利, 已然成为软件行业的基石. 另一方面, 上游软件的风险可以沿着开源软件供应链波及众多的下游软件, 使开源软件供应链呈现牵一发而动全身的特点. 开源软件供应链近年来逐渐成为学术界和工业界的关注焦点. 为了帮助增进研究人员对开源软件供应链的认识, 从整体性的角度, 对开源软件供应链给出定义和研究框架; 然后, 对国内外的研究工作进行系统文献调研, 总结结构与演化、风险传播与管理、依赖管理3个方面的研究现状; 最后, 展望开源软件供应链的研究挑战和未来研究方向.
[Key word]
[Abstract]
Open source software has been a key infrastructure of modern society, supporting software development in almost every field. Through various kinds of code reuse such as install dependency, API call, project fork, file copy, and code clone, open source software forms an intricate supply (i.e., dependency) network, which is referred to as an open source software supply chain. On the one hand, software supply chains facilitate software development and have become the foundation of the software industry. On the other hand, risks from upstream software can affect downstream software along the supply chain, leading to the ripple effect in open source software supply chains. Open source software supply chains have attracted more and more attention from both the academia and the industry. To help advance researchers’ knowledge of open source software supply chains, this study provides a definition and research framework of open source software supply chains from a holistic perspective. Then, it conducts a systematic literature review on worldwide research and summarizes the status quo of research from three aspects: structure and evolution, risk propagation and management, and dependency management. Finally, the study summarizes the challenges and opportunities of future research on open source software supply chains.
[中图分类号]
[基金项目]
国家自然科学基金(61825201)