PVAC: Package Version Activity Categorizer, Leveraging Semantic Versioning in a Heterogeneous System
Source: Figshare. Updated: 2025-03-30. Indexed: 2026-04-28.
Download link:
https://figshare.com/articles/dataset/PVAC_Package_Version_Activity_Categorizer_Leveraging_Semantic_Versioning_in_a_Heterogeneous_System/28691561
Description:
Context: Modern open-source software ecosystems, such as those managed by GNU/Linux distributions, are composed of numerous packages developed independently by diverse communities. These ecosystems employ package management tools to facilitate software installation and dependency resolution. However, these tools lack robust mechanisms for systematically evaluating the development activity and versioning dynamics within their heterogeneous software environments.
Objective: This research aims to introduce a systematic method and a prototype tool for assessing version activity within heterogeneous package manager ecosystems, enabling quantitative analysis of software package updates.
Method: We developed PVAC, a Package Version Activity Categorizer, a novel approach that leverages semantic versioning to surface the activity of software packages at both the system level using the Version Number Delta (VND) metric and at the package level using the Activity Categorizer. PVAC utilizes tailored regular expressions to parse semantic versioning details (epoch, major, minor, and patch versions) from diverse package version strings, thereby enabling consistent categorization and quantitative scoring of version changes.
Results: PVAC was empirically evaluated using a dataset of 22,535 packages drawn from recent releases of Debian and Ubuntu GNU/Linux distributions. Our findings demonstrate PVAC's effectiveness for accurately categorizing versioning schemes and quantitatively measuring version activity across releases. We provide empirical evidence confirming that semantic versioning, including adapted variations, is predominantly employed across these ecosystems.
Conclusions: PVAC represents an effective solution for systematically assessing and monitoring the software package version activity within heterogeneous ecosystems. By providing clear metrics for software activity, PVAC aids practitioners and researchers in identifying packages requiring attention, thereby reducing security risks and technical debt.
Created: 2025-03-30



