TY - GEN
T1 - A Strategic Model of Software Dependency Networks
AU - Fritz, Cornelius
AU - Georg, Co-Pierre
AU - Mele, Angelo
AU - Schweinberger, Michael
N1 - Publisher Copyright:
© 2024 Copyright held by the owner/author(s).
PY - 2024/12/17
Y1 - 2024/12/17
N2 - Software development is a collaborative effort that leverages existing code, which reduces the cost of developing new software. That said, leveraging existing code exposes coders to vulnerabilities, because existing code might contain programming bugs. We study the formation of dependency networks among software repositories, guided by a strategic model of network formation with observable and unobservable heterogeneity. We estimate costs, benefits, and link externalities of a network of 696,790 directed dependencies between 35,473 repositories of the Rust programming language using a scalable statistical algorithm. We find evidence of a positive externality exerted on other coders when coders create dependencies. What is more, we show that coders are likely to link to more popular packages of the same and of other software types. We adopt models for the spread of infectious diseases to measure a package’s systemicness as the number of downstream packages a vulnerability would affect. Systemicness is highly skewed, with the most systemic repository affecting almost 90% of all repositories only two steps away. Finally, we show that protecting only the ten most important repositories reduces vulnerability contagion by nearly 40%.
AB - Software development is a collaborative effort that leverages existing code, which reduces the cost of developing new software. That said, leveraging existing code exposes coders to vulnerabilities, because existing code might contain programming bugs. We study the formation of dependency networks among software repositories, guided by a strategic model of network formation with observable and unobservable heterogeneity. We estimate costs, benefits, and link externalities of a network of 696,790 directed dependencies between 35,473 repositories of the Rust programming language using a scalable statistical algorithm. We find evidence of a positive externality exerted on other coders when coders create dependencies. What is more, we show that coders are likely to link to more popular packages of the same and of other software types. We adopt models for the spread of infectious diseases to measure a package’s systemicness as the number of downstream packages a vulnerability would affect. Systemicness is highly skewed, with the most systemic repository affecting almost 90% of all repositories only two steps away. Finally, we show that protecting only the ten most important repositories reduces vulnerability contagion by nearly 40%.
UR - https://www.scopus.com/pages/publications/85215320874
UR - https://www.scopus.com/inward/citedby.url?scp=85215320874&partnerID=8YFLogxK
U2 - 10.1145/3670865.3673519
DO - 10.1145/3670865.3673519
M3 - Conference contribution
AN - SCOPUS:85215320874
T3 - EC 2024 - Proceedings of the 25th Conference on Economics and Computation
SP - 863
EP - 892
BT - EC 2024 - Proceedings of the 25th Conference on Economics and Computation
PB - Association for Computing Machinery, Inc
T2 - 25th Conference on Economics and Computation, EC 2024
Y2 - 8 July 2024 through 11 July 2024
ER -