WP1 DIGIT B1 - EP Pilot Project 645 Deliverable 4: Analysis of Software Development Methodologies Used in the FOSS Communities Specific contract n°226 under Framework Contract n° DI/07172 – ABCIII February 2016 DIGIT Fossa WP1 – Governance and Quality of Software Code – Auditing of Free and Open Source Software. Deliverable 4: Analysis of Software Development Methodologies Used in the FOSS Communities Author: Disclaimer The information and views set out in this publication are those of the author(s) and do not necessarily reflect the official opinion of the Commission. The content, conclusions and recommendations set out in this publication are elaborated in the specific context of the EU – FOSSA project. The Commission does not guarantee the accuracy of the data included in this study. All representations, warranties, undertakings and guarantees relating to the report are excluded, particularly concerning – but not limited to – the qualities of the assessed projects and products. Neither the Commission nor any person acting on the Commission’s behalf may be held responsible for the use that may be made of the information contained herein. © European Union, 2016. Reuse is authorised, without prejudice to the rights of the Commission and of the author(s), provided that the source of the publication is acknowledged. The reuse policy of the European Commission is implemented by a Decision of 12 December 2011. Document elaborated in the specific context of the EU – FOSSA project. Reuse or reproduction authorised without prejudice to the Commission’s or the authors’ rights. Page 2 of 146 DIGIT Fossa WP1 – Governance and Quality of Software Code – Auditing of Free and Open Source Software. Deliverable 4: Analysis of Software Development Methodologies Used in the FOSS Communities Contents CONTENTS............................................................................................................................................. 3 LIST OF TABLES ................................................................................................................................... 6 LIST OF FIGURES ................................................................................................................................. 7 ACRONYMS AND ABBREVIATIONS ................................................................................................... 8 1 INTRODUCTION .............................................................................................................................. 9 1.1. OBJECTIVE OF THIS DOCUMENT AND INTENDED AUDIENCE ............................................................. 9 1.2. SCOPE ........................................................................................................................................ 9 1.3. DOCUMENT STRUCTURE .............................................................................................................. 9 1.4. KEY SUCCESS FACTORS ............................................................................................................ 10 1.5. DELIVERABLES .......................................................................................................................... 10 2 METHODOLOGICAL APPROACH TO BUILDING THE ANALYSIS ........................................... 11 2.1. SELECTION OF PROJECTS, ENGAGEMENT WITH FREE AND OPEN SOURCE SOFTWARE COMMUNITIES AND INFORMATION GATHERING ............................................................................................................. 11 2.2. INFORMATION CLASSIFICATION AND FILTERING PROCESS ............................................................ 12 2.3. ANALYSIS OF THE INFORMATION ................................................................................................. 12 3 SOFTWARE DEVELOPMENT METHODOLOGIES, BEST PRACTICES, FRAMEWORKS, LIBRARIES AND TOOLS USED IN THE PROJECTS ANALYSED FROM THE FOSS COMMUNITIES ..................................................................................................................................... 14 3.1. METHODOLOGIES USED BY THE ANALYSED FOSS COMMUNITIES DURING THE SOFTWARE DEVELOPMENT LIFECYCLE .................................................................................................................... 15 3.2. BEST PRACTICES USED BY THE ANALYSED FOSS COMMUNITIES DURING THE SOFTWARE DEVELOPMENT LIFECYCLE .................................................................................................................... 19 3.3. TOOLS USED BY THE ANALYSED FOSS COMMUNITIES DURING THE SOFTWARE DEVELOPMENT LIFECYCLE ........................................................................................................................................... 74 3.4. LIBRARIES AND BUILDING BLOCKS USED BY THE ANALYSED FOSS COMMUNITIES DURING THE SOFTWARE DEVELOPMENT LIFECYCLE ................................................................................................ 110 3.5. PROGRAMMING LANGUAGES USED BY THE ANALYSED FOSS COMMUNITIES DURING THE SOFTWARE DEVELOPMENT LIFECYCLE .................................................................................................................. 116 4 ANALYSIS OF IDENTIFIED SOFTWARE DEVELOPMENT METHODOLOGIES USED IN FOSS COMMUNITIES ................................................................................................................................... 122 4.1. PROJECT MANAGEMENT .......................................................................................................... 123 Document elaborated in the specific context of the EU – FOSSA project. Reuse or reproduction authorised without prejudice to the Commission’s or the authors’ rights. Page 3 of 146 DIGIT Fossa WP1 – Governance and Quality of Software Code – Auditing of Free and Open Source Software. Deliverable 4: Analysis of Software Development Methodologies Used in the FOSS Communities 4.1.1. Methodologies ................................................................................................................ 123 4.1.2. Conclusion ...................................................................................................................... 125 4.2. SOFTWARE DEVELOPMENT LIFECYCLE ..................................................................................... 125 4.2.1. Software Development Lifecycle Methodologies ........................................................... 125 4.2.1.1. Methodologies ............................................................................................................. 125 4.2.1.2. Tools ........................................................................................................................... 126 4.2.1.3. Conclusion .................................................................................................................. 127 4.2.2. Security Definition ........................................................................................................... 127 4.2.2.1. Security Requirements ................................................................................................ 127 4.2.2.2. Security Awareness .................................................................................................... 128 4.2.2.3. Conclusion .................................................................................................................. 130 4.2.3. Testing and Validation .................................................................................................... 130 4.2.3.1. Automatic Testing ....................................................................................................... 131 4.2.3.2. Security Testing .......................................................................................................... 131 4.2.3.3. Validation Testing ........................................................................................................ 132 4.2.3.4. Tools and Methods...................................................................................................... 132 4.2.4. Release Management .................................................................................................... 132 4.2.4.1. Conclusion .................................................................................................................. 133 4.2.4.2. Release Planning ........................................................................................................ 133 4.2.4.3. Continuous Testing and Validation ............................................................................. 133 4.2.4.4. Channels and Tools Used ........................................................................................... 134 4.2.4.5. Conclusion .................................................................................................................. 134 4.2.5. Inspection and Code Review .......................................................................................... 135 4.2.5.1. Code Review ............................................................................................................... 135 4.2.5.2. Tools ........................................................................................................................... 135 4.2.5.3. Projects Reviewed by Security Experts ...................................................................... 136 4.2.5.4. Phase Where the Project is Reviewed by Security Experts ....................................... 136 4.2.5.5. Conclusion .................................................................................................................