Uncovering and Mitigating the Impact of Frozen Package Versions for Fixed-Release Linux
Wei Tang, Zhengzi Xu, Chengwei Liu, Ping Luo, Yang Liu

TL;DR
This paper analyzes the evolution of Debian's package dependency graph to identify compatibility and security issues caused by fixed-release Linux ecosystems, and proposes a novel environment separation approach with a prototype tool.
Contribution
It provides a comprehensive study of Debian's dependency evolution and introduces ccenv, a new package management approach to mitigate ecosystem gaps.
Findings
Identified compatibility issues in fixed-release Linux ecosystems.
Detected security threats linked to dependency evolution.
Proposed a new environment separation method with a working prototype.
Abstract
Towards understanding the ecosystem gap of fixed-release Linux that is caused by the evolution of mirrors, we conducted a comprehensive study of the Debian ecosystem. This study involved the collection of Debian packages and the construction of the dependency graph of the Debian ecosystem. Utilizing historic snapshots of Debian mirrors, we were able to recover the evolution of the dependency graph for all Debian releases, including obsolete ones. Through the analysis of the dependency graph and its evolution, we investigated from two key aspects: (1) compatibility issues and (2) security threats in the Debian ecosystem. Our findings provide valuable insights into the use and design of Linux package managers. To address the challenges revealed in the empirical study and bridge the ecosystem gap between releases, we propose a novel package management approach allowing for separate…
Taxonomy
Topics: Scientific Computing and Data Management · Advanced Data Storage Technologies · Distributed and Parallel Computing Systems
