Slashdot Mirror

← Back to Stories (view on slashdot.org)

QA Under The Open Source Development Model

Posted by timothy on from the sound-the-pdf-klaxon dept.

carrowood writes "A survey was conducted questioning open source developers from both large and small projects concerning their quality assurance practices. A research paper based on the survey result was just published in the Journal of Systems and Software. Some comparisions between QA practices of open vs closed source projects are made with some interesting observations. While on the whole it looks like open source QA can be as good as that in traditional software development, there were a few areas pointed out where the open source community does not do so well, such as regression testing and setting release dates. A thought provoking read."

20 of 180 comments (clear)

  1. If you want a release date.... by Boss,+Pointy+Haired · · Score: 4, Insightful

    ...then you can go and buy software developed out of a motivation for financial gain.

    Surely open source projects exist for other motivations, and hence have less (if any) need to aim towards release dates.

    After all, in the business world the sheer fact that you _have_ to get something out by a particular date (because marketing / the bean counters said so) contributes significantly to the quality problems.

    1. Re:If you want a release date.... by iabervon · · Score: 2, Insightful

      If you want a release date, go for nightly builds. They're always released on time.

      The focus on release dates, I think, is due to not allowing access to the code at other times. If you've implemented some functionality, and people want it, and they can't get it because you haven't released the next version, there's pressure to hurry the next version. If anyone can get the current code at any time, there's no reason to change the version number without implementing everything you want to get into this release. Having an official release only makes sense when you've managed to implement and stabilize a chunk of new functionality, and want to make this available to more conservative users. This is not really a function of time.

  2. QA is harrrrd by The+Bungi · · Score: 5, Insightful
    It's hard when everyone is sitting on the same floor of the same building - it must certainly be a *lot* harder under the distributed development model.

    Ultimately, while development can, in certain cases, be done in a vacuum, QA cannot (and should not). It's by nature a collaborative and interactive process.

    I have nothing but respect for the few (good) QA engineers I've worked with.

    1. Re:QA is harrrrd by bentcd · · Score: 2, Insightful

      I don't believe in having a programmer do the formal QA of his own code. He's already fixed the bugs that pop up when it's being used in the way he uses it and I even suspect that we subcounsciously avoid using it in ways that we suspect may touch upon flakey bits of code.

      Having the programmer do the QA on something written by an altogether different programmer is something else entirely though. Programmers tend to be more expensive than testers though, so it might get a tad on the costly side.

      --
      sigs are hazardous to your health
    2. Re:QA is harrrrd by __past__ · · Score: 2, Insightful
      Donald Knuth wrote, about TeX, that a programmer should also do QA, use the program, and write the manual.
      He also said that hard programs can only be written by a single programmer. This is just not an option in a world where you can't just take 10 years off to write TeX because the look of your books isn't satisfying. Most people just aren't Don Knuth - they are neither geniuses nor professors for the Art of Computer Programming.
      --
      Programming can be fun again. Film at 11.
  3. Not setting releases dates ? by roard · · Score: 4, Insightful

    Well, the fact that no releases dates are setted are more a good point than a bad one ! Of course, in an ideal world where software would be released on dates (!), they won't have bugs either. But in the real world, must proprietary software aren't on schedules, and anyway, when they are, this is often at the detriment of the number of remaining bugs and/or dismiss of some features.
    In the free software world, the software is released when ready. So, of course they don't set release date (generally speaking -- some projects have regular releases). But I hardly see that as an obvious bad point. It could be on the contrary one of the strength of the free software.
    At least, programmers on free software releases when they are happy with the code.

  4. Re:ISO by zagy · · Score: 5, Insightful

    I suspect clients requiring ISO 9001 just go for commercial software. One part of OSS often is to refuse warranty and alike - IMO this does not quite fit into ISO 9001.

  5. hmmm..... by Xtifr · · Score: 4, Insightful

    In my many years of experience, I have to say that regression testing is not as common in proprietary software development as it should be (and frequently not as common as claimed). Furthermore, while I don't want to say that regression testing is less important for Libre Software, I will say that I think it's probably more important for proprietary software, where the programmers are writing for a paycheck, rather than for pride, and are frequently under intense deadline pressure (which in turn, frequently leads to testing/QA of all types being skimped).

    As for no release dates, anyone who doesn't recognise that as an advantage of Libre Software simply lacks any clue about the process. Sure, there are downsides, but nothing's perfect. Free, reliable, on-time, pick any two. :)

    1. Re:hmmm..... by deranged+unix+nut · · Score: 2, Insightful

      I only have three years of professional software testing experience, and the company that I work for seems to be good about running regression tests every week, sometimes every day and even though there are deadline pressures they do let testing drive the release schedule.

      I have chatted with testers at other companies who have disasterous process and for which testing isn't taken seriously, so it isn't universal.

      I would venture to say that software quality is only as good as the people in charge of it's development and their commitment to quality.

  6. If your not trying to sell it... by Faith_Healer · · Score: 3, Insightful

    When I release code I realy dont care about getting any certifications and accridations linked to it. I write code to be usefull not to be noticed. You use open source at your own risk, and the beauty of it is if you dont like it you can just change it. Why would you need a quality assurance process in place for open source. If its open and its quality people will use it. If it doesnt work then people will just blow it off. Does any one else share in my oppinion?

    --
    Faith_Healer -- The antethsis to almost everything, and the worlds worst speller.
  7. Re:Free Doctoral Thesis by Xtifr · · Score: 3, Insightful

    Free software is not used by "ALL possible users", it's used by interested users. The size of the user-base varies greatly from project to project. And no, speaking from experience, I can assure you that not all bugs are found w/in 4 months. Subtle timing or edge-case bugs can lurk for years before leaping out to destroy someone's critical data. (And this is true with both proprietary and libre software.)

    One thing this study didn't seem to look at though, was the size of the user-base of the projects studied (of course, this is a hard thing to measure, but interesting). I think it would be useful to see what sorts of correlations (if any) there are between QA practices of a project, size of the user-base (popularity), and the overall quality of a project. Can a large user-base help make up for poor QA practices, or is a project with better QA more likely to attract users due to its higher reliability? Do users even care about quality and reliability, or do they just say they do? Interesting questions for which I don't have answers.

  8. Re:ISO by Surak · · Score: 2, Insightful

    Do any open source projects get audited for ISO 9001 compliance?

    Who would pay for it? ISO 9001 auditing is VERY expensive.

    --
    My journal has hot /. gossip.
  9. OSS QA will always be two-faced. by Dthoma · · Score: 4, Insightful

    The open source development model allows tremendous flexibility, allowing members of a development team to be dropped or added at a moment's notice. With the source readily available, one can become familiar with a project's code before applying to be given access to the CVS or equivalent repository. Gradual accretion may produce code in a style not unlike that of James A. A. Joyce's Ulysses manuscripts, but, like James A. A. Joyce, all of the core developers can easily jump from point to point in the code and comprehend the necessary sections and the C/PHP/Python/Java equivalent of their allusions.

    Unfortunately, as a result of this decentralised development system, commercial QA, support and RHQ are not as readily available. I'm a middle manager and my company has had a double-sided experience with the MySQL AB organization. They produce a fine product which is perfect for a medium sized corporation such as the one I work for (which shall remain nameless). MySQL worked very well for us, but unfortunately at one point we started receiving segmentation faults when there were more than 30 connections or if a query was greater than 2,048 characters in length. We have reported these bugs to MySQL AB but they have not yet fixed them in their latest gamma/production release. However, they have been very polite and are always willing to cooperate with us; even if small portions of the code are not yet fixable and have escaped the relatively poor QA of the EOD, their TOS have always been reasonable and our MD has always been able to CWT regarding the slight problems and BS our way around them.

    --

    Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".

  10. Not Open Source at all by kenneth_martens · · Score: 2, Insightful

    I'm tired of all this talk about open source development vs. closed source development. That's not the issue here.

    It doesn't matter so much whether the source is open or closed as it does who is in charge of the project. Any company could use standard software development methods to produce open source software. Similarly, any company could hire developers all over the world, and have them work together on a project without ever having met.

    It's not an open vs. closed thing, and it has little to do with licensing. It just happens that most companies use standard development techniques and don't release as open source.

  11. No surprise to QA folks by Anonymous Coward · · Score: 5, Insightful
    QA is a weak point of OSS. Over the years I've occasionally tested OSS to check out what seemed to be inflated claims of quality. Everything I've tested so far has more or less failed to pass muster. The biggest failures are in complexity metrics such as the Halstead or McCabe tests. I don't mean marginal failures or borderline cases. I'm talking huge blowouts. Nothing seems to be immune, from nasm to the OpenBSD ftpd. And fixing the problem is usually so simple--decompose a complex function or procedure into several simpler ones.

    Other areas of problems are attributable to slovenly or "don't give a damn" attitudes--unused variables, unreachable code, "magic number" constants, and so on. Ignoring values returned by a function are very common. Maybe it is acceptable with a library function, but why return a value if you aren't going to use it? It's better to make the function into a procedure by returning void. On a more theoretical level, the use of weak typing even when the language allows for tighter specification of variables. Strong typing is designed to prevent such oddities and inadvertently multiplying a color by date.

    However, in the end it all comes back to complexity. And that is where the biggest improvement in OSS quality can be obtained.

  12. Re:Release Dates ????? by Anonymous Coward · · Score: 1, Insightful

    For example, anyone with half a clue in the IT profession is aware that you NEVER NEVER NEVER take on board a x.0 release of any Microsoft product

    ..while those with 1/1 clue complete their internal tests and then decides whether to deploy or not?

    Sure, there are bugs in any "x.0" release, and not just from Microsoft. Still, every company has its own IT environment, and in many cases even a first release may be stable enough -- YMMV, each one has to decide for themselves.

    Also, you have to compare the risk of an "early" deployment with the potential benefits that you'll get with the upgrade, such as better performance, security, new features or whatever.

    Mattias

  13. Re:Free Doctoral Thesis by deranged+unix+nut · · Score: 2, Insightful

    And no, speaking from experience, I can assure you that not all bugs are found w/in 4 months. Subtle timing or edge-case bugs can lurk for years before leaping out to destroy someone's critical data. (And this is true with both proprietary and libre software.)

    I'll second that! I have been responsible for, and paid to test a reasonably large administration tool for the last three years. This product was developed and tested for at least 4 years prior to my employment. Even after 4 years of someone else actively testing it, and another 3 years of active testing, I am *STILL* finding new bugs in scenarios that I hadn't previously considered.

    I have been noticing a rather disturbing trend:
    First, a new feature or large code change is introduced.
    Second, I spend at least as much time developing a test plan and doing an initial test pass as the developer spent coding the change, and frequently up to 5 times as long. I probably find 40 percent of the bugs in this pass, and when I am finished, all of the major scenarios that I can initially think about work correctly.
    Third, I spend another block of time writing automated tests while the developer fixes some of the lower priority bugs. I might find another 5 percent of the bugs in this stage.
    Fourth, I work on some other area of testing for a while, and then I hit this feature again looking for test holes and I find another 5 percent.
    Fifth, I repeat this loop of looking for test holes and discuss the features with other testers, do testcase reviews, etc. and find another 20 percent of the bugs over a period of months.
    Sixth, sometime later the developer mentions what seems to be an innocuous little bit of information, that turns out to be a critical omission in the spec and I find another 15 percent of the bugs.

    At this point, it is several months later and we have only found 85 percent of the bugs.

    Ten percent of the remaining bugs will be found by co-workers, beta testers and customers.

    The final five percent, might not be found for a number of years even with heavy testing.

    Even with years of time, every possible combination of inputs in every possible configuration and every possible usage scenario is not possible to test. For the program that I happen to test, this works out to be in the range of 10^85 unique tests. In order to test every possible input, I'd be testing until after the sun burns out and this program isn't that big.

    Fortunately, equivalence classes bring this down very significantly, and I can complete a test pass in about 40 days. The danger is in incorrently assuming that a set of values all belong to an equivalence class.

  14. Re:ISO by ClosedSource · · Score: 2, Insightful

    I would say that the process used is predicatable but the outcome for each project can still be better, worse, or the same as a previous project.

    Why? Because using the same process to develop different projects is like using the same algorithm for every mathematical problem, in general it's going to be inappropriate most of the time.

    Each project typically has its own goals, deadlines, customers, implementors, managers and economics. To be successful, the process has to reflect those realities.

    Trying to come up with a single process that handles all situations optimally requires that you deeply understand all the projects you will ever create in the future.

    The practical reality is if you feed the ISO beast enough money and make the right kind of politically correct noises you get entry into the club and get to use your certification as a marketing tool.

    Sometimes government agencies require ISO or CSI certification which is a great way for old, large and slow companies to hold off their more nimple competitors by requiring complicated processes that are too expensive for smaller companies to afford and are likely to slow them down.

  15. Regression tests just aren't part of the objective by slank · · Score: 2, Insightful

    In my experience, most (not all, of course) Open Source projects aren't concerned with backward compatibility outside of the scope of the project itself. Regression testing in OSS is folded into the bug testing.

    That's one of the downsides of OSS. The biggest example: When you upgrade your libc, you have to recompile all of your dependent apps. One thing Windows and Solaris have going for them is that you can run a 5 year old binary on the newest version of the OS and it will almost always work.

    It's a big burden on the development team to provide support for old interfaces, but this sort of thing is where OSS has a long way to go. It gets really expensive for individual persons/companies to support (bugfix, etc.) packages that are a few revisions old.

  16. Re:ISO 9001 et al. by Anonymous Coward · · Score: 1, Insightful

    Translation:

    It's really just a shiny bullet point for PHBs that the ISO is selling.