Embedded Files
RQ4 delve into the reasons behind their occurrence. We have reached out to the community with questionnaires regarding four questions: (1) Why not release the patch version after the fixing commits; (2) Why did it take a long time to release the patch versions; (3) Why not index the patch versions; (4) Why not fix the vulnerable dependencies in the Golang repositories.
Findings
Absent Patch Version Releases.
4.4.1.xlsxFinding-8: Considering that developers from 3 repositories have not explicitly disclosed their vulnerability fixes, it could facilitate the adoption of patches if maintainers explicitly mention the vulnerability fixing in patch releases.
Delayed Patch Version Releases.
rq4.4.2.xlsxFinding-9: Two primary factors hinder patch version releases: testing-phase issues and inadequate features. To expedite patch releases, maintainers can utilize pre-releases for vulnerability patches. Moreover, explicitly exposing vulnerability patches is recommended for swift patch adoption by the community.
Not Pushing Patch Version to Golang Index.
4.4.3.xlsxFinding-10: All maintainers who responded agreed with our observations and suggestions. Nevertheless, to facilitate patch propagation, the Golang release mechanism should index new versions as soon as possible without relying on self-motivated maintainers.
Not Fixing the Vulnerability.
4.4.4.xlsxFinding-11: The majority of maintainers addressed the vulnerabilities in a timely manner once they became aware of the presence of vulnerabilities in their projects.
Page updated
Google Sites
Report abuse