{"id":"https://openalex.org/W3196277935","doi":"https://doi.org/10.1145/3468264.3468592","title":"LastPyMile: identifying the discrepancy between sources and packages","display_name":"LastPyMile: identifying the discrepancy between sources and packages","publication_year":2021,"publication_date":"2021-08-18","ids":{"openalex":"https://openalex.org/W3196277935","doi":"https://doi.org/10.1145/3468264.3468592","mag":"3196277935"},"language":"en","primary_location":{"id":"doi:10.1145/3468264.3468592","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3468264.3468592","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3468264.3468592","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5080304452","display_name":"Duc\u2010Ly Vu","orcid":"https://orcid.org/0000-0002-5445-2729"},"institutions":[{"id":"https://openalex.org/I193223587","display_name":"University of Trento","ror":"https://ror.org/05trd4x28","country_code":"IT","type":"education","lineage":["https://openalex.org/I193223587"]}],"countries":["IT"],"is_corresponding":true,"raw_author_name":"Duc-Ly Vu","raw_affiliation_strings":["University of Trento, Italy"],"raw_orcid":"https://orcid.org/0000-0002-5445-2729","affiliations":[{"raw_affiliation_string":"University of Trento, Italy","institution_ids":["https://openalex.org/I193223587"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5085639552","display_name":"Fabio Massacci","orcid":"https://orcid.org/0000-0002-1091-8486"},"institutions":[{"id":"https://openalex.org/I193223587","display_name":"University of Trento","ror":"https://ror.org/05trd4x28","country_code":"IT","type":"education","lineage":["https://openalex.org/I193223587"]},{"id":"https://openalex.org/I865915315","display_name":"Vrije Universiteit Amsterdam","ror":"https://ror.org/008xxew50","country_code":"NL","type":"education","lineage":["https://openalex.org/I865915315"]}],"countries":["IT","NL"],"is_corresponding":false,"raw_author_name":"Fabio Massacci","raw_affiliation_strings":["University of Trento, Italy / Vrije Universiteit Amsterdam, Netherlands"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Trento, Italy / Vrije Universiteit Amsterdam, Netherlands","institution_ids":["https://openalex.org/I865915315","https://openalex.org/I193223587"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5080305727","display_name":"Ivan Pashchenko","orcid":"https://orcid.org/0000-0001-8202-576X"},"institutions":[{"id":"https://openalex.org/I193223587","display_name":"University of Trento","ror":"https://ror.org/05trd4x28","country_code":"IT","type":"education","lineage":["https://openalex.org/I193223587"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Ivan Pashchenko","raw_affiliation_strings":["University of Trento, Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Trento, Italy","institution_ids":["https://openalex.org/I193223587"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5064821194","display_name":"Henrik Plate","orcid":"https://orcid.org/0000-0001-8862-3488"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Henrik Plate","raw_affiliation_strings":["SAP Security Research, France"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"SAP Security Research, France","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5040107971","display_name":"Antonino Sabetta","orcid":"https://orcid.org/0000-0003-3506-8374"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Antonino Sabetta","raw_affiliation_strings":["SAP Security Research, France"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"SAP Security Research, France","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5080304452"],"corresponding_institution_ids":["https://openalex.org/I193223587"],"apc_list":null,"apc_paid":null,"fwci":5.2433,"has_fulltext":false,"cited_by_count":45,"citation_normalized_percentile":{"value":0.96487824,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":94,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"780","last_page":"792"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9988999962806702,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9988999962806702,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9983000159263611,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9821000099182129,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8032946586608887},{"id":"https://openalex.org/keywords/python","display_name":"Python (programming language)","score":0.7757443189620972},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.7102481126785278},{"id":"https://openalex.org/keywords/open-source","display_name":"Open source","score":0.6989027261734009},{"id":"https://openalex.org/keywords/javascript","display_name":"JavaScript","score":0.692594051361084},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.5375807881355286},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.5076223611831665},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.4745122790336609},{"id":"https://openalex.org/keywords/software-package","display_name":"Software package","score":0.4711165428161621},{"id":"https://openalex.org/keywords/source-lines-of-code","display_name":"Source lines of code","score":0.4553469121456146},{"id":"https://openalex.org/keywords/compiler","display_name":"Compiler","score":0.4542660117149353},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.44785550236701965},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.4166979193687439},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.41533300280570984},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.37154316902160645}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8032946586608887},{"id":"https://openalex.org/C519991488","wikidata":"https://www.wikidata.org/wiki/Q28865","display_name":"Python (programming language)","level":2,"score":0.7757443189620972},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.7102481126785278},{"id":"https://openalex.org/C3018397939","wikidata":"https://www.wikidata.org/wiki/Q3644502","display_name":"Open source","level":3,"score":0.6989027261734009},{"id":"https://openalex.org/C544833334","wikidata":"https://www.wikidata.org/wiki/Q2005","display_name":"JavaScript","level":2,"score":0.692594051361084},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.5375807881355286},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.5076223611831665},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.4745122790336609},{"id":"https://openalex.org/C3020440742","wikidata":"https://www.wikidata.org/wiki/Q1176855","display_name":"Software package","level":3,"score":0.4711165428161621},{"id":"https://openalex.org/C199519371","wikidata":"https://www.wikidata.org/wiki/Q942695","display_name":"Source lines of code","level":3,"score":0.4553469121456146},{"id":"https://openalex.org/C169590947","wikidata":"https://www.wikidata.org/wiki/Q47506","display_name":"Compiler","level":2,"score":0.4542660117149353},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.44785550236701965},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.4166979193687439},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.41533300280570984},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.37154316902160645},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.0}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1145/3468264.3468592","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3468264.3468592","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering","raw_type":"proceedings-article"},{"id":"pmh:oai:research.vu.nl:openaire/255b4a00-9815-4ec2-93be-e0489641cc14","is_oa":true,"landing_page_url":"https://research.vu.nl/en/publications/255b4a00-9815-4ec2-93be-e0489641cc14","pdf_url":null,"source":{"id":"https://openalex.org/S4306401107","display_name":"VU Research Portal","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I865915315","host_organization_name":"Vrije Universiteit Amsterdam","host_organization_lineage":["https://openalex.org/I865915315"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Vu, D L, Massacci, F, Pashchenko, I, Plate, H & Sabetta, A 2021, LastPyMile: Identifying the discrepancy between sources and packages. in D Spinellis (ed.), ESEC/FSE 2021 : Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. Association for Computing Machinery, Inc, pp. 780-792, 29th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2021, Virtual, Online, Greece, 23/08/21. https://doi.org/10.1145/3468264.3468592","raw_type":"info:eu-repo/semantics/publishedVersion"},{"id":"pmh:oai:iris.unitn.it:11572/323677","is_oa":true,"landing_page_url":"https://dl.acm.org/doi/10.1145/3468264.3468592","pdf_url":null,"source":{"id":"https://openalex.org/S4306401913","display_name":"Institutional Research Information System (Universit\u00e0 degli Studi di Trento)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I193223587","host_organization_name":"University of Trento","host_organization_lineage":["https://openalex.org/I193223587"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"info:eu-repo/semantics/conferenceObject"}],"best_oa_location":{"id":"doi:10.1145/3468264.3468592","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3468264.3468592","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering","raw_type":"proceedings-article"},"sustainable_development_goals":[{"score":0.5099999904632568,"id":"https://metadata.un.org/sdg/9","display_name":"Industry, innovation and infrastructure"}],"awards":[{"id":"https://openalex.org/G2507725256","display_name":null,"funder_award_id":"952647","funder_id":"https://openalex.org/F4320332999","funder_display_name":"Horizon 2020 Framework Programme"},{"id":"https://openalex.org/G2531238691","display_name":null,"funder_award_id":"No. 830892","funder_id":"https://openalex.org/F4320332999","funder_display_name":"Horizon 2020 Framework Programme"},{"id":"https://openalex.org/G3840859003","display_name":null,"funder_award_id":"830892","funder_id":"https://openalex.org/F4320332999","funder_display_name":"Horizon 2020 Framework Programme"},{"id":"https://openalex.org/G6384328479","display_name":null,"funder_award_id":"830929","funder_id":"https://openalex.org/F4320332999","funder_display_name":"Horizon 2020 Framework Programme"},{"id":"https://openalex.org/G7331901853","display_name":null,"funder_award_id":"EU H2020","funder_id":"https://openalex.org/F4320332999","funder_display_name":"Horizon 2020 Framework Programme"}],"funders":[{"id":"https://openalex.org/F4320332999","display_name":"Horizon 2020 Framework Programme","ror":"https://ror.org/00k4n6c32"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":12,"referenced_works":["https://openalex.org/W1979848034","https://openalex.org/W2289139338","https://openalex.org/W2361575844","https://openalex.org/W2742244373","https://openalex.org/W2953558274","https://openalex.org/W3046453918","https://openalex.org/W3081194266","https://openalex.org/W3106855263","https://openalex.org/W3109094705","https://openalex.org/W3120009375","https://openalex.org/W3124116687","https://openalex.org/W6912440877"],"related_works":["https://openalex.org/W2097492617","https://openalex.org/W2461078469","https://openalex.org/W2753240997","https://openalex.org/W123790205","https://openalex.org/W1764168690","https://openalex.org/W2537959205","https://openalex.org/W2085515337","https://openalex.org/W2740895074","https://openalex.org/W2772446090","https://openalex.org/W4387456547"],"abstract_inverted_index":{"Open":[0],"source":[1,4,46,148],"packages":[2,18,84,121,144],"have":[3],"code":[5,47,69,95,149,175],"available":[6],"on":[7,12],"repositories":[8,23],"for":[9,27,30,34,126,135,164],"inspection":[10],"(e.g.":[11,56,66],"GitHub)":[13],"but":[14,119],"developers":[15],"use":[16],"pre-built":[17],"directly":[19],"from":[20],"the":[21,74,100,137,146,174],"package":[22,71,161],"(such":[24],"as":[25],"npm":[26],"JavaScript,":[28],"PyPI":[29,86],"Python,":[31],"or":[32],"RubyGems":[33],"Ruby).":[35],"Such":[36],"convenient":[37],"practice":[38],"assumes":[39],"that":[40],"there":[41],"are":[42],"no":[43],"discrepancies":[44],"between":[45,139],"and":[48,63,114,145],"packages.":[49],"These":[50],"differences":[51,98,138],"pose":[52],"both":[53],"operational":[54],"risks":[55,65],"making":[57],"dependent":[58],"projects":[59],"unable":[60],"to":[61,107,124,158],"compile)":[62],"security":[64],"deploying":[67],"malicious":[68,108],"during":[70],"installation)":[72],"in":[73,85,99],"software":[75,143],"supply":[76],"chain.":[77],"Our":[78],"empirical":[79],"assessment":[80],"of":[81,90,94,142,173,176],"2438":[82],"popular":[83],"with":[87],"an":[88],"analysis":[89],"around":[91],"10M":[92],"lines":[93],"shows":[96],"several":[97],"wild:":[101],"modifications":[102],"cannot":[103],"be":[104,156],"just":[105],"attributed":[106],"injections.":[109],"Yet,":[110],"scanning":[111,162],"again":[112],"all":[113],"whole":[115],"\u2018most":[116],"likely":[117],"good":[118],"modified\u2019":[120],"is":[122],"hard":[123],"manage":[125],"FOSS":[127],"downstream":[128],"users.":[129],"We":[130,151],"propose":[131],"a":[132],"methodology,":[133],"LastPyMile,":[134],"identifying":[136],"build":[140],"artifacts":[141],"respective":[147],"repository.":[150],"show":[152],"how":[153],"it":[154],"can":[155],"used":[157],"extend":[159],"current":[160],"practices":[163],"malware":[165],"injection":[166],"(which":[167],"only":[168],"covers":[169],"less":[170],"than":[171],"1%":[172],"deployed":[177],"packages).":[178]},"counts_by_year":[{"year":2025,"cited_by_count":11},{"year":2024,"cited_by_count":11},{"year":2023,"cited_by_count":11},{"year":2022,"cited_by_count":10},{"year":2021,"cited_by_count":2}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}