Machine Learning Containers are Bloated and Vulnerable

Today's software is bloated leading to significant resource wastage. This bloat is prevalent across the entire software stack, from the operating system, all the way to software backends, frontends, and web-pages. In this paper, we study how prevalent bloat is in machine learning containers. We develop MMLB, a framework to analyze bloat in machine learning containers, measuring the amount of bloat that exists on the container and package levels. Our tool quantifies the sources of bloat and removes them. We integrate our tool with vulnerability analysis tools to measure how bloat affects container vulnerabilities. We experimentally study 15 machine learning containers from the official Tensorflow, Pytorch, and NVIDIA container registries under different tasks, (i.e., training, tuning, and serving). Our findings show that machine learning containers contain bloat encompassing up to 80\% of the container size. We find that debloating machine learning containers speeds provisioning times by up to $3.7\times$ and removes up to 98\% of all vulnerabilities detected by vulnerability analysis tools such as Grype. Finally, we relate our results to the larger discussion about technical debt in machine learning systems.

Software Quality Assessment for Robot Operating System

Robot Operating System (ROS) is widely used in academia and industry, and importantly is leveraged in safety-critical robotic systems. The quality of ROS software can affect the safety and security properties of robotics systems; therefore, reliability and quality are imperative to guarantee. Source code static analysis is a key approach to formally perform software verification. We address two concerns in this paper: (1) conducting a systematic literature review study to provide a complete picture of the existing methods that analyze different aspects of ROS software, (2) performing empirical study to evaluate software properties that can influence the functionality of ROS. We leverage PMD1, an off-the-shelf static analysis tool, to conduct our empirical study over a set of ROS repositories implemented using Java. The survey analysis shows a significant shortcoming in the body of research by the lack of tailored analysis mechanisms for assessing ROS2 code and reveals that the majority of research efforts are centered around ROS1. Our empirical study shows that the Java code of ROS2 does not suffer from serious issues and the majority of the detected alerts are code style issues.