Fixing Vulnerabilities Potentially Hinders Maintainability
arXiv - CS - Software Engineering. Pub Date: 2021-06-06, DOI: arxiv-2106.03271
Sofia Reis, Rui Abreu, Luis Cruz

Security is a requirement of utmost importance for producing high-quality software. However, a considerable number of vulnerabilities are still being discovered and fixed almost weekly. We hypothesize that developers affect the maintainability of their codebases when patching vulnerabilities. This paper evaluates the impact of security patches on the maintainability of open-source software. Maintainability is measured with the Better Code Hub model of 10 guidelines on a dataset that includes 1300 security-related commits. Results show evidence of a trade-off between security and maintainability in 41.90% of the cases, i.e., developers may hinder software maintainability when fixing vulnerabilities. Our analysis shows that 38.29% of patches increased software complexity and 37.87% of patches increased the percentage of LOCs per unit. The implications of our study are that changes to codebases while patching vulnerabilities need to be performed with extra care; tools for patch risk assessment should be integrated into the CI/CD pipeline; computer science curricula need to be updated; and more secure programming languages are necessary.

Updated: 2021-06-08