Implications of Open Source Software Use (or Let's Talk Open Source)

Let’s Talk Open Source

or…

Implications of Open Source Software Use

Gail C. Murphy University of British Columbia

Tasktop Technologies@gail_murphy

A restrictive license has been chosen given unpublished work, and descriptions of others work

2

Who Are You?


Code multiple days a week

Ü

Mostly Organize Coding

Ü

Something Else

Ü

3Let’s Talk Open Source

Here’s My Plan

Integral and Critical!

Managing Useá

Implications„

4

The Take-Aways


Open source: does not mean

free

Open source: use requiresknowledge

Open source: the fabric on which

software development occurs

STARTKeynote Presentation Template

Welcome to the best experience ı have in this presentation

Where a variety of sections, easy and to understand is demonstrated !

Integral and Critical

6

Supply of Open Source Components

Let’s Talk Open Source: Integral and Critical

suppliers total components

>105K >834K

( Java) central repository GitHub project dependences2015 State of the Software: Supply Chain Report (Sonatype)

7

Why Use Open Source Components?


build products (and other components) faster

higher-quality components

lower cost to (re)use

ongoing updates

8

Use of Open Source Components


17.2 Billion Requests Served

Java components in 2014

to >106K organizations

2015 State of the Software: Supply Chain Report (Sonatype)

9

What Happens When Open Source Components Fail?


https://xkcd.com/1354/

10




11




12



Economist, Apr 12, 2014

13

Even When Better Versions of Components Exist…


CVE-2007-6721CVSS 10Exploitability 10

since identification…

11,236 organizations have downloaded the vulnerable component 214,484 times


14

Even When Better Versions of Components Exist…



of 240,757 component downloads by large

financial or technology firms in 2014…

were of known defective part

and or those with a defective part, the defects were older than 2013

7.5%

66%

15

Availability Matters Too


16

The Take-Aways: Integral and Critical

Let’s Talk Open Source: Managing Use





Where a variety of sections, easy and to understand is demonstrated

Managing Use

á

18

Murphy, Personnel Correspondence, 2016

Interviews with Engineering Leaders

SME

4 1 2

19

Interviews with Engineering Leaders


Open beforeClosed

Investigate open source - who else is using? - how many contributors? - support model? - security profile?

Know they might need to fork Some place committers on project

Murphy, Personnel Correspondence, 2016

20

Need for Controls


21

The Take-Aways: Managing Use



free




Implications

„




Analysis of 1000s of GitHub Projects

24

What Kind of Component You Are Depending On?

Let’s Talk Open Source: Implications

Guava

Vault

Junit0%

25%

50%

75%

100%

4 32 256 2048Number of user projects

Rs:

Rat

io o

f use

r pro

ject

s ha

ving

soc

ial i

nter

actio

ns

Palyart, Murphy, Masrani 2016, in progress

25

Set Your Expectations


0

500

1000

1500

4 32 256 2048Number of user projects

Med

ian

invo

lvem

ent t

ime


26



Technical dependence before social interaction

Social interaction before technical dependencePalyart, Murphy, Masrani 2016, in progress

27



1

10

100

1000

10000

Social before technical Technical before social

Num

ber o

f con

trib

utio

ns





Survey about Software Licenses

29

Know the Impact of Choosing an Open Source Component


John has been working on ToDoApp, his own personal task managementapplication. ToDoApp is going to be a desktop-based application that willbe used exclusively by John on his own computer. To make sure he does notlose any of his very special tasks, John is planning to use a lightweightlibrary called LightDB to persist ToDoApp’s data.If LightDB is distributed under the following licenses, would John beallowed to use it as part of ToDoApp?GNU GPL 3.0 GNU LGPL 3.0 MPL 2.0

UnsureNoYesUnsureNoYesUnsureNoYes

Almedia, Murphy, Wilson, Hoye, 2016, under submission

30



If LightDB is distributed under the following licenses, would John beallowed to use it as part of ToDoApp?GNU GPL 3.0 GNU LGPL 3.0 MPL 2.0

YesYes

Yes 375respondents


31



As the lead developer of a new product at GreatSoftware Inc., Laura decided touse an existing authentication library she found on the web called SafeAuth.She realizes that SafeAuth could be improved using a stronger cryptographicalgorithm when storing users’ information. The product is going to be releasedunder a commercial software license, but Laura would like to release theimproved version of SafeAuth as open source.If SafeAuth is distributed under MPL, would Laura and her team be allowed to release the improved version of SafeAuth as open source.GNU GPL 3.0 GNU LGPL 3.0 MPL 2.0

UnsureNoYesUnsureNoYesUnsureNoYes


32



If SafeAuth is distributed under MPL, would Laura and her team be allowed to release the improved version of SafeAuth as open source.GNU GPL 3.0 GNU LGPL 3.0 MPL 2.0

NoNo

Yes 375respondents


33

The Take-Aways: Implications



Illustration copyright Nenov Brothers Images

/Shutterstock

35

The Take-AwaysLet’s Talk Open Source


free




@gail_murphy

Implications of Open Source Software Use (or Let's Talk Open Source)

Software

Transcript of Implications of Open Source Software Use (or Let's Talk Open Source)