A talk given to the UBC Computer Science Alumni group discussing a number of implications of the use of open source as part of the global software supply chain.
Implications of Open Source Software Use (or Let's Talk Open Source)
1. Let’s Talk Open Source, or Implications of Open Source Software Use
Gail C. Murphy
University of British Columbia
Tasktop Technologies
@gail_murphy
A restrictive license has been chosen given unpublished work and descriptions of others’ work.
2. Who Are You?
- Code multiple days a week
- Mostly organize coding
- Something else
3. Here’s My Plan
- Integral and Critical
- Managing Use
- Implications
4. The Take-Aways
- Open source: does not mean free
- Open source: use requires knowledge
- Open source: the fabric on which software development occurs
5. Integral and Critical
6. Supply of Open Source Components
- >105K suppliers
- >834K total components
- Measured from the (Java) Central repository and GitHub project dependencies
2015 State of the Software Supply Chain Report (Sonatype)
7. Why Use Open Source Components?
- build products (and other components) faster
- higher-quality components
- lower cost to (re)use
- ongoing updates
8. Use of Open Source Components
17.2 billion requests served for Java components in 2014, to >106K organizations.
2015 State of the Software Supply Chain Report (Sonatype)
9. What Happens When Open Source Components Fail?
https://xkcd.com/1354/
12. What Happens When Open Source Components Fail?
Economist, Apr 12, 2014
13. Even When Better Versions of Components Exist…
CVE-2007-6721: CVSS 10, Exploitability 10
Since identification, 11,236 organizations have downloaded the vulnerable component 214,484 times.
2015 State of the Software Supply Chain Report (Sonatype)
14. Even When Better Versions of Components Exist…
Of 240,757 component downloads by large financial or technology firms in 2014, 7.5% were of a known defective part; and of those with a defective part, 66% had defects older than 2013.
2015 State of the Software Supply Chain Report (Sonatype)
16. The Take-Aways: Integral and Critical
Open source: the fabric on which software development occurs
17. Managing Use
19. Interviews with Engineering Leaders
- Open before closed
- Investigate open source:
  - who else is using it?
  - how many contributors?
  - support model?
  - security profile?
- Know they might need to fork
- Some place committers on the project
Murphy, personal correspondence, 2016
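The checklist above asks about a component's security profile, and the Sonatype figures earlier in the talk show known-vulnerable versions still being downloaded long after fixed versions exist. The following is an added example, not code from the talk or from the cited report: a small Python audit that checks a resolved dependency list against an advisory table with affected-version ranges and reports what to upgrade to. The advisory identifiers (ADV-0001 and so on), the org.example coordinates, the version ranges, the CVSS scores and the dependency list are all constructed for illustration; the component names reuse the hypothetical LightDB and SafeAuth from the licensing scenarios.

```python
"""Audit a resolved dependency list against an advisory table.

Added example for this talk; not code from the talk or from Sonatype.
Every identifier, coordinate, version range and score below is
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # hypothetical identifier, not a real CVE
    group: str
    artifact: str
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None means no fix yet
    cvss: float


# Constructed advisory table (hypothetical components and ranges).
ADVISORIES = [
    Advisory("ADV-0001", "org.example", "lightdb", "1.0", "1.4.2", 9.8),
    Advisory("ADV-0002", "org.example", "safeauth", "2.0", None, 7.5),
    Advisory("ADV-0003", "org.example", "lightdb", "1.4.0", "1.4.1", 5.3),
]

# Constructed resolved dependency list in group:artifact:version form.
DEPENDENCIES = """
# resolved dependencies (constructed)
org.example:lightdb:1.4.1
org.example:safeauth:2.3.0-beta1
org.example:utils:3.1
com.example:json:0.9.9
"""

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z][\w.]*))?$")


def parse_version(v: str) -> tuple:
    """Make a version string comparable.

    Numeric components become a tuple of ints padded to four places
    (1.2 == 1.2.0.0); a release with no qualifier sorts after any
    pre-release of the same number, so 1.4.2-rc1 < 1.4.2.
    """
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    qualifier = m.group(2)
    return (nums, 1 if qualifier is None else 0, qualifier or "")


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def parse_dependencies(text: str) -> list:
    """Parse group:artifact:version lines; blank lines and # comments are skipped."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"expected group:artifact:version, got {line!r}")
        deps.append(tuple(parts))
    return deps


def audit(deps, advisories) -> list:
    """Return one finding per (dependency, advisory) match, highest CVSS first.

    Only direct coordinates in the list are checked; transitive resolution
    is assumed to have happened before the list was produced.
    """
    findings = []
    for group, artifact, version in deps:
        for adv in advisories:
            if (group, artifact) == (adv.group, adv.artifact) and is_affected(version, adv):
                findings.append({
                    "coordinate": f"{group}:{artifact}:{version}",
                    "advisory": adv.advisory_id,
                    "cvss": adv.cvss,
                    "fixed": adv.fixed,
                })
    findings.sort(key=lambda f: -f["cvss"])
    return findings


if __name__ == "__main__":
    for f in audit(parse_dependencies(DEPENDENCIES), ADVISORIES):
        action = (f"upgrade to {f['fixed']}" if f["fixed"]
                  else "no fixed version; consider forking or replacing")
        print(f"{f['coordinate']}: {f['advisory']} (CVSS {f['cvss']}) - {action}")
```

Two details matter in practice and are easy to get wrong: a pre-release of the fixed version (1.4.2-rc1) is still inside the affected range, and an advisory with no fixed version should surface as a fork-or-replace decision rather than silently dropping out of the report, which is exactly the "know they might need to fork" point from the interviews.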
22. Implications
23. Analysis of 1000s of GitHub Projects
24. What Kind of Component Are You Depending On?
[Figure: Rs, the ratio of user projects having social interactions (0% to 100%), plotted against the number of user projects (log scale, 4 to 2048); Guava, Vault and JUnit are marked.]
Palyart, Murphy, Masrani 2016, in progress
25. Set Your Expectations
[Figure: median involvement time (0 to 1500) plotted against the number of user projects (log scale, 4 to 2048).]
Palyart, Murphy, Masrani 2016, in progress
26. Set Your Expectations
Two patterns of involvement: technical dependence before social interaction, and social interaction before technical dependence.
Palyart, Murphy, Masrani 2016, in progress
27. Set Your Expectations
[Figure: number of contributions (log scale, 1 to 10000) for projects with social interaction before technical dependence versus technical dependence before social interaction.]
Palyart, Murphy, Masrani 2016, in progress
28. Survey about Software Licenses
29. Know the Impact of Choosing an Open Source Component
John has been working on ToDoApp, his own personal task management application. ToDoApp is going to be a desktop-based application that will be used exclusively by John on his own computer. To make sure he does not lose any of his very special tasks, John is planning to use a lightweight library called LightDB to persist ToDoApp’s data.
If LightDB is distributed under the following licenses, would John be allowed to use it as part of ToDoApp?
- GNU GPL 3.0: Yes / No / Unsure
- GNU LGPL 3.0: Yes / No / Unsure
- MPL 2.0: Yes / No / Unsure
Almeida, Murphy, Wilson, Hoye, 2016, under submission
30. Know the Impact of Choosing an Open Source Component
If LightDB is distributed under the following licenses, would John be allowed to use it as part of ToDoApp? (375 respondents)
- GNU GPL 3.0: Yes
- GNU LGPL 3.0: Yes
- MPL 2.0: Yes
Almeida, Murphy, Wilson, Hoye, 2016, under submission
31. Know the Impact of Choosing an Open Source Component
As the lead developer of a new product at GreatSoftware Inc., Laura decided to use an existing authentication library she found on the web called SafeAuth. She realizes that SafeAuth could be improved using a stronger cryptographic algorithm when storing users’ information. The product is going to be released under a commercial software license, but Laura would like to release the improved version of SafeAuth as open source.
If SafeAuth is distributed under the following licenses, would Laura and her team be allowed to release the improved version of SafeAuth as open source?
- GNU GPL 3.0: Yes / No / Unsure
- GNU LGPL 3.0: Yes / No / Unsure
- MPL 2.0: Yes / No / Unsure
Almeida, Murphy, Wilson, Hoye, 2016, under submission
32. Know the Impact of Choosing an Open Source Component
If SafeAuth is distributed under the following licenses, would Laura and her team be allowed to release the improved version of SafeAuth as open source? (375 respondents)
- GNU GPL 3.0: No
- GNU LGPL 3.0: No
- MPL 2.0: Yes
Almeida, Murphy, Wilson, Hoye, 2016, under submission
35. The Take-Aways
- Open source: does not mean free
- Open source: use requires knowledge
- Open source: the fabric on which software development occurs
@gail_murphy