Software development depends heavily on open source projects. From operating systems to editors, we use open source software everywhere. Nevertheless, we should be careful about what we are using, and we should go through a checklist to see whether a piece of software meets our expectations. If the company or the team has no such guideline, we should set one up. So, without further ado, let's see what we should check before using open source software.
Security
A problematic open source component can open up a huge risk for your product. What should developers do about potential vulnerabilities? The least that can be done is to consult the National Vulnerability Database (NVD), the Common Vulnerabilities and Exposures (CVE) list, and OWASP Dependency-Check. Unfortunately, security vulnerabilities are often discovered months after the vulnerable version shipped, and in some cases only after years. Thus, we should check the dependent libraries continuously, not just once at adoption time, and ideally automate the check with the OWASP Dependency-Check build plugins so that it runs on every build.
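As an added illustration of the "automate it" point (this is example code, not from the original post or the Dependency-Check project), the script below gates a build on a Dependency-Check JSON report: it fails when any finding reaches a CVSS threshold, unless the CVE has a written justification recorded in an accepted-findings map. The report is constructed inline, the field names (`dependencies[].fileName`, `vulnerabilities[].name`, `cvssv3.baseScore`, `cvssv2.score`) are assumed from the tool's report format, and the CVE identifiers are placeholders.

```python
"""Build gate over an OWASP Dependency-Check JSON report (added example).

The report below is constructed, not real tool output; field names are
assumed from the tool's JSON report format and CVE ids are placeholders.
"""
import json
from typing import Dict, List, Optional

SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "libfoo-1.2.3.jar", "vulnerabilities": [
            {"name": "CVE-PLACEHOLDER-0001", "severity": "CRITICAL",
             "cvssv3": {"baseScore": 9.8}},
            {"name": "CVE-PLACEHOLDER-0002", "severity": "MEDIUM",
             "cvssv3": {"baseScore": 5.3}},
        ]},
        {"fileName": "libbar-0.9.0.jar", "vulnerabilities": [
            # Older entry scored only under CVSS v2 (constructed).
            {"name": "CVE-PLACEHOLDER-0003", "severity": "HIGH",
             "cvssv2": {"score": 7.5}},
        ]},
        {"fileName": "libclean-2.0.0.jar"},  # no known vulnerabilities
    ]
})


def score_of(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, else 0.0."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    return float(v2.get("score", 0.0))


def findings_above(report_json: str, threshold: float,
                   accepted: Optional[Dict[str, str]] = None) -> List[dict]:
    """Findings at or above `threshold`, highest score first.

    `accepted` maps a CVE id to a written justification; it plays the role of
    a suppression file, so every skipped finding has a recorded reason.
    """
    accepted = accepted or {}
    report = json.loads(report_json)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = score_of(vuln)
            if score >= threshold and vuln["name"] not in accepted:
                findings.append({"dependency": dep["fileName"],
                                 "cve": vuln["name"],
                                 "severity": vuln.get("severity", "UNKNOWN"),
                                 "score": score})
    return sorted(findings, key=lambda f: -f["score"])


def should_fail_build(report_json: str, threshold: float = 7.0,
                      accepted: Optional[Dict[str, str]] = None) -> bool:
    """True when at least one unaccepted finding reaches the threshold."""
    return bool(findings_above(report_json, threshold, accepted))


if __name__ == "__main__":
    for f in findings_above(SAMPLE_REPORT, 7.0):
        print(f"{f['dependency']}: {f['cve']} ({f['severity']}, CVSS {f['score']})")
    raise SystemExit(1 if should_fail_build(SAMPLE_REPORT) else 0)
```

Run against the constructed report, the gate reports the two findings at or above 7.0 and exits non-zero; accepting both with a justification lets the build pass, which is the intended way to handle a finding that has been reviewed rather than lowering the threshold.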
Correct Solution
Open source projects are written to address different problems. Nevertheless, there are times when an open source project fails to deliver the very premise it was built on. For example, one can expect a distributed lock to provide atomicity across threads and processes. In reality, you can find out that this isn't the case. Such problems can be hard to spot, since the project may have a large community or many stars. I suggest reading some of the project's code before committing to it. I know it takes time to dive into the code, but it's better than getting paged for an unforeseen reason.
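To make the distributed-lock example concrete, here is an added test harness (not code from the original post, and not any real lock library) that checks the premise directly instead of trusting it. Each client is a generator that yields at every backend round trip, so the harness can run two clients step by step and force the worst interleaving; a thread-based test might never hit it. The in-memory `Store` is a constructed stand-in for a shared backend.

```python
"""Interleaving check: does a lock's acquire step really give mutual exclusion?

Added example. Store is a constructed stand-in for a shared backend; each
dict operation counts as one round trip to it.
"""
from typing import Callable, Dict, Generator, List


class Store:
    """Constructed key/value backend; one dict operation is one round trip."""
    def __init__(self) -> None:
        self.data: Dict[str, str] = {}


def naive_acquire(store: Store, key: str, owner: str) -> Generator:
    """Check-then-set as two separate round trips: nothing joins them."""
    exists = key in store.data
    yield                       # another client may run here
    if exists:
        return False
    store.data[key] = owner
    return True


def cas_acquire(store: Store, key: str, owner: str) -> Generator:
    """Set-if-absent as a single round trip, the atomicity a lock should give."""
    won = store.data.setdefault(key, owner) == owner
    yield
    return won


def run_interleaved(clients: Dict[str, Generator]) -> Dict[str, bool]:
    """Round-robin scheduler: advance each client one step per turn and
    collect each client's return value once it finishes."""
    results: Dict[str, bool] = {}
    pending = list(clients.items())
    while pending:
        still_running = []
        for name, gen in pending:
            try:
                next(gen)
                still_running.append((name, gen))
            except StopIteration as done:
                results[name] = done.value
        pending = still_running
    return results


def winners(acquire: Callable[..., Generator]) -> List[str]:
    """Owners that believe they hold the lock after two concurrent acquires."""
    store = Store()
    results = run_interleaved({
        "A": acquire(store, "lock:orders", "A"),
        "B": acquire(store, "lock:orders", "B"),
    })
    return sorted(name for name, held in results.items() if held)


def provides_mutual_exclusion(acquire: Callable[..., Generator]) -> bool:
    """Exactly one client may win a contended acquire."""
    return len(winners(acquire)) == 1


if __name__ == "__main__":
    for label, fn in (("naive check-then-set", naive_acquire),
                      ("set-if-absent", cas_acquire)):
        print(f"{label}: holders={winners(fn)} "
              f"mutual exclusion={provides_mutual_exclusion(fn)}")
```

With the round-robin schedule both clients of the check-then-set variant observe the key as absent before either writes it, so both end up believing they hold the lock; the set-if-absent variant admits only one. The same harness can be pointed at a candidate library's acquire logic once its backend calls are wrapped to yield at each round trip.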
License
Licensing is one of the first things you need to check. If you aren't comfortable with licensing, I recommend reading up on the common licenses. How you handle licensing depends on how you intend to use and distribute the software, and in some cases you might need legal advice as well. On the other hand, with standard licenses like Apache you can expect few headaches. The trouble is checking the licenses of transitive dependencies, since one project depends on another. License checking can also be automated, using tools specific to each language and platform.
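As an added example of the transitive problem (not from the original post, and independent of any particular language's tooling), the walk below checks every package reachable from the application root against a team allowlist of SPDX identifiers and reports the dependency path that pulls each non-allowed package in. The graph, the allowlist and the package names are constructed; the allowlist expresses one team's policy, not a legal judgement about any license.

```python
"""Transitive license check over a dependency graph against a team allowlist.

Added example: graph and allowlist are constructed. Anything not on the
allowlist, including a package with no declared license, is reported with
the path from the root that pulls it in.
"""
from typing import Dict, List, Set, Tuple

# name -> (SPDX license id as declared by the package, direct dependencies)
SAMPLE_GRAPH: Dict[str, Tuple[str, List[str]]] = {
    "my-app":          ("Proprietary",  ["web-framework", "json-utils"]),
    "web-framework":   ("Apache-2.0",   ["http-core", "template-engine"]),
    "http-core":       ("MIT",          []),
    "template-engine": ("BSD-3-Clause", ["regex-helper"]),
    "regex-helper":    ("GPL-3.0-only", ["http-core"]),   # shared dependency
    "json-utils":      ("Apache-2.0",   ["logging-shim"]),
    "logging-shim":    ("UNKNOWN",      []),               # no declared license
}

ALLOWED: Set[str] = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

Violation = Tuple[str, str, List[str]]   # (package, license, path from root)


def license_violations(graph: Dict[str, Tuple[str, List[str]]], root: str,
                       allowed: Set[str]) -> List[Violation]:
    """Depth-first walk from `root`; each package is checked once, on first
    reach, so shared dependencies and cycles are handled."""
    violations: List[Violation] = []
    seen: Set[str] = set()

    def visit(name: str, path: List[str]) -> None:
        if name in seen:
            return
        seen.add(name)
        # A dependency that is declared but missing from the graph is
        # treated as having no known license.
        license_id, deps = graph.get(name, ("UNKNOWN", []))
        if name != root and license_id not in allowed:
            violations.append((name, license_id, path + [name]))
        for dep in deps:
            visit(dep, path + [name])

    visit(root, [])
    return violations


def passes_license_policy(graph: Dict[str, Tuple[str, List[str]]], root: str,
                          allowed: Set[str]) -> bool:
    """True when no reachable dependency falls outside the allowlist."""
    return not license_violations(graph, root, allowed)


if __name__ == "__main__":
    for package, license_id, path in license_violations(SAMPLE_GRAPH, "my-app", ALLOWED):
        print(f"{package} ({license_id}) via {' -> '.join(path)}")
```

Reporting the path matters in practice: the package that needs attention is usually several levels down, and the path tells you which direct dependency to replace or pin, or which upstream maintainer to ask.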
Community Support
An active community is an important aspect of open source software. Before deciding to adopt a solution, you should check whether issues are being addressed, whether bugs are being tracked, and whether the project has contribution guidelines and sufficient documentation. A quick search of the project page and potentially StackOverflow might give you some idea of the community support. Yet sometimes it's hard to find an open source solution with a good community. In that case, the question is whether you are willing to contribute back to the project when you hit a dead end. Contributing to an open source project is always fun, so why not?
Stability
Stability is another aspect to look for. If the open source software changes a lot and you don't think you can keep up with the changes, it probably isn't a good choice for you. Even with stable open source software, you should lean towards stable releases. For example, when a new version of a project comes out, I would recommend waiting a while before upgrading, since every new release can bring problems of its own. It's better to wait for the early issues to be fixed and for the release to reach some maturity.
Today's software development can't be done without the help of open source projects and products. Whenever we want to introduce an open source dependency, we should go through at least some of the topics discussed here. Personally, I recommend checking security first and then whether the project actually delivers a correct solution. Both matter a lot, since you don't want your product to have security holes or unexplained bugs.