Can my friends come too?

Presented at Brighton Ruby Conf 2017

Andrew Nesbitt

July 07, 2017

Transcript

  1. Can my friends come too? Brighton Ruby 2017

  2. Andrew Nesbitt Hello! @teabass

  3. Libraries.io Open Data This talk is powered by https://libraries.io

  4. None
  5. Libraries.io indexes 2.3 million libraries from 33 package managers

  6. Libraries.io indexes 25 million repos from GitHub, GitLab and Bitbucket

  7. 96 million links between repositories and libraries Libraries.io indexes It’s like Google PageRank for Software
  8. 25GB Open Source Metadata Last month we released https://libraries.io/data

  9. Open Source is huge! 2017

  10. Avg 10,000 versions every day Libraries.io statistics Avg 2,000 brand new projects every day
  11. 78% of companies say their customer facing software is built on Open Source According to a 2015 survey https://www.blackducksoftware.com/2015-future-of-open-source
  12. Stop reinventing the wheel Open Source helps us

  13. Share knowledge Open Source helps us

  14. Focus on the New and Unique Open Source helps us

  15. The Shoulders of Giants We’re standing on

  16. Free as in Freedom Open Source is Free to run, copy, distribute, study, change and improve
  17. There is a problem… but

  18. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Excerpt from the MIT License
  20. You are responsible for the open source software that you choose to use. That means
  22. - Maintenance - Security - Licensing - Sustainability Evaluating Open Source
  23. What are the hidden costs in using this software? Evaluating Open Source
  24. Software doesn’t exist in a vacuum

  25. None
  26. Software doesn’t exist in a vacuum

  27. https://twitter.com/ourfounder/status/770075137332932608

  28. - Testing against 3rd party API changes - Security reviews - Checking against new language features - Triaging issues and support requests - Review performance for regressions - Updating dependencies - and more… Software regularly needs
  29. https://twitter.com/davecheney/status/616931340466786304

  30. Free as in Puppy Open Source is

  31. None
  32. Blossom Mabel Felix

  33. Blossom Mabel Felix Poppy*

  34. - Feeding - Walking - Grooming - Worming - Flea treatment - and more… Puppies regularly need
  35. https://twitter.com/teabass/status/882895864586547201

  36. “Refactored”

  37. None
  38. “Legacy code”

  39. “I get lost in the carpet”

  40. Dependencies Let’s talk about

  41. Software that your software needs to build, test or run Dependencies:

  42. - Libraries - Frameworks - Languages - Databases - APIs - Operating systems Dependencies:
  43. gems that our Ruby code requires to run correctly For this talk let’s focus on
  44. 133,797 gems Rubygems.org statistics Collectively downloaded 14,749,546,331 times

  45. 658,499 Gemfiles From Libraries.io Found across open source repos on GitHub, GitLab and Bitbucket
  46. Avg 11 gems per Gemfile From Libraries.io 7,413,699 total across all open source repositories
  47. Transitive dependencies We have to go deeper

  48. Puppy on Rails

  49. Puppy on Rails

  50. Puppy on Rails PuppyRecord

  51. Puppy on Rails PuppyRecord ActionPupper

  52. Puppy on Rails PuppyRecord Pupogiri ActionPupper

  53. Puppy on Rails

  54. Puppy on Rails

  55. Puppy on Rails

  56. Puppy on Rails

  57. Puppy on Rails *head size not an indicator of lines of code
  58. 481,483 Gemfile.lock From Libraries.io Found in open source repos on GitHub, GitLab and Bitbucket
  59. Avg 52 gems per Gemfile.lock From Libraries.io 24,805,249 total across all open source repositories
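Slides 45, 46, 58 and 59 compare what a Gemfile asks for with what its Gemfile.lock actually resolves. As an added example (my own code, not from the talk or from Libraries.io), the Ruby script below parses a constructed Gemfile.lock, counts direct versus resolved gems, and reports which direct dependency drags in the most transitive ones. It relies only on the lockfile's indentation convention (resolved gems at four spaces, their dependencies at six, direct dependencies at two under DEPENDENCIES); the versions in the sample are illustrative.

```ruby
# Constructed sample Gemfile.lock (illustrative versions, not a real resolution)
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      actionpack (5.1.2)
        activesupport (= 5.1.2)
      activesupport (5.1.2)
        i18n (~> 0.7)
      i18n (0.8.6)
      mini_portile2 (2.2.0)
      nokogiri (1.8.0)
        mini_portile2 (~> 2.2.0)

  DEPENDENCIES
    actionpack (~> 5.1)
    nokogiri
LOCK
# Parse specs into {gem => [dependency names]} and DEPENDENCIES into the direct list
def parse_lockfile(text)
  specs, direct, section, current = {}, [], nil, nil
  text.each_line do |raw|
    line = raw.rstrip; next if line.empty?
    (section = line; next) unless line.start_with?(" ")  # section headers are unindented
    indent, name = line[/\A */].size, line.strip[/\A[^\s(!]+/]
    if %w[GEM GIT PATH].include?(section) && indent == 4
      specs[current = name] = []     # a resolved gem
    elsif %w[GEM GIT PATH].include?(section) && indent == 6
      specs[current] << name         # one of that gem's declared dependencies
    elsif section == "DEPENDENCIES" && indent == 2
      direct << name                 # a gem named directly in the Gemfile
    end
  end
  [specs, direct]
end
def transitive_closure(specs, root)  # every gem root pulls in, depth-first
  seen, stack = {}, specs.fetch(root, []).dup
  until stack.empty?
    g = stack.pop
    next if seen[g] || g == root
    seen[g] = true
    stack.concat(specs.fetch(g, []))
  end
  seen.keys.sort
end
def dependency_report(text)  # gems you asked for vs gems you actually got
  specs, direct = parse_lockfile(text)
  per_root = direct.map { |g| [g, transitive_closure(specs, g)] }.to_h
  { direct: direct.size, resolved: specs.size, transitive: specs.size - direct.size,
    heaviest: per_root.max_by { |_, d| d.size }&.first, per_root: per_root }
end
```

Run `dependency_report(File.read("Gemfile.lock"))` against a real project to see the 11-versus-52 gap from the slides for yourself.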
  60. None
  61. - Maintenance - Security - Licensing - Sustainability Evaluating Open Source
  62. Maintenance Evaluating Dependencies Looking after your new pet

  63. 46% gems haven’t been updated in over 3 years Maintenance

  64. Chart: number of gems by time since last release (over 3 years, 3 years, 2 years, 1 year, 6 months, 1 month)
  65. Bus Factor Maintenance Higher is better

  66. How many people can publish a bugfix? Maintenance Who’s going to walk the dog?
  67. Chart: Owners per Gem (number of gems by number of owners, 1 to 32)
  68. 90% of gems have a bus factor of 1 Maintenance Average gem has 1.2 owners
  69. Security Evaluating Dependencies Dogs must be kept on a lead at all times
  70. ruby-advisory-db https://rubysec.com Security 287 advisories across 147 gems

  71. $ gem install bundler-audit There’s a gem for that Automatically check your Gemfile.lock for security issues
  72. $ gem install arbitrary code execution via extconf.rb Security http://incolumitas.com/2016/06/08/typosquatting-package-managers/

  73. Every gem is a potential attack vector Security It’s not a bug, it’s a feature!
  74. None
  75. Licensing Evaluating Dependencies I am not a lawyer

  76. Open Source License compatibility https://timreview.ca/article/416

  77. Unlicensed code Copyright by default Like walking someone else’s dog without permission
  78. 28% have no license declared Rubygems.org statistic 37,547 gems

  79. $ gem install license_finder There’s a gem for that Automatically check your dependencies for license issues
  80. Sustainability Evaluating Dependencies How are you going to pay for the dog food?
  81. https://twitter.com/mperham/status/880835731874168832

  82. - Volunteer time - Consulting - Sponsorship - Dual licensing - Advertising - Training - Bounties - SaaS - Venture Capital How is support funded?
  83. Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure https://www.fordfoundation.org/library/reports-and-studies/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure/ Nadia Eghbal
  84. JavaScript The elephant in the room It’s puppies all the way down
  85. 478,953 modules NPM statistics Downloads over 1 billion times per week
  86. 1,527,361 package.json NPM usage statistics Found in 2,556,333 open source repos on GitHub, GitLab and Bitbucket
  87. Avg 12 modules per package.json NPM usage statistics 18,890,641 total across all open source repositories
  88. 53,720 lockfiles NPM usage statistics package-lock.json, npm-shrinkwrap.json and yarn.lock

  89. Avg 307 modules per lockfile NPM usage statistics JavaScript dependency trees are 6 times bigger than Ruby’s
  90. None
  91. $ npm install Arbitrary code execution NPM Security https://www.infoq.com/news/2016/03/npm-infection

  92. 6 times more chance of attack NPM Security https://www.infoq.com/news/2016/03/npm-infection “It’s not a bug, it’s a feature”
  93. None
  94. Final thoughts Wrapping up A puppy is for life, not just for Christmas
  95. Vet your dependencies Wrapping up Over using a metaphor much?

  96. Review your dependencies Wrapping up Check for updates and issues

    on a regular basis
  97. Prune your dependencies Wrapping up Remove unused dependencies

  98. Support your dependencies Wrapping up Help keep Ruby sustainable

  99. Libraries.io Open Data This talk was powered by https://libraries.io/data

  100. Thanks!