Can my friends come too?

Transcript

1. Can my friends come too? Brighton Ruby 2017

2. Andrew Nesbitt Hello! @teabass

3. Libraries.io Open Data This talk is powered by https://libraries.io

4. None

5. Libraries.io indexes 2.3 million libraries from 33 package managers

6. Libraries.io indexes 25 million repos from GitHub, GitLab and Bitbucket

7. 96 million links between repositories and libraries Libraries.io indexes It’s

   like Google PageRank for Software

8. 25GB Open Source Metadata Last month we released https://libraries.io/data

9. Open Source is huge! 2017

10. Avg 10,000 versions every day Libraries.io statistics Avg 2,000 brand

    new projects every day

11. 78% of companies say their customer facing software is built

    on Open Source According to a 2015 survey https://www.blackducksoftware.com/2015-future-of-open-source

12. Stop reinventing the wheel Open Source helps us

13. Share knowledge Open Source helps us

14. Focus on the New and Unique Open Source helps us

15. The Shoulders of Giants We’re standing on

16. Free as in Freedom Open Source is Free to run,

    copy, distribute, study, change and improve

17. There is a problem… but

18. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY

    KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Excerpt from the MIT License

19. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY

    KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Excerpt from the MIT License

20. You are responsible for the open source software that you

    choose to use. That means

21. You are responsible for the open source software that you

    choose to use. That means

22. - Maintenance - Security - Licensing - Sustainability Evaluating Open

    Source

23. What are the hidden costs in using this software? Evaluating

    Open Source

24. Software doesn’t exist in a vacuum

25. None

26. Software doesn’t exist in a vacuum

27. https://twitter.com/ourfounder/status/770075137332932608

28. - Testing against 3rd party API changes - Security reviews

    - Checking against new language features - Triaging issues and support requests - Review performance for regressions - Updating dependencies - and more… Software regularly needs

29. https://twitter.com/davecheney/status/616931340466786304

30. Free as in Puppy Open Source is

31. None

32. Blossom Mabel Felix

33. Blossom Mabel Felix Poppy*

34. - Feeding - Walking - Grooming - Worming - Flea

    treatment - and more… Puppies regularly need

35. https://twitter.com/teabass/status/882895864586547201

36. “Refactored”

37. None

38. “Legacy code”

39. “I get lost in the carpet”

40. Dependencies Let’s talk about

41. Software that your software needs build, test or run Dependencies:

42. - Libraries - Frameworks - Languages - Databases - APIs

    - Operating systems Dependencies:

43. gems that our Ruby code requires to run correctly For

    this talk lets focus on

44. 133,797 gems Rubygems.org statistics Collectively downloaded 14,749,546,331 times

45. 658,499 Gemfiles From Libraries.io Found across open source repos on

    Github, GitLab and Bitbucket

46. Avg 11 gems per Gemfile From Libraries.io 7,413,699 total across

    all open source repositories

47. Transitive dependencies We have to go deeper

48. Puppy on Rails

49. Puppy on Rails

50. Puppy on Rails PuppyRecord

51. Puppy on Rails PuppyRecord ActionPupper

52. Puppy on Rails PuppyRecord Pupogiri ActionPupper

53. Puppy on Rails

54. Puppy on Rails

55. Puppy on Rails

56. Puppy on Rails

57. Puppy on Rails *head size not an indicator of lines

    of code

58. 481,483 Gemfile.lock From Libraries.io Found in open source repos on

    Github, GitLab and Bitbucket

59. Avg 52 gems per Gemfile.lock From Libraries.io 24,805,249 total across

    all open source repositories
60. None

61. - Maintenance - Security - Licensing - Sustainability Evaluating Open

    Source

62. Maintenance Evaluating Dependencies Looking after your new pet

63. 46% gems haven’t been updated in over 3 years Maintenance

64. Time since last release over 3 years 3 years 2

    years 1 year 6 months 1 month Gems 0 17500 35000 52500 70000

65. Bus Factor Maintenance Higher is better

66. How many people can publish a bugfix? Maintenance Who’s going

    to walk the dog?

67. Gems 0 30000 60000 90000 120000 Owners 1 2 3

    4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 24 28 30 31 32 Owners per Gem

68. 90% gems have a bus factor 1 Maintenance Average gem

    has 1.2 owners

69. Security Evaluating Dependencies Dogs must be kept on a lead

    at all times

70. ruby-advisory-db https://rubysec.com Security 287 advisories across 147 gems

71. $ gem install bundler-audit There’s a gem for that Automatically

    check your Gemfile.lock for security issues

72. $ gem install arbitrary code execution via extconf.rb Security http://incolumitas.com/2016/06/08/typosquatting-package-managers/

73. Every gem is a potential attack vector Security It’s not

    a bug, it’s a feature!
74. None

75. Licensing Evaluating Dependencies I am not a lawyer

76. Open Source License compatibility https://timreview.ca/article/416

77. Unlicensed code Copyright by default Like walking someone else’s dog

    without permission

78. 28% have no license declared Rubygems.org statistic 37,547 gems

79. $ gem install license_finder There’s a gem for that Automatically

    check your dependencies for license issues

80. Sustainability Evaluating Dependencies How are you going to pay for

    the dog food?

81. https://twitter.com/mperham/status/880835731874168832

82. - Volunteer time - Consulting - Sponsorship - Dual licensing

    - Advertising - Training - Bounties - SaaS - Venture Capital How is support funded?

83. Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure

    https://www.fordfoundation.org/library/reports-and-studies/roads-and-bridges-the-unseen-labor-behind- our-digital-infrastructure/ Nadia Eghbal

84. Javascript The elephant in the room It’s puppies all the

    way down

85. 478,953 modules NPM statistics Downloads over 1 billion times per

    week

86. 1,527,361 package.json NPM usage statistics Found in 2,556,333 open source

    repos on Github, GitLab and Bitbucket

87. Avg 12 modules per package.json NPM usage statistics 18,890,641 total

    across all open source repositories

88. 53,720 lockfiles NPM usage statistics package-lock.json, npm-shrinkwrap.json and yarn.lock

89. Avg 307 modules per lockfile NPM usage statistics Javascript dependency

    trees are 6 times bigger than ruby
90. None

91. $ npm install Arbitrary code execution NPM Security https://www.infoq.com/news/2016/03/npm-infection

92. 6 times more chance of attack NPM Security https://www.infoq.com/news/2016/03/npm-infection “It’s

    not a bug, it’s a feature”
93. None

94. Final thoughts Wrapping up A puppy is for life, not

    just for christmas

95. Vet your dependencies Wrapping up Over using a metaphor much?

96. Review your dependencies Wrapping up Check for updates and issues

    on a regular basis

97. Prune your dependencies Wrapping up Remove unused dependencies

98. Support your dependencies Wrapping up Help keep Ruby sustainable

99. Libraries.io Open Data This talk was powered by https://libraries.io/data

100. Small Title Text Subtitle text Thanks!