Can my friends come too?

Can my friends come too?
Brighton Ruby 2017

View Slide

Andrew Nesbitt
Hello!
@teabass

View Slide

Libraries.io Open Data
This talk is powered by
https://libraries.io

View Slide

View Slide

Libraries.io indexes
2.3 million libraries from
33 package managers

View Slide

25 million repos from
GitHub, GitLab and Bitbucket

View Slide

96 million links between
repositories and libraries
It’s like Google PageRank for Software

View Slide

25GB Open Source Metadata
Last month we released
https://libraries.io/data

View Slide

Open Source is huge!
2017

View Slide

Avg 10,000 versions every day
Libraries.io statistics
Avg 2,000 brand new projects every day

View Slide

78% of companies say their
customer facing software is
built on Open Source
According to a 2015 survey
https://www.blackducksoftware.com/2015-future-of-open-source

View Slide

Stop reinventing the wheel
Open Source helps us

View Slide

Share knowledge

View Slide

Focus on the New and Unique

View Slide

The Shoulders of Giants
We’re standing on

View Slide

Free as in Freedom
Open Source is
Free to run, copy, distribute, study, change and improve

View Slide

There is a problem…
but

View Slide

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NON INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Excerpt from the MIT License

View Slide

You are responsible for the
open source software that you
choose to use.
That means

View Slide

- Maintenance
- Security
- Licensing
- Sustainability
Evaluating Open Source

View Slide

What are the hidden costs
in using this software?

View Slide

Software doesn’t
exist in a vacuum

View Slide

View Slide

Software doesn’t
exist in a vacuum

View Slide

https://twitter.com/ourfounder/status/770075137332932608

View Slide

- Testing against 3rd party API changes
- Security reviews
- Checking against new language features
- Triaging issues and support requests
- Review performance for regressions
- Updating dependencies
- and more…
Software regularly needs

View Slide

https://twitter.com/davecheney/status/616931340466786304

View Slide

Free as in Puppy
Open Source is

View Slide

View Slide

Blossom Mabel Felix

View Slide

Blossom Mabel Felix
Poppy*

View Slide

- Feeding
- Walking
- Grooming
- Worming
- Flea treatment
- and more…
Puppies regularly need

View Slide

https://twitter.com/teabass/status/882895864586547201

View Slide

“Refactored”

View Slide

View Slide

“Legacy code”

View Slide

“I get lost in the carpet”

View Slide

Dependencies
Let’s talk about

View Slide

Software that your software
needs build, test or run
Dependencies:

View Slide

- Libraries
- Frameworks
- Languages
- Databases
- APIs
- Operating systems
Dependencies:

View Slide

gems that our Ruby code
requires to run correctly
For this talk lets focus on

View Slide

133,797 gems
Rubygems.org statistics
Collectively downloaded 14,749,546,331 times

View Slide

658,499 Gemﬁles
From Libraries.io
Found across open source repos on Github, GitLab and Bitbucket

View Slide

Avg 11 gems per Gemﬁle
From Libraries.io
7,413,699 total across all open source repositories

View Slide

Transitive dependencies
We have to go deeper

View Slide

Puppy on Rails

View Slide

Puppy on Rails
PuppyRecord

View Slide

Puppy on Rails
PuppyRecord ActionPupper

View Slide

Puppy on Rails
PuppyRecord Pupogiri
ActionPupper

View Slide

Puppy on Rails

View Slide

Puppy on Rails
*head size not an indicator of lines of code

View Slide

481,483 Gemﬁle.lock
From Libraries.io
Found in open source repos on Github, GitLab and Bitbucket

View Slide

Avg 52 gems per Gemﬁle.lock
From Libraries.io

View Slide

View Slide

- Maintenance
- Security
- Licensing
- Sustainability

View Slide

Maintenance
Evaluating Dependencies
Looking after your new pet

View Slide

46% gems haven’t been
updated in over 3 years
Maintenance

View Slide

Time since last release
over 3 years
3 years
2 years
1 year
6 months
1 month
Gems
0 17500 35000 52500 70000

View Slide

Bus Factor
Maintenance
Higher is better

View Slide

How many people can publish a bugﬁx?
Maintenance
Who’s going to walk the dog?

View Slide

Gems
0
30000
60000
90000
120000
Owners
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 24 28 30 31 32
Owners per Gem

View Slide

90% gems have a bus factor 1
Maintenance
Average gem has 1.2 owners

View Slide

Security
Dogs must be kept on a lead at all times

View Slide

ruby-advisory-db
https://rubysec.com
Security
287 advisories across 147 gems

View Slide

$ gem install bundler-audit
There’s a gem for that
Automatically check your Gemﬁle.lock for security issues

View Slide

$ gem install
arbitrary code execution
via extconf.rb
Security
http://incolumitas.com/2016/06/08/typosquatting-package-managers/

View Slide

Every gem is a potential
attack vector
Security
It’s not a bug, it’s a feature!

View Slide

View Slide

Licensing
I am not a lawyer

View Slide

Open Source License compatibility
https://timreview.ca/article/416

View Slide

Unlicensed code
Copyright by default
Like walking someone else’s dog without permission

View Slide

28% have no license declared
Rubygems.org statistic
37,547 gems

View Slide

$ gem install license_ﬁnder
There’s a gem for that
Automatically check your dependencies for license issues

View Slide

Sustainability
How are you going to pay for the dog food?

View Slide

https://twitter.com/mperham/status/880835731874168832

View Slide

- Volunteer time
- Consulting
- Sponsorship
- Dual licensing
- Advertising
- Training
- Bounties
- SaaS
- Venture Capital
How is support funded?

View Slide

Roads and Bridges:
The Unseen Labor Behind Our
Digital Infrastructure
https://www.fordfoundation.org/library/reports-and-studies/roads-and-bridges-the-unseen-labor-behind-
our-digital-infrastructure/
Nadia Eghbal

View Slide

Javascript
The elephant in the room
It’s puppies all the way down

View Slide

478,953 modules
NPM statistics
Downloads over 1 billion times per week

View Slide

1,527,361 package.json
NPM usage statistics
Found in 2,556,333 open source repos on Github, GitLab and Bitbucket

View Slide

Avg 12 modules per package.json

View Slide

53,720 lockﬁles
package-lock.json, npm-shrinkwrap.json and yarn.lock

View Slide

Avg 307 modules per lockﬁle
Javascript dependency trees are 6 times bigger than ruby

View Slide

View Slide

$ npm install
Arbitrary code execution
NPM Security
https://www.infoq.com/news/2016/03/npm-infection

View Slide

6 times more
chance of attack
NPM Security
https://www.infoq.com/news/2016/03/npm-infection
“It’s not a bug, it’s a feature”

View Slide

View Slide

Final thoughts
Wrapping up
A puppy is for life, not just for christmas

View Slide

Vet your dependencies
Wrapping up
Over using a metaphor much?

View Slide

Review your dependencies
Wrapping up
Check for updates and issues on a regular basis

View Slide

Prune your dependencies
Wrapping up
Remove unused dependencies

View Slide

Support your dependencies
Wrapping up
Help keep Ruby sustainable

View Slide

Libraries.io Open Data
This talk was powered by
https://libraries.io/data

View Slide

Small Title Text
Subtitle text
Thanks!

View Slide

Can my friends come too?

Can my friends come too?

Andrew Nesbitt

More Decks by Andrew Nesbitt

Other Decks in Programming

Featured

Transcript