Slide 1

Slide 1 text

Can my friends come too? Brighton Ruby 2017

Slide 2

Slide 2 text

Hello! Andrew Nesbitt @teabass

Slide 3

Slide 3 text

Libraries.io Open Data This talk is powered by https://libraries.io

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

Libraries.io indexes 2.3 million libraries from 33 package managers

Slide 6

Slide 6 text

Libraries.io indexes 25 million repos from GitHub, GitLab and Bitbucket

Slide 7

Slide 7 text

Libraries.io indexes 96 million links between repositories and libraries. It’s like Google PageRank for software.

Slide 8

Slide 8 text

Last month we released 25GB of Open Source metadata: https://libraries.io/data

Slide 9

Slide 9 text

Open Source is huge! 2017

Slide 10

Slide 10 text

Libraries.io statistics: avg 10,000 versions every day; avg 2,000 brand new projects every day

Slide 11

Slide 11 text

According to a 2015 survey, 78% of companies say their customer-facing software is built on Open Source. https://www.blackducksoftware.com/2015-future-of-open-source

Slide 12

Slide 12 text

Open Source helps us stop reinventing the wheel

Slide 13

Slide 13 text

Open Source helps us share knowledge

Slide 14

Slide 14 text

Open Source helps us focus on the new and unique

Slide 15

Slide 15 text

We’re standing on the shoulders of giants

Slide 16

Slide 16 text

Free as in Freedom: Open Source is free to run, copy, distribute, study, change and improve

Slide 17

Slide 17 text

But… there is a problem

Slide 18

Slide 18 text

Excerpt from the MIT License: THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Slide 20

Slide 20 text

That means you are responsible for the open source software that you choose to use.

Slide 22

Slide 22 text

Evaluating Open Source

- Maintenance
- Security
- Licensing
- Sustainability

Slide 23

Slide 23 text

Evaluating Open Source: what are the hidden costs in using this software?

Slide 24

Slide 24 text

Software doesn’t exist in a vacuum

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

Software doesn’t exist in a vacuum

Slide 27

Slide 27 text

https://twitter.com/ourfounder/status/770075137332932608

Slide 28

Slide 28 text

Software regularly needs

- Testing against 3rd party API changes
- Security reviews
- Checking against new language features
- Triaging issues and support requests
- Reviewing performance for regressions
- Updating dependencies
- and more…

Slide 29

Slide 29 text

https://twitter.com/davecheney/status/616931340466786304

Slide 30

Slide 30 text

Open Source is free as in puppy

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

Blossom Mabel Felix

Slide 33

Slide 33 text

Blossom Mabel Felix Poppy*

Slide 34

Slide 34 text

Puppies regularly need

- Feeding
- Walking
- Grooming
- Worming
- Flea treatment
- and more…

Slide 35

Slide 35 text

https://twitter.com/teabass/status/882895864586547201

Slide 36

Slide 36 text

“Refactored”

Slide 37

Slide 37 text

No content

Slide 38

Slide 38 text

“Legacy code”

Slide 39

Slide 39 text

“I get lost in the carpet”

Slide 40

Slide 40 text

Let’s talk about dependencies

Slide 41

Slide 41 text

Dependencies: software that your software needs to build, test or run

Slide 42

Slide 42 text

Dependencies:

- Libraries
- Frameworks
- Languages
- Databases
- APIs
- Operating systems

Slide 43

Slide 43 text

For this talk let’s focus on gems that our Ruby code requires to run correctly

Slide 44

Slide 44 text

Rubygems.org statistics: 133,797 gems, collectively downloaded 14,749,546,331 times

Slide 45

Slide 45 text

From Libraries.io: 658,499 Gemfiles found across open source repos on GitHub, GitLab and Bitbucket

Slide 46

Slide 46 text

From Libraries.io: avg 11 gems per Gemfile; 7,413,699 total across all open source repositories

Slide 47

Slide 47 text

We have to go deeper: transitive dependencies

Slide 48

Slide 48 text

Puppy on Rails

Slide 50

Slide 50 text

Puppy on Rails PuppyRecord

Slide 51

Slide 51 text

Puppy on Rails PuppyRecord ActionPupper

Slide 52

Slide 52 text

Puppy on Rails PuppyRecord Pupogiri ActionPupper

Slide 57

Slide 57 text

Puppy on Rails *head size not an indicator of lines of code

Slide 58

Slide 58 text

From Libraries.io: 481,483 Gemfile.lock files found in open source repos on GitHub, GitLab and Bitbucket

Slide 59

Slide 59 text

From Libraries.io: avg 52 gems per Gemfile.lock; 24,805,249 total across all open source repositories

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

Evaluating Open Source

- Maintenance
- Security
- Licensing
- Sustainability

Slide 62

Slide 62 text

Evaluating Dependencies: Maintenance. Looking after your new pet

Slide 63

Slide 63 text

Maintenance: 46% of gems haven’t been updated in over 3 years

Slide 64

Slide 64 text

[Chart: number of gems by time since last release, bucketed as 1 month, 6 months, 1 year, 2 years, 3 years and over 3 years]

Slide 65

Slide 65 text

Maintenance: Bus Factor (higher is better)

Slide 66

Slide 66 text

Maintenance: How many people can publish a bugfix? Who’s going to walk the dog?

Slide 67

Slide 67 text

[Chart: Owners per Gem, number of gems by owner count from 1 up to 32]

Slide 68

Slide 68 text

Maintenance: 90% of gems have a bus factor of 1. The average gem has 1.2 owners

Slide 69

Slide 69 text

Evaluating Dependencies: Security. Dogs must be kept on a lead at all times

Slide 70

Slide 70 text

Security: ruby-advisory-db (https://rubysec.com) has 287 advisories across 147 gems

Slide 71

Slide 71 text

There’s a gem for that: $ gem install bundler-audit. Automatically check your Gemfile.lock for security issues
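
As an added example (not code from the talk, and not bundler-audit’s own implementation), here is a small Ruby script that does what the slide describes: parse a Gemfile.lock and flag every pinned gem whose version satisfies none of an advisory’s patched ranges, following the ruby-advisory-db idea of listing the versions that carry the fix. The lockfile excerpt and the advisory entries with EXAMPLE- ids are constructed for illustration.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement

# Constructed Gemfile.lock excerpt (not a real project's lockfile). Pinned specs
# sit four spaces deep under "specs:"; their own dependencies sit six deep.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.1.1)
        rack (~> 2.0)
      nokogiri (1.7.1-x86_64-linux)
      rack (2.0.3)

  PLATFORMS
    ruby
LOCK
# Constructed advisories with placeholder ids. As in ruby-advisory-db, each
# lists the version requirements that carry the fix.
SAMPLE_ADVISORIES = [
  { gem: "nokogiri",   id: "EXAMPLE-0001", patched: [">= 1.8.0"] },
  { gem: "rack",       id: "EXAMPLE-0002", patched: ["~> 1.6.8", ">= 2.0.4"] },
  { gem: "actionpack", id: "EXAMPLE-0003", patched: [">= 5.1.0"] },
  { gem: "sinatra",    id: "EXAMPLE-0004", patched: [">= 2.0.0"] },
]
# Returns { "name" => Gem::Version } for every gem pinned in the GEM specs block.
def parse_lockfile(text)
  pinned = {}
  in_gem = false
  text.each_line do |raw|
    line = raw.chomp
    in_gem = (line == "GEM") if line =~ /\A\S/ # a top-level section header
    next unless in_gem && line =~ /\A {4}(\S+) \(([^)]+)\)\z/
    # Drop a platform suffix like "-x86_64-linux"; prereleases use dots, not "-".
    pinned[$1] = Gem::Version.new($2.split("-").first)
  end
  pinned
end

# A pinned version is vulnerable when it satisfies none of the patched ranges.
def vulnerable?(version, patched)
  patched.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end
# Returns [[gem, version, advisory_id], ...] for advisories that hit a gem the
# lockfile pins at an unpatched version; gems absent from the lockfile are skipped.
def audit(lock_text, advisories)
  pinned = parse_lockfile(lock_text)
  advisories.each_with_object([]) do |adv, found|
    version = pinned[adv[:gem]]
    next unless version && vulnerable?(version, adv[:patched])
    found << [adv[:gem], version.to_s, adv[:id]]
  end
end
```

Running audit(SAMPLE_LOCK, SAMPLE_ADVISORIES) flags nokogiri and rack, leaves actionpack alone because 5.1.1 sits inside its patched range, and ignores sinatra because the lockfile does not pin it.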

Slide 72

Slide 72 text

Security: $ gem install means arbitrary code execution via extconf.rb. http://incolumitas.com/2016/06/08/typosquatting-package-managers/

Slide 73

Slide 73 text

Security: Every gem is a potential attack vector. It’s not a bug, it’s a feature!

Slide 74

Slide 74 text

No content

Slide 75

Slide 75 text

Evaluating Dependencies: Licensing. I am not a lawyer

Slide 76

Slide 76 text

Open Source License compatibility https://timreview.ca/article/416

Slide 77

Slide 77 text

Unlicensed code is copyright by default. Like walking someone else’s dog without permission

Slide 78

Slide 78 text

Rubygems.org statistic: 28% of gems (37,547) have no license declared

Slide 79

Slide 79 text

There’s a gem for that: $ gem install license_finder. Automatically check your dependencies for license issues

Slide 80

Slide 80 text

Evaluating Dependencies: Sustainability. How are you going to pay for the dog food?

Slide 81

Slide 81 text

https://twitter.com/mperham/status/880835731874168832

Slide 82

Slide 82 text

How is support funded?

- Volunteer time
- Consulting
- Sponsorship
- Dual licensing
- Advertising
- Training
- Bounties
- SaaS
- Venture Capital

Slide 83

Slide 83 text

Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure, Nadia Eghbal. https://www.fordfoundation.org/library/reports-and-studies/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure/

Slide 84

Slide 84 text

The elephant in the room: JavaScript. It’s puppies all the way down

Slide 85

Slide 85 text

NPM statistics: 478,953 modules, downloaded over 1 billion times per week

Slide 86

Slide 86 text

NPM usage statistics: 1,527,361 package.json files found in 2,556,333 open source repos on GitHub, GitLab and Bitbucket

Slide 87

Slide 87 text

NPM usage statistics: avg 12 modules per package.json; 18,890,641 total across all open source repositories

Slide 88

Slide 88 text

NPM usage statistics: 53,720 lockfiles (package-lock.json, npm-shrinkwrap.json and yarn.lock)

Slide 89

Slide 89 text

NPM usage statistics: avg 307 modules per lockfile. JavaScript dependency trees are 6 times bigger than Ruby’s

Slide 90

Slide 90 text

No content

Slide 91

Slide 91 text

NPM Security: $ npm install means arbitrary code execution. https://www.infoq.com/news/2016/03/npm-infection

Slide 92

Slide 92 text

NPM Security: 6 times more chance of attack. “It’s not a bug, it’s a feature” https://www.infoq.com/news/2016/03/npm-infection

Slide 93

Slide 93 text

No content

Slide 94

Slide 94 text

Wrapping up: Final thoughts. A puppy is for life, not just for Christmas

Slide 95

Slide 95 text

Wrapping up: Vet your dependencies. Overusing a metaphor much?

Slide 96

Slide 96 text

Wrapping up: Review your dependencies. Check for updates and issues on a regular basis

Slide 97

Slide 97 text

Wrapping up: Prune your dependencies. Remove unused dependencies

Slide 98

Slide 98 text

Wrapping up: Support your dependencies. Help keep Ruby sustainable

Slide 99

Slide 99 text

Libraries.io Open Data This talk was powered by https://libraries.io/data

Slide 100

Slide 100 text

Thanks!