Using 3rd party libraries always have risks. If you buy them from a company you might have the fuzzy feeling that you will be supported no matter what. However, at the end if the supplier company goes out of business, decides to discontinue the project, or just does not have the bandwidth to provide prompt service you are out of luck.
If this is a security issue and you don't get prompt fix for it, you are at a risk. If the problem is "just" a serious flaw in the software, you don't have any control over how fast you will get a fix.
You might have legal options, but do you as a CTO, a tech lead, or a developer want to wait till the legal options bear fruit? Probably not.
Using Open Source will not give you that fuzzy feeling, but it will give you controls. You can fix any problem yourself or you can hire someone to do it for you. Open Source has its own risks that I'll discuss in another post, but here are a few.
Legal
- Does the package have an open source license compatible with the way you will want to use it?
- Does the package contain code that comes from other source that might not be open source or might have different licenses?
Technical
- Do you really have access to the latest source code?
- Is it written in a language that you are familiar with?
- Does it have a good test coverage? Do you have access to it? Do you know how to run it?
- How many people maintain the project? How many people are familiar with the code-base?
- Does the project have an up-to-date public VCS?
- When was the last change recorded?
- How many open issues are there?
- How many open Pull-Request are there?
- How fast are PRs and Issues addressed?
- What is the complexity of the code?
Do open source projects have more risk factors?
Seeing the above list one might think that Open Source have more risk factors, but in reality proprietary packages have similar risk-factors, but they are hidden from you and in most cases you cannot alleviate them.
What do you think?
- What other risk factors do you see?
Top comments (1)
What comes to mind is: can you work out what its dependencies are? Including which version of things it will work with, where that might be about the language it's written in or on other libraries.
A particular catch in the Open Source context is whether those are documented/annotated already, or if it will require experiment and/or code reading to determine.