Should we be concerned about this? I think so. Here's why:
- Coders aren't implementing open-source code properly. In my experience, any open-source code dependencies should be referenced locally. Many coders fail to do this and reference external code libraries in their code. What happens when that external 'point of origin' has a DNS issue, or is hit with a DDOS attack, or is just taken down? Your site can break.
Case in point - check out this article on msn.ca 'How One Programmer Broker the Internet' In a nutshell, one open-source programmer got frustrated with a company over trademark name issue. This developer's open-source project had the same name as a messaging app from a company in Canada. He ended up retaliating by removing his project from the web. It turned out his project had been leveraged by millions of coders the world over for their websites, and once his code was removed, their websites displayed this error:
npm ERR! 404 'left-pad' is not in the npm registry
I believe if developers had downloaded the NPM javascript libraries and referenced them locally on their servers, they wouldn't have run into this issue (as they'd have a local copy of the open-source code).
Another case in point - I worked on a project a number of years ago that had dependencies on jakarta.org - an open source site at the time that was hosting a bunch of libraries and schemas for large open-source projects like Struts and Spring. Some of the code in those projects had linked references to schemas (rules) that pointed to http://jakarta.org. Unfortunately we didn't think of changing those links and one day jakarta.org went down.... and with it went our web site, because it couldn't reference those simple schemas off of jakarta.org. After everything recovered we quickly downloaded those schemas (and any other external references we found) and referenced them locally. - Security Do you know what is in that open-source system you're using? Over 60 million web sites have been developed on an open-source content management system called WordPress. Because it is open source, everyone can see the code - all the code - that it is built with. This could potentially allow hackers to see weaknesses in the system. However, WordPress has pretty strict code review and auditing in place to ensure that this kind of thing doesn't happen. They also patch any issues that are found quickly, and release those patches to everyone. The question then becomes: Does your website administrator patch your CMS?
Another issue I ran into related to security was with a different Content Management System. I discovered an undocumented 'back-door' buried in the configuration that gave anyone who knew about it administrative access to the system (allowing them to log into the CMS as an Administrator and giving them the power to delete the entire site if they new what they were doing. Some time later, I found out that some developers who had used this CMS weren't aware of that back door and left it open. I informed them about it, and they quickly (and nervously) slammed it shut. Get familiar with the code you are implementing! - Code Bloat (importing a bunch of libraries for one simple bit of functionality) Sometimes developers will download a large open-source library to take advantage of a sub-set of functionality to help save time. Unfortunately, this can lead to code bloat - your application is running slow because its loading up a monster library to take advantage of a small piece of functionality.
- Support (or the lack of it) Developers need to be discerning when they decide to use an open-source library. There are vast numbers of open-source projects out there, but one needs to be wise about which one to use. Some simple guidelines to choosing an open-source project are:
- How many downloads (implementations) does it have? The more, the better, because that means its popular and likely reviewed more.
- Is there good support for it? In other words, if you run into issues or errors trying to use it, will it be easy to find a solution for your issue in forums or from the creators?
- Is it well documented? If the documentation is thorough, or if there have been published books written about the project, you're likely in good hands.
- Is it easy to implement? You don't want to waste your time trying to get your new open-source implementation up and working. The facilities and resources are out there for project owners to provide either the documentation or VM snapshots (or what have you) to make setting up your own implementation quick and easy.
- How long has it been around? Developers should wait to implement open-source projects with a short history. Bleeding-edge isn't always the cutting edge. Wait for projects to gain a critical mass in the industry before implementing them if you can help it.