Founda'onsofSo,wareEngineering

Lecture24:OpenSourceClaireLeGoues

1

Learninggoals•  Understandtheterminology“freeso?ware”andexplainopensourcecultureandprinciples.

•  Expressaneducatedopiniononthephilosophical/poliFcaldebatebetweenopensourceandproprietaryprinciples.

•  Reasonaboutthetradeoffsoftheopensourcemodelonissueslikequalityandrisk,bothingeneralandinaproprietarycontext.

2

Mo'va'ontounderstandopensource.•  Companiesworkonopensourceprojects.•  Companiesuseopensourceprojects.•  Companiesarebasedaroundopensourceprojects.•  Principlespercolatethroughoutindustry.•  PoliFcal/philosophicaldebate,andbeinginformedishealthy.

3

Quickandeasydefini'ons

•  Proprietaryso?ware–so?warewhichdoesn’tmeettherequirementsoffreeso?wareoropensourceso?ware

•  Freeso?ware–so?warewithastrongemphasisonuserrights

•  Opensourceso?ware–so?warewherethesourcecodeissharedwiththecommunity

•  DoesFreeSo?ware=OpenSource?4

“Freeasinfreespeech.”

5

6

Stallmanvs.Gates

7

FreeSo,warevsOpenSource•  Freeso?wareorigins(70-80s~Stallman)

–  PoliFcalgoal–  So?warepartoffreespeech

•  freeexchange,freemodificaFon•  proprietaryso?wareisunethical•  security,trust

–  GNUproject,Linux,GPLlicense•  Opensource(1998~O'Reilly)

–  RebrandingwithoutpoliFcallegacy–  Emphasisoninternetandlargedev./userinvolvement–  Opennesstowardproprietaryso?ware/coexist–  (Think:NetscapebecomingMozilla)

8

TheCathedralandtheBazaar

9

TheCathedralandtheBazaar

•  Cathedral(closedsource)– Top-downdesignwithfocusonplanning

•  Bazaar(opensource)– Organicbohom-upmovement– Codealwayspublicoverinternet– Linux/Fetchmailstories

10EricRaymond.Essay1997

TheCathedralandtheBazaar–Lessons(selec'on)•  Everygoodworkofso?warestartsbyscratchingadeveloper'spersonalitch

•  TosolveaninteresFngproblem,startbyfindingaproblemthatisinteresFngtoyou

•  Releaseearly,releaseo?en•  Givenalargeenoughbeta-testerandco-developerbase,almosteveryproblemwillbecharacterizedquicklyandthefixobvioustosomeone

•  Thenextbestthingtohavinggoodideasisrecognizinggoodideasfromyourusers.SomeFmesthelaherisbeher.

11EricRaymond.Essay1997

OpenSourceTeams

•  PotenFallyopenforeverybody•  ProcesstovetcontribuFons•  Typicallymanycontributorsbutsmallcoreteams

12

13ApacheStudy–Herbsleb,CMU

SocialCoding•  Github,Bitbucket,etc.•  Addsocialnetworkingfeaturestocoding–  Followusers– Watchrepositories

•  Allowsteamstructuretoemergeasopposedtopreviousplanning

14

Howdoopensourceprogramsmakemoney?

• RedHat–revenuesofabout$2Billionlastyearandisworthapproximately$15Billion.

• Mozilla–hasrevenuesof$300Millionannually

• ApacheSo?wareFoundaFon–recentrevenueof$1Million

15

OpenSourceBusinessModels

•  Opensourceashobby;resumebuilding•  Sellingsupport/experFseinsteadofso?ware– RedHat

•  Sellingcomplementaryservices– Wordpress

•  Developershiredasconsultants,forextensions

16

OtherOpenSourceBusinessModels•  Companiesdedicateresourcestoprojectswhichhelpthemandthecommunity– ApachereceivesdonaFons

•  Sellingmerchandise–Canonical(Ubuntu)•  SellingadverFsingorcustomertraffic–Mozilla

17

Quality?!

“TherearenotechnicalrequirementsforthepluginsasidefromthembeingabletobeinstalledonafreshEclipseplaoorm.Weleaveittothecommunitytofindandreportbugsrelatedtotechnicalfeaturesandconflicts.”-EclipseMarketplace,Dec2014

18

OpenSourceFamousPhrases

Linus’sLaw-Manyeyesmakeallbugsshallow

CollaboraFonoverCompeFFon…isopensourcecodeofhigherquality?– Howwouldwebeabletotell?

19

ACaseStudyofOpenSourceSo,wareDevelopment:TheApacheServerMeasure Apache Proprietary

SystemAProprietarySystemC

ProprietarySystemD

Post-releasedefects/KLOCA

2.64 0.11 0.1 0.7

Post-releasedefects/KDelta

40.8 4.3 14 2.8

Post-featuretestDefects/KLOCA

2.64 * 5.7 6.0

Post-featuretestDefects/KLOCA

40.8 * 164 196

20

CoverityReportofOpenSource

[Coverity,2012,hhp://www.coverity.com/press-releases/annual-coverity-scan-report-finds-open-source-and-proprietary-so?ware-quality-beher-than-industry-average-for-second-consecuFve-year/]

OnlytestedprogramswhichuseCoverityDefectdensity:defectsper1,000linesAveragedefectdensityof0.69foropensourceand0.68forproprietaryso?ware,surpassingtheindustrystandardof1orless

Proprietary OpenSource

500,000-1,000,000(LOC)

0.98 0.44

1,000,000+(LOC) 0.66 0.75

DefectDensityBasedonSize

21

Twoyearslater…

•  In2014,opensourcedefectdensitywentdownto0.61from0.69in2012•  Proprietarydefectdensitywentupto0.76from0.68in2012

•  …verdict?

22

OPENSOURCEINAPROPRIETARYCONTEXT(BENEFITSVS.RISK)

23

hhps://www.tesla.com/blog/all-our-patent-are-belong-you

24

Hilariousirony

25

hhps://mailman.cs.umd.edu/pipermail/findbugs-discuss/2016-November/004321.html

26

27

OpenSSL/Heartbleed.•  In2013,OpenSSLmade

$2,000indonaFons(andsomefromothersources)

•  OnefullFmeprogrammer•  Heartbleed(2014):

Vulnerabilitywasfoundthateffectedabout17.5%ofwebservers(halfamillion)

•  UsedbyYahoo,Twiher,Google

•  Whoisresponsible?

28

CaseStudy:OpenSSL

•  WhenHeartBleedoccurred,Googlereportedthebugandlatersubmihedapatch

•  A?ertheHeartBleedbug,morethan17companiesagreedtoeachcontribute$100,000annuallyfor3yeartotheCoreInfrastructureIniFaFve.

•  CoreInfrastructureIniFaFvedistributesfundstoneedybutimportantprojects

29

BugBoun'es•  Facebook,Google,Yahoo,Microso?,andothercompanieshaverewardsforfindingbugsandreporFngthem

•  Usually$100ormoreforsimplebugsandhigherrewardsformoreseriousbugs

•  BounFescansavethecompanyfrommaliciousexploits,whichcancostthecompanymuchmore.– PonemonInsFtutereportsaveragecostof$3.79millionpercompanydatabreech(2014)

30

Risksofnotopensourcingsomething?

31

Proprietarymethodstogaincommunitybenefits•  Releaseearly,releaseo?en;ConFnuousorsmallupdatesinsteadofbigversionchanges

•  “Manyeyesmakeallbugsshallow”•  Recognizegoodideasfromyourusers.•  CollaboraFonovercompeFFon•  Promoteuserstoreportbugsandmonitornewreleases(easierifusingso?wareasaservice)

•  Allowuserstowritemodsfortheproduct(usuallyinacontrolledway)orpromotefeaturerequests

32

ONEMORERISKINPROPRIETARYCONTEXT:LICENSES

33

Whylearnaboutlicenses?

•  Companieswillavoidcertainlicenses–commonlythecopyle?licenses•  SpecificlicensesmayprovidecompeFFveadvantages•  Youmayeventuallywanttoreleaseopensourceso?wareorbecomemoreinvolvedinanopensourceproject

34

OpenSourceLicensesSo,ware Percentage

MITLicense 24%

GNUGeneralPublicLicense(GPL)2.0 23%

ApacheLicense2.0 16%

GNUGeneralPublicLicense(GPL)3.0 9%

BSDLicense2.0(3-clause,NeworRevised)License

6%

GNULessorGeneralPublicLicense(LGPL)2.1

5%

ArFsFcLicense(Perl) 4%

GNULesserGeneralPublicLicense(LGPL)3.0

2%

Microso?PublicLicense 2%

EclipsePublicLicense 2%

Listfrom:hhps://www.blackduckso?ware.com/resources/data/top-20-open-source-licenses

35

GNUGeneralPublicLicense:TheCopyle,License•  Nobodyshouldberestrictedbytheso?waretheyuse.Therearefourfreedomsthateveryusershouldhave:–  thefreedomtousetheso?wareforanypurpose,–  thefreedomtochangetheso?waretosuityourneeds,–  thefreedomtosharetheso?warewithyourfriendsandneighbors,and

–  thefreedomtosharethechangesyoumake.•  Codemustbemadeavailable•  AnymodificaFonsmustberelicensedunderthesamelicense(copyle?)

36

GPL2.0and3.0–Addressesfreeso,wareproblems•  2.0-CourtrulingcannotnullifythelicenseandifacourtdecisionandthislicensecontradictindistribuFonrequirements,thentheso?warecannotbedistributed

•  3.0–patentgrantandpreventTivoizaFon•  NotcompaFblewitheachother;Can’tcopyle?bothatthesameFme–phrase:“GLPVersion3oranylaterversion”

37

Whywouldprojectschooseonelicenseoveranother?

[Fromhhp://choosealicense.com/licenses/]38

DualLicenseBusinessModel

• ReleasedasGPLwhichrequiresacompanyusingtheopensourceproducttoopensourceit’sapplicaFon

• Orcompaniescanpay$2,000to$10,000annuallytoreceiveacopyofMySQLwithamorebusinessfriendlylicense 39

Risk:Incompa'bleLicenses•  SunopensourcedOpenOffice,butwhenSunwasacquiredbyOracle,Oracletemporarilystoppedtheproject.

•  ManyofthecommunitycontributorsbandedtogetherandcreatedLibreOffice

•  OracleeventuallyreleasedOpenOfficetoApache•  LibreOfficechangedtheprojectlicensesoLibreOfficecancopychangesfromOpenOfficebutOpenOfficecannotdothesameduetolicenseconflicts

40

MITLicense

•  Mustretaincopyrightcredit•  So?wareisprovidedasis•  Authorsarenotliableforso?ware•  NootherrestricFons

41

LGPL

•  So?waremustbealibrary•  SimilartoGPLbutnocopyle?requirement

42

BSDLicense

•  Noliabilityandprovidedasis.•  Copyrightstatementmustbeincludedinsourceandbinary•  Thecopyrightholderdoesnotendorseanyextensionswithoutexplicitwrihenconsent

43

ApacheLicense

•  Apache– SimilartoGPLwithafewdifferences– Notcopyle?– Notrequiredtodistributesourcecode– Doesnotgrantpermissiontouseproject’strademark– DoesnotrequiremodificaFonstousethesamelicense

44

PercepFon:•  Anarchy•  Demagoguery•  Ideology•  Altruism•  Manyeyes

45

OpenSourceReality•  AggressivecollaboraFvetooluse– versioncontrol,CI,issuetracker,reviews,…

•  Carefulmanagementofpeople•  Processrigor•  O?enaimedatexpertusers

•  Intellectualproperty•  O?enindustrysupported•  O?enaddressingcommonassets

46