Foundations of Software Engineering · ckaestne/15313/2016/25-1-dec-open-source.pdf
TRANSCRIPT
Foundations of Software Engineering
Lecture 24: Open Source
Claire Le Goues
Learning goals
• Understand the terminology "free software" and explain open source culture and principles.
• Express an educated opinion on the philosophical/political debate between open source and proprietary principles.
• Reason about the tradeoffs of the open source model on issues like quality and risk, both in general and in a proprietary context.
Motivation to understand open source.
• Companies work on open source projects.
• Companies use open source projects.
• Companies are based around open source projects.
• Principles percolate throughout industry.
• Political/philosophical debate, and being informed is healthy.
Quick and easy definitions
• Proprietary software – software which doesn't meet the requirements of free software or open source software
• Free software – software with a strong emphasis on user rights
• Open source software – software where the source code is shared with the community
• Does Free Software = Open Source?

"Free as in free speech."
Stallman vs. Gates
Free Software vs Open Source
• Free software origins (70-80s ~ Stallman)
 – Political goal
 – Software part of free speech
  • free exchange, free modification
  • proprietary software is unethical
  • security, trust
 – GNU project, Linux, GPL license
• Open source (1998 ~ O'Reilly)
 – Rebranding without political legacy
 – Emphasis on internet and large dev./user involvement
 – Openness toward proprietary software / coexist
 – (Think: Netscape becoming Mozilla)
The Cathedral and the Bazaar
The Cathedral and the Bazaar
• Cathedral (closed source)
 – Top-down design with focus on planning
• Bazaar (open source)
 – Organic bottom-up movement
 – Code always public over internet
 – Linux/Fetchmail stories
Eric Raymond. Essay 1997
The Cathedral and the Bazaar – Lessons (selection)
• Every good work of software starts by scratching a developer's personal itch
• To solve an interesting problem, start by finding a problem that is interesting to you
• Release early, release often
• Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone
• The next best thing to having good ideas is recognizing good ideas from your users. Sometimes the latter is better.
Eric Raymond. Essay 1997
Open Source Teams
• Potentially open for everybody
• Process to vet contributions
• Typically many contributors but small core teams

Apache Study – Herbsleb, CMU
Social Coding
• Github, Bitbucket, etc.
• Add social networking features to coding
 – Follow users
 – Watch repositories
• Allows team structure to emerge as opposed to previous planning
How do open source programs make money?
• Red Hat – revenues of about $2 Billion last year and is worth approximately $15 Billion.
• Mozilla – has revenues of $300 Million annually
• Apache Software Foundation – recent revenue of $1 Million
Open Source Business Models
• Open source as hobby; resume building
• Selling support/expertise instead of software
 – Red Hat
• Selling complementary services
 – Wordpress
• Developers hired as consultants, for extensions
Other Open Source Business Models
• Companies dedicate resources to projects which help them and the community
 – Apache receives donations
• Selling merchandise – Canonical (Ubuntu)
• Selling advertising or customer traffic – Mozilla
Quality?!

"There are no technical requirements for the plugins aside from them being able to be installed on a fresh Eclipse platform. We leave it to the community to find and report bugs related to technical features and conflicts." - Eclipse Marketplace, Dec 2014
Open Source Famous Phrases
Linus's Law - Many eyes make all bugs shallow
Collaboration over Competition
… is open source code of higher quality?
 – How would we be able to tell?
A Case Study of Open Source Software Development: The Apache Server

Measure                            Apache   Proprietary System A   Proprietary System C   Proprietary System D
Post-release defects/KLOCA         2.64     0.11                   0.1                    0.7
Post-release defects/KDelta        40.8     4.3                    14                     2.8
Post-feature test defects/KLOCA    2.64     *                      5.7                    6.0
Post-feature test defects/KDelta   40.8     *                      164                    196
Coverity Report of Open Source
[Coverity, 2012, http://www.coverity.com/press-releases/annual-coverity-scan-report-finds-open-source-and-proprietary-software-quality-better-than-industry-average-for-second-consecutive-year/]
Only tested programs which use Coverity
Defect density: defects per 1,000 lines
Average defect density of 0.69 for open source and 0.68 for proprietary software, surpassing the industry standard of 1 or less

Defect Density Based on Size
                          Proprietary   Open Source
500,000-1,000,000 (LOC)   0.98          0.44
1,000,000+ (LOC)          0.66          0.75
Two years later…
• In 2014, open source defect density went down to 0.61 from 0.69 in 2012
• Proprietary defect density went up to 0.76 from 0.68 in 2012
• … verdict?
OPEN SOURCE IN A PROPRIETARY CONTEXT (BENEFITS VS. RISK)

https://www.tesla.com/blog/all-our-patent-are-belong-you

Hilarious irony

https://mailman.cs.umd.edu/pipermail/findbugs-discuss/2016-November/004321.html
OpenSSL/Heartbleed.
• In 2013, OpenSSL made $2,000 in donations (and some from other sources)
• One full time programmer
• Heartbleed (2014): Vulnerability was found that affected about 17.5% of web servers (half a million)
• Used by Yahoo, Twitter, Google
• Who is responsible?
Case Study: OpenSSL
• When HeartBleed occurred, Google reported the bug and later submitted a patch
• After the HeartBleed bug, more than 17 companies agreed to each contribute $100,000 annually for 3 years to the Core Infrastructure Initiative.
• Core Infrastructure Initiative distributes funds to needy but important projects
Bug Bounties
• Facebook, Google, Yahoo, Microsoft, and other companies have rewards for finding bugs and reporting them
• Usually $100 or more for simple bugs and higher rewards for more serious bugs
• Bounties can save the company from malicious exploits, which can cost the company much more.
 – Ponemon Institute reports average cost of $3.79 million per company data breach (2014)
Risks of not open sourcing something?
Proprietary methods to gain community benefits
• Release early, release often; continuous or small updates instead of big version changes
• "Many eyes make all bugs shallow"
• Recognize good ideas from your users.
• Collaboration over competition
• Promote users to report bugs and monitor new releases (easier if using software as a service)
• Allow users to write mods for the product (usually in a controlled way) or promote feature requests
ONE MORE RISK IN PROPRIETARY CONTEXT: LICENSES

Why learn about licenses?
• Companies will avoid certain licenses – commonly the copyleft licenses
• Specific licenses may provide competitive advantages
• You may eventually want to release open source software or become more involved in an open source project
Open Source Licenses

Software                                               Percentage
MIT License                                            24%
GNU General Public License (GPL) 2.0                   23%
Apache License 2.0                                     16%
GNU General Public License (GPL) 3.0                   9%
BSD License 2.0 (3-clause, New or Revised) License     6%
GNU Lesser General Public License (LGPL) 2.1           5%
Artistic License (Perl)                                4%
GNU Lesser General Public License (LGPL) 3.0           2%
Microsoft Public License                               2%
Eclipse Public License                                 2%

List from: https://www.blackducksoftware.com/resources/data/top-20-open-source-licenses
GNU General Public License: The Copyleft License
• Nobody should be restricted by the software they use. There are four freedoms that every user should have:
 – the freedom to use the software for any purpose,
 – the freedom to change the software to suit your needs,
 – the freedom to share the software with your friends and neighbors, and
 – the freedom to share the changes you make.
• Code must be made available
• Any modifications must be relicensed under the same license (copyleft)
GPL 2.0 and 3.0 – Addresses free software problems
• 2.0 - A court ruling cannot nullify the license, and if a court decision and this license contradict in distribution requirements, then the software cannot be distributed
• 3.0 – patent grant and prevent Tivoization
• Not compatible with each other; can't copyleft both at the same time – phrase: "GPL Version 3 or any later version"
Why would projects choose one license over another?
[From http://choosealicense.com/licenses/]
Dual License Business Model
• Released as GPL which requires a company using the open source product to open source its application
• Or companies can pay $2,000 to $10,000 annually to receive a copy of MySQL with a more business friendly license
Risk: Incompatible Licenses
• Sun open sourced OpenOffice, but when Sun was acquired by Oracle, Oracle temporarily stopped the project.
• Many of the community contributors banded together and created LibreOffice
• Oracle eventually released OpenOffice to Apache
• LibreOffice changed the project license so LibreOffice can copy changes from OpenOffice but OpenOffice cannot do the same due to license conflicts
MIT License
• Must retain copyright credit
• Software is provided as is
• Authors are not liable for software
• No other restrictions
LGPL
• Software must be a library
• Similar to GPL but no copyleft requirement
BSD License
• No liability and provided as is.
• Copyright statement must be included in source and binary
• The copyright holder does not endorse any extensions without explicit written consent
Apache License
• Apache
 – Similar to GPL with a few differences
 – Not copyleft
 – Not required to distribute source code
 – Does not grant permission to use project's trademark
 – Does not require modifications to use the same license
Perception:
• Anarchy
• Demagoguery
• Ideology
• Altruism
• Many eyes
Open Source Reality
• Aggressive collaborative tool use
 – version control, CI, issue tracker, reviews, …
• Careful management of people
• Process rigor
• Often aimed at expert users
• Intellectual property
• Often industry supported
• Often addressing common assets