In this post, App Dev Manager Daniel Setlock reflects on the trust of open source software using the Food Truck Paradigm.
It is somewhat shocking that in 2017 I still receive questions about whether open source software, libraries, plug-ins, packages and the like can be trusted, and still see the pushback such things get from cyber security personnel at organizations. While everyone has their own job to do and their own criteria for success, limiting the availability of a robust, well-organized code base or tool because of a misunderstanding of what Open Source actually means only hinders and never helps.
Food trucks can get a bad rap, but I have had some absolutely delicious dishes out of a white panel van. For some people whose passion is food, it makes economic sense. Rather than the big presence of a brick and mortar store and all the overhead that brings into the business, a freelance sort of operation is appealing.
If a food truck comes to the same location regularly and you see other people partaking of the fare, it’s a reasonable assumption that it is safe to ingest. Should you be the first to try the brand-new food truck? Maybe not, unless you are the adventurous sort, but an established presence can be thought of as a safe bet for your dietary needs.
Food trucks that make people sick don’t stick around. They fade quickly and it only takes a single bad experience. People don’t make much of a habit of posting positive reviews about an experience, but will take any opportunity to vent about a poor experience, and in the age of social media and connectivity, word of mouth has been replaced with hashtags and memes. No food truck tagged with #dysentery is going to last long.
Food Truck vs OSS
The analogy makes a lot of sense to me. If you have a consistent, well-known presence serving reliable wares (whether that is food or code) that has catered to numerous individuals, you have fostered trust inside the community, and that trust is rewarded by people ordering at your window or referencing your library.
If a food truck poisons someone, or a code library goes rogue and allows malicious actions to take place, both cease to be used extremely quickly. Additionally, with an open source code base, library, plug-in, etc. you have the ability to make it your own. If it is saved locally, rather than referenced through a CDN, you know unequivocally that you have the authoritative version that you have used in the past and trust. Think of it like this: you forget your lunch one day and have to venture out to the food trucks. You get your food, eat it, don't get sick, and go on about your day. Saving the code and making it your own is similar. You took a chance, and it worked. I am not saying that every time you use OSS, or a food truck, you are playing with fire; it is simply another way to think about it. As a result, though, you now own that code, and whether that version had vulnerabilities or not, it must be maintained, whether by contributing to the code base or by updating the version as new functionality or increased security is added. Studies have shown that individuals who pursue art for pleasure and passion, rather than profit, produce higher quality results. If you have a community of thousands of software developers contributing to an idea because it's their passion, and a much smaller group of people creating an idea for profit, which idea would you think produces better results?
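One way to make the "authoritative version" claim above checkable rather than a matter of memory, as an added example that is not part of the original post: record a Subresource Integrity digest for each vendored file when it is first reviewed, commit that manifest next to the files, and fail the build if any copy drifts from its pin. The file contents, paths and manifest below are constructed samples, not a real library.

```python
import base64
import hashlib
import hmac

# Constructed sample standing in for a vendored library file; not real jQuery.
VENDORED_FILE = b"/*! example-lib v1.0 (constructed sample) */\nwindow.exampleLib = {};\n"

def sri_digest(data: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity string, e.g. 'sha384-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    raw = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"

def verify_pinned(data: bytes, pinned: str) -> bool:
    """True only if data matches the pinned digest. A malformed pin or an
    unsupported algorithm is treated as a failure, never as a pass."""
    algo, sep, _expected = pinned.partition("-")
    if not sep:
        return False
    try:
        actual = sri_digest(data, algo)
    except ValueError:
        return False
    return hmac.compare_digest(actual, pinned)

# Constructed manifest; in practice it is committed alongside the vendored files
# at review time and checked on every build.
PINNED_MANIFEST = {
    "vendor/example-lib.js": sri_digest(VENDORED_FILE),
}

def check_manifest(files: dict, manifest: dict) -> list:
    """Return paths that are absent from the manifest or whose bytes do not
    match their pin; an empty list means every vendored file is the reviewed one."""
    problems = []
    for path, data in files.items():
        pin = manifest.get(path)
        if pin is None or not verify_pinned(data, pin):
            problems.append(path)
    return problems

if __name__ == "__main__":
    drifted = VENDORED_FILE + b"// extra line not in the reviewed copy\n"
    print(check_manifest({"vendor/example-lib.js": VENDORED_FILE}, PINNED_MANIFEST))  # []
    print(check_manifest({"vendor/example-lib.js": drifted}, PINNED_MANIFEST))  # ['vendor/example-lib.js']
```

The same `sha384-...` string can be placed in a `<script integrity="...">` attribute if a CDN copy is still served, so the browser enforces the pin at load time as well.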
Shunning something as pervasive as jQuery or Bootstrap, which have become industry standards, and deeming it unsafe because it is open source strikes me as silly in the extreme. I have seen organizations decide to pursue .NET 4.6 instead of .NET Core, or one Entity Framework version over another, simply because one is open source and the other is not. While there are many reasons to prefer one framework over another, success criteria that exclude open source, unless it has been found less secure or insufficient in some other way, should be evaluated closely.
Open source software is not inherently insecure, malicious, or riddled with bugs. It could be someone's passion project, a good idea that lacked the funding of a larger implementation, or possibly an individual simply wanting to contribute to the larger community. Likewise, eating at a food truck is not the same as purposefully ingesting improperly cooked food; the truck could be someone's passion, and this is how they pursue it. Ultimately the decision to use OSS for your project, or to eat at a food truck on your lunch break, is up to you, with all the risks and benefits that brings.
Premier Support for Developers provides strategic technology guidance, critical support coverage, and a range of essential services to help teams optimize development lifecycles and improve software quality. Contact your Application Development Manager (ADM) or email us to learn more about what we can do for you.