SQLServerCentral Editorial

The Pervasive Nature of Open Source


This week there was a headline that said "Open Source Software Powers 96% of Modern Applications, New Study Finds" and if you stopped reading there, you might think, hey, it's not in the apps I work on. Or you might think that because you use OSS software, most of the world also does. Microsoft, Oracle, etc. are headed for disaster.

If you read a little further, there's this gem: Open source components are present in 96% of codebases. That's a far cry from OSS powering most modern applications. I think a better headline might be that OSS helps build most modern software. However, this isn't an editorial on bad journalism.

I do think OSS stuff is amazing. Many of us in the Microsoft Data Platform space use sp_whoisactive or the First Responder Kit or Diagnostic Queries or some other OSS in our work. Lots of commercial products are built with OSS libraries or components, or there are free versions. Flyway (from Redgate) has an OSS version. OSS helps us build better software, though commercial packages also help.

One of the interesting things about OSS is that many very popular projects have just a few people maintaining them. If those 1 or 2 people disappear, then the project might stagnate. Or worse, if there are security issues, no one addresses them. One of the main attractions of OSS is that anyone can provide a fix or enhancement, but the reality is that most people don't. Most people just use whatever is out there.

And most people rarely upgrade their OSS. They get something that works and don't want to change. I get that, as I feel the same way often, especially in the real world. I have shoes, gadgets, tires, etc. that work and I don't want to change. In the software world, this creates vulnerabilities and security issues, as the report shows with many people still using Python 2. I both understand and don't understand why this is the case, but I do worry about security.

The other concern is that few people review changes to OSS packages, which has led to previous supply chain attacks with backdoors or vulnerabilities introduced in packages that many other software developers use. Again, OSS is supposed to be better than closed software at preventing this, but the reality is that most (the vast majority) of us are just too busy to look for issues. Even when vulnerabilities are published, far too few developers see the information. Automated scans in CI/CD systems are great, but again, too few people add these to CI/CD pipelines consistently.

Software is hard. In some sense, I'm glad databases don't have external compilers or use anything other than raw code, but plenty of people still write SQL injection vulnerabilities in their functions and stored procedures, and many don't have good visibility into the code that is submitted to their databases, often because the code is assembled at runtime. I wish more people just used stored procedures and included more testing and vulnerability scanning, but that's a dream. For now, I suggest most of you develop patterns your staff can use and stick with them.
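To make the "assembled at runtime" problem concrete, here is an added T-SQL illustration (example code written for this page, not code from the editorial): the same lookup written as an injectable stored procedure and as a parameterized one. The dbo.Customers table, the procedure names and the sample rows are constructed for the example.

```sql
-- Constructed sample table so both procedures can be run as-is.
CREATE TABLE dbo.Customers (CustomerId int, FirstName nvarchar(50), LastName nvarchar(100));
INSERT INTO dbo.Customers VALUES (1, N'Ada', N'Lovelace'), (2, N'Grace', N'Hopper');
GO

-- Vulnerable pattern: the caller's value is pasted into the statement text,
-- so whatever that value contains is parsed and executed as SQL.
CREATE OR ALTER PROCEDURE dbo.FindCustomersUnsafe @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, FirstName, LastName FROM dbo.Customers '
      + N'WHERE LastName = ''' + @LastName + N''';';
    EXEC (@sql);  -- string concatenation: injectable
END;
GO

-- Hardened pattern: the statement text is fixed and the value travels as a
-- typed parameter to sp_executesql, so it is never parsed as SQL. The one
-- part that must stay dynamic (the ORDER BY column) cannot be parameterized,
-- so it is checked against an allow-list and wrapped in QUOTENAME.
CREATE OR ALTER PROCEDURE dbo.FindCustomersSafe
    @LastName   nvarchar(100),
    @SortColumn sysname = N'LastName'
AS
BEGIN
    IF @SortColumn NOT IN (N'CustomerId', N'FirstName', N'LastName')
        THROW 50000, N'Invalid sort column', 1;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, FirstName, LastName FROM dbo.Customers '
      + N'WHERE LastName = @p_LastName '
      + N'ORDER BY ' + QUOTENAME(@SortColumn) + N';';

    EXEC sys.sp_executesql
        @sql,
        N'@p_LastName nvarchar(100)',
        @p_LastName = @LastName;
END;
GO

-- Both return the same row for an ordinary value; only the safe version
-- treats an unusual value as data rather than as statement text.
EXEC dbo.FindCustomersUnsafe @LastName = N'Hopper';
EXEC dbo.FindCustomersSafe   @LastName = N'Hopper', @SortColumn = N'FirstName';
```

One caveat worth knowing: dynamic SQL inside a procedure runs with the caller's permissions rather than under ownership chaining, so the hardened version still needs the caller to hold SELECT on the table (or the procedure to use EXECUTE AS).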

And use version control. At least then we can find all the old, bad code and fix it with some search and replace.
