Open source software and libraries are invaluable resources for programmers, but how do you know which ones are reliable, secure, and suitable for your project? In this article, you will learn some criteria and methods to evaluate open source software and libraries, and how to avoid potential pitfalls and risks.
The first thing you should check is the license of the open source software or library. The license defines the terms and conditions under which you can use, modify, and distribute the software or library. Some licenses are more permissive, such as MIT or Apache, while others are more restrictive, such as GPL or AGPL. You should understand the implications of each license and how it affects your own code and legal obligations. For example, some licenses may require you to disclose your source code, attribute the original authors, or comply with certain standards.
That's really really important. When you start coding it's usually in a college or hobby environment and it really doesn't matter what the licenses are. As soon as you make money with your work this becomes crucial. Many companies have been caught to use libraries in their product without attribution or open sourcing the own code.
The next thing you should look for is the documentation and support of the open source software or library. The documentation should be clear, comprehensive, and up-to-date, covering the features, installation, usage, configuration, and troubleshooting of the software or library. The documentation should also include examples, tutorials, and references to help you learn and apply the software or library. The support should be responsive, helpful, and active, providing you with feedback, bug fixes, and updates. You can check the support channels, such as forums, mailing lists, chat rooms, or issue trackers, and see how the developers and users interact and solve problems.
That's a really high bar for an open source project. Good documentation is one thing but having good support is usually something that you have to pay for. Sure, there are many resources on the internet that might help you out, but that's not business-grade support. Also important: Contribute to a project if you heavily use it. Improve its documentation, create some examples yourself.
Another important aspect to consider is the quality and security of the open source software or library. The quality refers to the functionality, performance, reliability, and maintainability of the software or library. The security refers to the protection against vulnerabilities, attacks, and breaches that may compromise the software or library. You can assess the quality and security by looking at the code, testing, reviews, and audits of the software or library. The code should be readable, consistent, and well-structured, following the best practices and standards of the programming language and domain. The testing should be thorough, covering different scenarios, inputs, outputs, and edge cases, using tools and frameworks to automate and verify the testing process. The reviews and audits should be independent, objective, and rigorous, evaluating the strengths and weaknesses of the software or library, and providing recommendations and improvements.
A final factor to weigh in is the popularity and reputation of the open source software or library. The popularity and reputation indicate the level of interest, adoption, and satisfaction of the software or library among the programming community. You can measure the popularity and reputation by looking at the metrics, ratings, and feedback of the software or library. The metrics include the number of downloads, stars, forks, contributors, and dependencies of the software or library, showing how widely used and supported it is. The ratings include the scores, rankings, and awards of the software or library, showing how well it performs and compares to other alternatives. The feedback includes the comments, reviews, and testimonials of the software or library, showing how users feel and think about it.
Other important aspects are the last time it was updated and whether it has both a frequent and scheduled cycle of updates. And indeed, the number of contributors is very important because it is risky to trust a library that is maintained by only one person.
Tooling that quickly identified and gives insights/observability is important. One such tool is SonarQube. But it’s licensing may require purchase to be beneficial. Even though it is open source And that leads to funding. How is open source software being funded. Volunteer yes. But more often via learning or resume portfolio building. Value of standards is another reason. Or less obvious reasons