Vet your code
Integrators and end users who are borrowing code from these sites for their projects will, of course, need to vet it to ensure that it performs well and is safe to use. Vetting should begin with an evaluation of the license.
“First determine whether it is a commercial-friendly open-source license,” says McClusky. “Make sure that it’s going to be legal to use.”
Then, he suggests determining whether modifying the source code is permitted. “Open source doesn’t necessarily mean that you can change the source,” he explains. “It just means that you can see and use it.”
Besides checking the license, also consider security. For this task, vendors advise beginning by using open-source applications and libraries that are supported and maintained by active user communities. “The more users, the better,” says Chamarelli. His reasoning is that more eyes looking for bugs and proposing fixes not only continuously improves the software, but also helps to keep the community ahead of malicious actors.
Because every community has its own character, Chamarelli also suggests investigating any that you might want to join and getting a reference from someone whom you know in the community. “Also, always find out who posted the code,” he says. “People willing to put their names behind their work are less likely to be doing anything malicious.”
Any good vetting process must also include performance testing. “When you take something from an open-source community, it’s your job to ensure that the code works for you,” notes Chamarelli. “So, always test anything that you deploy or modify.”
Yet another important aspect of vetting open-source software is to consider its cost and benefits over the lifetime of the product in which it will reside. “The ability to operate and maintain open-source software across the product life cycle becomes both more important and more challenging compared to software developed in-house,” says Takahiro Kanbe, manager of the software architecture planning department at Yokogawa Electric.
For this reason, Yokogawa has developed its own internal standards and guidelines for vetting any open-source code it is considering for incorporation into its products. “In the software evaluation phase, we check the software from many angles, such as its record in the field, product quality, comparisons with similar software, ability to provide long-term maintenance, and the structure of the license,” Kanbe explains.
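The vetting steps described above (a commercial-friendly license, permission to modify the source, an active and identifiable community, your own testing, and maintainability across the product life cycle) can be turned into an automated gate that runs before a component is admitted into a build. The Python below is an added illustration, not code from the article, from Yokogawa or from any of the people quoted; the license table, the thresholds in `Policy`, the `Component` records and the evaluation date are all constructed assumptions, and the SPDX handling covers only flat `AND`/`OR` expressions.

```python
"""Added example: the vetting criteria discussed above (license friendliness,
permission to modify, community activity, identified authorship, our own
testing, and maintenance over the product lifetime) encoded as a policy gate.
Every threshold, license entry and component record is a constructed
assumption for illustration, not a policy from the article or any company."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed license table keyed by SPDX identifier: whether the license is
# commercial-friendly and whether it lets us redistribute modified source.
# Deliberately small; a real table would be reviewed by counsel.
LICENSE_POLICY = {
    "MIT":          {"commercial_ok": True,  "modification_ok": True},
    "Apache-2.0":   {"commercial_ok": True,  "modification_ok": True},
    "BSD-3-Clause": {"commercial_ok": True,  "modification_ok": True},
    "GPL-3.0-only": {"commercial_ok": False, "modification_ok": True},
    "CC-BY-ND-4.0": {"commercial_ok": True,  "modification_ok": False},
}


@dataclass
class Component:
    """Facts gathered about a candidate open-source component (constructed)."""
    name: str
    license_expr: str               # SPDX expression such as "MIT OR Apache-2.0"
    contributors: int               # distinct committers in the last year
    last_release: date
    author_identified: bool         # maintainers publish a verifiable identity
    support_until: Optional[date]   # stated maintenance commitment, if any
    tests_passed: bool              # outcome of our own functional/performance tests


@dataclass
class Policy:
    """Assumed acceptance thresholds for this product line."""
    min_contributors: int = 5
    max_release_age_days: int = 365
    product_eol: date = date(2035, 1, 1)
    need_modification: bool = True  # we intend to patch the source


def license_allows(expr: str, attribute: str) -> bool:
    """Evaluate a flat SPDX expression (AND / OR, no parentheses) against one
    attribute of LICENSE_POLICY.  An OR branch passes if every AND term in it
    is allowed; an identifier missing from the table fails closed."""
    for branch in expr.split(" OR "):
        terms = [t.strip() for t in branch.split(" AND ")]
        if all(LICENSE_POLICY.get(t, {}).get(attribute, False) for t in terms):
            return True
    return False


def vet(c: Component, p: Policy, today: date) -> List[str]:
    """Return the reasons the component fails the policy (empty list = pass)."""
    findings = []
    if not license_allows(c.license_expr, "commercial_ok"):
        findings.append("license: not commercial-friendly")
    if p.need_modification and not license_allows(c.license_expr, "modification_ok"):
        findings.append("license: modification not permitted")
    if c.contributors < p.min_contributors:
        findings.append(f"community: only {c.contributors} active contributors")
    if (today - c.last_release).days > p.max_release_age_days:
        findings.append("community: no release within the allowed window")
    if not c.author_identified:
        findings.append("provenance: authors not identified")
    if c.support_until is None or c.support_until < p.product_eol:
        findings.append("lifecycle: maintenance not assured to product end of life")
    if not c.tests_passed:
        findings.append("testing: failed our own test suite")
    return findings


def is_acceptable(c: Component, p: Policy, today: date) -> bool:
    return not vet(c, p, today)


# Constructed sample components and a fixed evaluation date.
TODAY = date(2024, 6, 1)
GOOD = Component("fastparser", "MIT OR Apache-2.0", 12, date(2024, 3, 1),
                 True, date(2036, 1, 1), True)
RISKY = Component("oldlib", "GPL-3.0-only", 2, date(2022, 1, 1),
                  False, None, False)
NO_DERIVATIVES = Component("docs-theme", "CC-BY-ND-4.0", 9, date(2024, 5, 1),
                           True, date(2036, 1, 1), True)

if __name__ == "__main__":
    for comp in (GOOD, RISKY, NO_DERIVATIVES):
        result = vet(comp, Policy(), TODAY)
        print(comp.name, "PASS" if not result else "FAIL")
        for line in result:
            print("  -", line)
```

Two design points matter here: an unknown license identifier fails closed rather than silently passing, and the modification check is only applied when the policy says the team intends to change the source, which mirrors the distinction drawn above between being allowed to use code and being allowed to alter it.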