The risk of using Open Source libraries - do you have the source code?
Gabor Szabo
Posted on May 23, 2023
I think most people who write code and use third-party libraries blindly assume that whatever the package installer fetches is indeed Open Source.
Some might check the license, but even if the package says it is licensed under some Open Source license, you don't know whether you actually received the source code.
Every popular programming language has a registry for third-party libraries (e.g. CPAN, npm, RubyGems, PyPI, PEAR, ...) but as far as I know, none of those systems require authors to put an Open Source license on their distributions.
Neither do they require that the uploaded distributions contain the source code of the project.
- The code in the distributed package might be obfuscated.
- It might be (partially) compiled code. (e.g. a PyPI package might contain only the .pyc files, not the .py sources.)
- The code might be generated, making it effectively impossible to make changes in a reasonable manner.
Actually, I think all three of the items I listed would make the project violate the Open Source Definition, unless there are other, clearly publicized ways to obtain the source code of the project.
How do you verify that all your dependencies are open source?
- Do you check the license on the project?
- Do you look at the source code of the files that are installed?
- Do you hope that the rest of the users around the world checked it?
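As an added example (this is not code from the original post), here is a small audit script for the PyPI case mentioned above. It walks a site-packages directory with importlib.metadata, reads the license fields from each distribution's METADATA and the file list from its RECORD, and flags distributions that declare no license, that ship only .pyc bytecode, or that hide a .pyc module without a matching .py source among otherwise normal source files. The three distributions it inspects (openlib, closedlib, mixedlib) are constructed inside a temporary directory for the demonstration; they are not real packages.

```python
"""Audit installed Python distributions for missing license metadata and
for bytecode shipped without source. Added example, not the post's code."""
import importlib.metadata as md
import tempfile
from pathlib import Path, PurePosixPath


def declared_license(dist):
    """Best-effort license string from METADATA: License-Expression,
    then the License field, then the first 'License ::' classifier."""
    meta = dist.metadata
    expression = (meta.get("License-Expression") or "").strip()
    field = (meta.get("License") or "").strip()
    classifiers = [c for c in (meta.get_all("Classifier") or [])
                   if c.startswith("License ::")]
    return expression or field or (classifiers[0] if classifiers else "")


def source_status(dist):
    """Classify the installed files listed in RECORD.

    'source'             every .pyc has a matching .py next to it
    'bytecode-only'      .pyc files but no .py at all
    'partially-compiled' some .pyc without a matching .py (hidden module)
    'no-python-files'    only data or compiled extensions (.so/.pyd)
    """
    files = [PurePosixPath(str(f)) for f in (dist.files or [])]
    py = {f for f in files if f.suffix == ".py"}
    pyc = [f for f in files if f.suffix == ".pyc"]
    orphans = []
    for f in pyc:
        module = f.name.split(".")[0]          # core.cpython-311.pyc -> core
        parent = f.parent
        if parent.name == "__pycache__":       # pip-compiled cache layout
            parent = parent.parent
        if parent / f"{module}.py" not in py:
            orphans.append(f)
    if py and not orphans:
        return "source"
    if pyc and not py:
        return "bytecode-only"
    if orphans:
        return "partially-compiled"
    return "no-python-files"


def audit(site_packages):
    """Return one row per distribution found under site_packages."""
    rows = []
    for dist in md.distributions(path=[str(site_packages)]):
        lic = declared_license(dist)
        status = source_status(dist)
        rows.append({
            "name": dist.metadata["Name"],
            "version": dist.version,
            "license": lic,
            "status": status,
            "flagged": (not lic) or status != "source",
        })
    return sorted(rows, key=lambda r: r["name"])


def build_fixture(root):
    """Constructed test data (not real packages): three minimal
    .dist-info directories with METADATA and RECORD files."""
    root = Path(root)

    def make_dist(name, version, license_line, files):
        info = root / f"{name}-{version}.dist-info"
        info.mkdir(parents=True)
        meta = f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n"
        if license_line:
            meta += license_line + "\n"
        (info / "METADATA").write_text(meta)
        # RECORD rows are "path,hash,size"; hash and size may be empty.
        (info / "RECORD").write_text("".join(f"{p},,\n" for p in files))

    make_dist("openlib", "1.0", "License: MIT",
              ["openlib/__init__.py", "openlib/core.py",
               "openlib/__pycache__/core.cpython-311.pyc"])
    make_dist("closedlib", "2.3", "",
              ["closedlib/__init__.pyc", "closedlib/engine.pyc"])
    make_dist("mixedlib", "0.9",
              "Classifier: License :: OSI Approved :: MIT License",
              ["mixedlib/__init__.py", "mixedlib/secret.pyc"])
    return root


def run_demo():
    """Build the fixture in a temp dir and audit it; rows keyed by name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return {r["name"]: r for r in audit(tmp)}


if __name__ == "__main__":
    for row in run_demo().values():
        flag = "FLAG" if row["flagged"] else "ok  "
        print(f'{flag} {row["name"]}=={row["version"]} '
              f'status={row["status"]} license={row["license"] or "(none)"}')
```

To run it against a real environment, call audit() with your interpreter's site-packages directory (for example the path printed by `python -c "import site; print(site.getsitepackages())"`). A "License" value in METADATA is only a claim made by the uploader, so a flagged or unflagged row is a starting point for a manual look, not a verdict.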
Let me know: how do you personally, and at your employer, make sure that all the packages you use are really Open Source and come with their source code?