you can't always trust the new framework or database on its description alone. Once you find a piece of open source code that does what you need, you have to vet it in a number of ways, including for reliability, security and legal concerns. You may invest more or less time on the first two, depending on how crucial to the core of your application it will be. For example, the database that stores all of your customers' information may be more important to vet than a little JavaScript calendar widget that lets them enter their birthday.
As a natural reaction to this problem, the open source community has evolved a built-in reputation-based meritocracy. Some of the first questions you ask when evaluating a new open source project are: how active is it? How many people are working on it? Is it one guy in his basement, or is it a worldwide community of contributors? Who else is using this? Are there real-world examples of it being used? Are there people on forums asking and answering questions? Here you are looking for reliability. It's like the old saying, "it's all about who you know," applied to software. "Oh, you're working with GitHub? Ok, you must be cool."
Another big concern is security. The level of activity on the project plays a big part here too. If big companies are using it, there's a darn good chance it is very secure, because companies like Google and Twitter (which both use and contribute to open source) wouldn't survive if they were using technologies with big security holes. Another good source for security-related information is the National Vulnerability Database (NVD), which publishes alerts for known security holes in open-source projects.
Understanding legality and licensing is complicated, so we'll save it for another day. Suffice it to say that you need to pay attention to which license(s) the project is released under.
Consider this example:
Redis is an example of a shining star in the open source world. It's a great technology, it's fast and reliable, and it has a vibrant and still growing community. At OpenLogic, we have been using Redis more and more as time goes on. For little things at first, with bigger plans for the future. Here is what we like about it:
First, it serves our needs. Redis is an incredibly fast in-memory datastore. We use it when we have data that has a lot of "churn", meaning we do a lot of reads and writes of data in quick succession. Where something like MySQL would likely buckle under the pressure of 100s of queries per second, Redis can handle up to 100,000 requests per second.
Reliability is important. In the past, because Redis is an in-memory datastore, we were reluctant to use it to store valuable data that could not be regenerated if it was lost. In-memory means that, when a box goes down, all the data is lost. Redis has been adding more reliability features, including near-real-time flushing of the data to disk, so (depending on the configuration) the most data you'd ever lose could be as little as 1 second's worth. Another new feature is live replication, or automatic backups to other machines. And again, big companies like GitHub are using Redis, so we felt it must be very reliable.
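To make the "depending on the configuration" part concrete, here is an added example (not from the original post or from the Redis project) showing a pure in-memory redis.conf beside one that bounds data loss to about a second and adds a live replica; the host name, port and password are placeholders.

```conf
# Added example, not from the original post. Two redis.conf fragments
# illustrating the durability trade-off described above.

# --- Weak: pure in-memory cache. A crash or reboot loses everything. ---
save ""          # disable RDB snapshots entirely
appendonly no    # no append-only file, nothing is flushed to disk

# --- Hardened: bounded data loss plus a live replica ---
appendonly yes             # log every write to the append-only file (AOF)
appendfsync everysec       # fsync once per second: at most ~1 s of writes lost
                           # on a crash ('always' fsyncs every write: safest,
                           # slowest; 'no' leaves it to the OS: fastest, riskiest)
save 900 1                 # keep periodic RDB snapshots as a second copy
save 60 10000

# On the replica host, point it at the primary (placeholder address).
# 'replicaof' is the Redis 5+ name; older releases use 'slaveof'.
# replicaof primary.example.internal 6379

# On the primary, refuse writes unless at least one replica has acknowledged
# within the last 10 s, so a primary failure cannot silently lose writes
# that were never replicated.
min-replicas-to-write 1
min-replicas-max-lag 10

# Reduce exposure: listen only where needed and require a password.
bind 127.0.0.1
protected-mode yes
requirepass CHANGE_ME_PLACEHOLDER
```

Restart Redis (or use CONFIG SET for the directives that support it) after changing these values, and verify the AOF is being written before trusting the instance with data you cannot regenerate.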
Redis is licensed under the BSD 3-clause license, which (disclaimer: the following does not constitute legal advice) basically lets you do anything you want with the software as long as you retain the copyright notice and don't use the name of the original software for endorsements.
Don't be scared of open source; be inspired by it! Just do your due diligence and make sure the project you select is right for your needs, reliable and secure. And remember… always comply with the license.