Trust and Open Source

There are a few trains of thought people have regarding open source projects and trust:

  1. Don't trust them at all since it's community driven and there could be malicious code.
  2. Trust them blindly since the community would have removed any malicious code.
  3. Spend some time, review and audit the code, then install if it passes.

Most people seem to align with statements #1 and #2. The real answer should be #3: audit first.

To those in the "Don't trust" camp: I believe this is a naive approach to the situation. Since open source code is, well, open source, you can do a complete audit of the project before integrating it into your system. Of course you need to estimate the time it would take to audit it vs. building a similar tool from scratch. In most cases, auditing will be the cheaper option.

You also need to remember that most people in the community are not "bad" people and will contribute good code. Since all the check-ins are public and visible to everyone, there's usually a second person who looks over the code before it is actually merged into the project. In most cases this "second person" is the project owner.

At OraOpenSource, if we receive any pull requests for our projects (i.e. 3rd party code submissions), we look over each of them to ensure there's no malicious code, among other things.

To those in the "Blind Trust" camp: if you're installing an open source project in your system, you should spend some time looking it over. Of course there's also the inherent trust associated with reputable projects. One example that comes to mind (besides our own projects) is jQuery. I doubt most people have the time to review each line of jQuery. You just assume (and it's a fair assumption) that the code will not be malicious, since it's developed by a very active community and backed by large organizations.

Have other thoughts on this topic? Feel free to leave a comment below.

And We're Up

Talk about putting the cart before the horse. We launched our first product (Oracle XE + APEX VM scripts) before launching this site! The good news is that it garnered a lot of interest on Twitter and we already recruited some developers to help with that project!

So what is OraOpenSource (OOS)? It's a site focused on creating open source Oracle products. Products can be web sites, build scripts, training tools, or applications. If it will help Oracle developers, we'll think about building it.

We plan to launch a lot of projects this year, so be sure to sign up for our email list (form on the right side of the page) to keep up to date with everything that's going on.

For more information check out the About page and be sure to follow us on Twitter (@oraopensource).