Why I Gray-listed Github for Open Source

Most of my software development is through my professorship, where I guide my student teams in developing (mostly) open source software. We have clear rules in place for how and which open source can be used in our projects and which can’t, like any competent organization. Mostly, it is about license compliance. We owe this to the users of our open source projects as well as our industry partners.

As a small organization, we rely on rules rather than lengthy approval processes, component repositories, and the like. One rule is to look at the source (location) of the open source project and see whether we have it white-listed, gray-listed, or black-listed. The Apache Software Foundation website is white-listed and Stackoverflow is black-listed. Github is gray-listed, meaning “it depends”.

Continue reading “Why I Gray-listed Github for Open Source”

Please Help Keep our Language Precise: Single-Vendor Open Source is Neo-Proprietary Source, not Closed Source

When the Open Source Initiative defined open source, it focused only on the license, and ignored the process. Smart entrepreneurs quickly discovered that they could provide to the world their product as open source code and benefit from it, while strictly controllling the process to keep competition at bay. This is called single-vendor open source.

Single-vendor open source is not closed source, not even “the new” closed source. The following 2×2 matrix illustrates the distinction between license and process:

Continue reading “Please Help Keep our Language Precise: Single-Vendor Open Source is Neo-Proprietary Source, not Closed Source”

Challenges of Tracking and Documenting Open Source Dependencies in Products: A Case Study (OSS 2020 Paper)

Software vendors need to manage the dependencies of the open source components used in their products. Without this management, license compliance would be impossible, export restrictions could not be maintained, and security vulnerabilities would remain unknown to the vendor. The management of these dependencies has grown in an ad-hoc fashion in most companies. As such, vendors find it hard to learn from each other and improve practices. To address this problem, we performed exploratory single-case study research at one large established software vendor. We gathered and analyzed the key challenges of tracking and documenting open source dependencies in products. We wanted to understand whether these ad-hoc solutions could be based on a single unified conceptual model for managing dependencies. Our study suggests that underlying the various point solutions that we found at this vendor lies a conceptual model that we tentatively call the product (architecture) model. In future cross-vendor work, we will investigate whether this conceptual model can be expanded to become a unifying model for all open source dependency management.

Continue reading “Challenges of Tracking and Documenting Open Source Dependencies in Products: A Case Study (OSS 2020 Paper)”

The Ecosystem of openKONSEQUENZ, a User-Led Open Source Foundation (OSS 2020 Paper)

Companies without expertise in software development can opt to form consortia to develop open source software to meet their needs, as an alternative to the build-or-buy decision. Such user-led foundations are little understood, due to a limited number of published examples. In particular, almost nothing is known about the ecosystems surrounding user-led foundations. Our work seeks to address this gap, through an exploratory qualitative survey of openKONSEQUENZ, from the German energy sector. We find that the technological goals are quite homogeneous, independent of a participant’s role in the ecosystem, but that economic conflicts exist between foundation members and supplier companies due to the consortium’s efforts to transform the software market structure to limit dependency on specific vendors.

Continue reading “The Ecosystem of openKONSEQUENZ, a User-Led Open Source Foundation (OSS 2020 Paper)”

Pattern Discovery and Validation Using Scientific Research Methods (Technical Report)

Abstract: Pattern discovery, the process of discovering previously unrecognized patterns, is usually performed as an ad-hoc process with little resulting certainty in the quality of the proposed patterns. Pattern validation, the process of validating the accuracy of proposed patterns, has rarely gone beyond the simple heuristic of “the rule of three”. This article shows how to use established scientific research methods for the purpose of pattern discovery and validation. The result is an approach to pattern discovery and validation that can provide the same certainty that traditional scientific research methods can provide for the theories they are used to validate. This article describes our approach and explores its usefulness for pattern discovery and evaluation in a series of studies.

Keywords: Patterns, pattern discovery, pattern validation, theory codification, theory building and evaluation, research design

Reference: Riehle, D., Harutyunyan, N., & Barcomb, A. (2020). Pattern Discovery and Validation Using Scientific Research Methods. Friedrich-Alexander-Universität Erlangen-Nürnberg, Dept. of Computer Science, Technical Reports, CS-2020-01, February 2020.

The article is available as a PDF file and on FAU’s OPUS server.

Sorting out the Ethical Licensing Mess

Software developers who give the world, for free, usage rights to the code they write often use open source licenses to make this gift legally explicit. These free usage rights (and then some) are encoded in all valid open source licenses, next to the obligations one has to fulfill to receive the rights grant. Recently, the desire of some developers has surged to tie their gift to causes they care about. Some want to protect Chinese workers from abusive working hours, some want to stop companies from working with US immigrations, and some want to ensure that users vaccinate their children and themselves according to current medical best practice.

Continue reading “Sorting out the Ethical Licensing Mess”

Traditional Theory Building and Validation in (Computer) Science

Many computer science degree programs do a lousy job at teaching science. A high school student, entering university, often has a good idea what science is about, based on their physics and chemistry classes. At least, it involves controlled experiments. At university, this is rarely picked up, and computer science students are given the idea that programming something novel constitutes science. With that idea, they are often bewildered when I teach them rigorous research methods, in particular if those originated in the social sciences (like qualitative interviews or hypothesis-testing surveys).

The process of science
Continue reading “Traditional Theory Building and Validation in (Computer) Science”

Managing the Open Source Dependency (Tomas Gustavsson, IEEE Computer Column)

I’m happy to report that the sixth article in the Open Source Expanded column of IEEE Computer has been published.

TitleManaging the open source dependency
KeywordsComputer Applications, Open Source Software
AuthorsTomas Gustavsson, PrimeKey
PublicationComputer vol. 53, no. 2 (February 2020), pp. 83-87

Abstract: Organizations use open source software in a majority of computer application programs. Here we describe some of the technical challenges and offer recommendations about how to manage open source software dependencies and avoid the most common pitfalls that might be encountered through decision-making, automated scanning, upgrading, and strategic contributions.

As always, the article is freely available (local copy).

Also, check out the full list of articles.