Most of my software development is through my professorship, where I guide my student teams in developing (mostly) open source software. We have clear rules in place for how and which open source can be used in our projects and which can’t, like any competent organization. Mostly, it is about license compliance. We owe this to the users of our open source projects as well as our industry partners.
As a small organization, we rely on rules rather than lengthy approval processes, component repositories, and the like. One rule is to look at the source (location) of the open source project and see whether we have it white-listed, gray-listed, or black-listed. The Apache Software Foundation website is white-listed and Stackoverflow is black-listed. Github is gray-listed, meaning “it depends”.
When the Open Source Initiative defined open source, it focused only on the license, and ignored the process. Smart entrepreneurs quickly discovered that they could provide to the world their product as open source code and benefit from it, while strictly controllling the process to keep competition at bay. This is called single-vendor open source.
Single-vendor open source is not closed source, not even “the new” closed source. The following 2×2 matrix illustrates the distinction between license and process:
Software vendors need to manage the dependencies of the open source components used in their products. Without this management, license compliance would be impossible, export restrictions could not be maintained, and security vulnerabilities would remain unknown to the vendor. The management of these dependencies has grown in an ad-hoc fashion in most companies. As such, vendors find it hard to learn from each other and improve practices. To address this problem, we performed exploratory single-case study research at one large established software vendor. We gathered and analyzed the key challenges of tracking and documenting open source dependencies in products. We wanted to understand whether these ad-hoc solutions could be based on a single unified conceptual model for managing dependencies. Our study suggests that underlying the various point solutions that we found at this vendor lies a conceptual model that we tentatively call the product (architecture) model. In future cross-vendor work, we will investigate whether this conceptual model can be expanded to become a unifying model for all open source dependency management.
Companies without expertise in software development can opt to form consortia to develop open source software to meet their needs, as an alternative to the build-or-buy decision. Such user-led foundations are little understood, due to a limited number of published examples. In particular, almost nothing is known about the ecosystems surrounding user-led foundations. Our work seeks to address this gap, through an exploratory qualitative survey of openKONSEQUENZ, from the German energy sector. We find that the technological goals are quite homogeneous, independent of a participant’s role in the ecosystem, but that economic conflicts exist between foundation members and supplier companies due to the consortium’s efforts to transform the software market structure to limit dependency on specific vendors.
It is the year 2020 and my Twitterverse and other professional time sinks are still full of … comments about Copyleft. So for the first time ever, I decided to venture into that pit. I see four observable behaviors when it comes to complying with copyleft.
Abstract: Pattern discovery, the process of discovering previously unrecognized patterns, is usually performed as an ad-hoc process with little resulting certainty in the quality of the proposed patterns. Pattern validation, the process of validating the accuracy of proposed patterns, has rarely gone beyond the simple heuristic of “the rule of three”. This article shows how to use established scientific research methods for the purpose of pattern discovery and validation. The result is an approach to pattern discovery and validation that can provide the same certainty that traditional scientific research methods can provide for the theories they are used to validate. This article describes our approach and explores its usefulness for pattern discovery and evaluation in a series of studies.
Keywords: Patterns, pattern discovery, pattern validation, theory codification, theory building and evaluation, research design
Reference: Riehle, D., Harutyunyan, N., & Barcomb, A. (2020). Pattern Discovery and Validation Using Scientific Research Methods. Friedrich-Alexander-Universität Erlangen-Nürnberg, Dept. of Computer Science, Technical Reports, CS-2020-01, February 2020.
Many computer science degree programs do a lousy job at teaching science. A high school student, entering university, often has a good idea what science is about, based on their physics and chemistry classes. At least, it involves controlled experiments. At university, this is rarely picked up, and computer science students are given the idea that programming something novel constitutes science. With that idea, they are often bewildered when I teach them rigorous research methods, in particular if those originated in the social sciences (like qualitative interviews or hypothesis-testing surveys).
I’m happy to report that the sixth article in the Open Source Expanded column of IEEE Computer has been published.
Managing the open source dependency
Computer Applications, Open Source Software
Tomas Gustavsson, PrimeKey
Computer vol. 53, no. 2 (February 2020), pp. 83-87
Abstract: Organizations use open source software in a majority of computer application programs. Here we describe some of the technical challenges and offer recommendations about how to manage open source software dependencies and avoid the most common pitfalls that might be encountered through decision-making, automated scanning, upgrading, and strategic contributions.
There are lots of infographics on the web of how a professor spends their time, and they mostly miss the point. At the core, and after ten years of living it, I feel confident to say that it really is three roles that a professor in Germany has to play to be successful. I also have to say that it is pretty hard to be good at all three of them. These roles are: