Tommi's Scribbles

Why You Shouldn't Open Source

  • Published on 2022-03-05

Open source has surged in popularity and has a very vocal crowd campaigning that everything should be open source. Heck, entire businesses have been built around open source. While the perceived benefits of open source get a lot of attention, I dare say the majority of things should not be open sourced. Don't get me wrong, open source is great. To an extent. That doesn't make open source a must.

Below are several points on why open source is not all that great, and why you should actually give some thought to whether you want to open source your thing or not.

Open source benefits others more than it benefits you

If you're not trying to impress a company with your open source work (and let's face it, they'll still have you do some silly coding test even if they bother to look at it), chances are your open source work benefits others more than it benefits you. That's actually the point of open source.

However, charity rarely pays the bills. If you or your company are doing something innovative or want to make money, it hardly makes sense to give away your competitive advantage to everyone, for free.

That simple, functional hobby project you don't really work on anymore? Put it out there. Want to create a framework and hope some companies pick it up and sponsor it? Sure, open source that. Doing something nobody else has done? Keep it private.

Open source does not mean better security

Despite the popular belief that "if the code isn't open source it's not as secure", having the code publicly available doesn't mean the code is more secure. Take the recent log4j vulnerability (Log4Shell, CVE-2021-44228) as an example: the vulnerable JNDI lookup had been sitting in a widely used, publicly readable codebase for years before anyone reported it, so the "many eyes" evidently weren't looking. Anything major that really requires security will have proper audits in place, both external ones and ones for customers to review. You cough up the cash, you see the source code.

In the end, it is the same scenario: it is up to you to review. And be honest: how many times have you reviewed what that popular open source NPM package you use actually does, or what its dependencies do?

As an example, Wickr is an encrypted chat service akin to Signal (except better). But did you know their Docker image uses a package called forever to run the process, and that forever has a couple of dependencies that are no longer maintained, both with high-rated security vulnerabilities in them? Evaluated in context the vulnerabilities are minor, but it is still an interesting detail for something marketed as secure comms.

Oh, you haven't actually reviewed the open source code you use? You're trusting that other people have done that for you? And you trust this charity work more than you trust someone doing the review as a paid job? Closed source can be as secure as, or even more secure than, open source. Thinking anything else is just ignorant.

You put faith in other people's charity work

Speaking of charity work: people have bills to pay and life happens. How many times have you seen a package that is no longer maintained? Or a package that has gone from being a solid, simple tool to an overambitious mess trying to do everything? Yet if you want the fix for that bug in the version you use, you have no choice but to upgrade or DIY. Oh, but you can't upgrade, because you'd get a version conflict: that other package you use has a dependency, which has a dependency on a third one, which uses the same package but is pinned to a different version.

If you're doing anything business critical, that is putting a lot of trust in your fellow man.
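The two complaints above, "have you reviewed what the package and its dependencies do?" and "the same package pinned to different versions somewhere in the tree", both start with the same task: look at what npm actually installed. As an added example that is not part of the original post (and not Wickr's, forever's or npm's own code), here is a small Node.js script that reads the install tree npm records in package-lock.json and reports how many packages are transitive, which package is present at more than one version, which ones run an install script, and which have no integrity hash recorded. The lockfile embedded in it is constructed for the example and its package names are placeholders; the only assumption is the lockfileVersion 2/3 "packages" layout that npm 7 and later write, in which "hasInstallScript" and "integrity" are the real fields npm emits.

```javascript
// Added example, not code from the original post: audit the install tree
// recorded in a package-lock.json (lockfileVersion 2 or 3, "packages" map).
//
// CONSTRUCTED lockfile; the package names are placeholders, not real
// npm packages. "hasInstallScript" and "integrity" are real lockfile fields.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "web-lib": "^1.0.0", "cli-lib": "^2.0.0" } },
    "node_modules/web-lib": {
      version: "1.0.0", integrity: "sha512-AAAA", dependencies: { "util-lib": "^1.0.0" }
    },
    "node_modules/cli-lib": {
      version: "2.0.0", integrity: "sha512-BBBB",
      hasInstallScript: true, // runs a lifecycle script at install time
      dependencies: { "util-lib": "^2.0.0", "left-thing": "^0.1.0" }
    },
    "node_modules/util-lib": { version: "1.0.0", integrity: "sha512-CCCC" },
    // cli-lib needs a different major, so npm nested a second copy under it
    "node_modules/cli-lib/node_modules/util-lib": { version: "2.0.0", integrity: "sha512-DDDD" },
    "node_modules/left-thing": { version: "0.1.0" } // no integrity hash recorded
  }
};

// Mirror Node's resolution order: node_modules/<name> beside the requiring
// package, then in each enclosing package, up to the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root with no match: inconsistent lockfile
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Walk the install tree from the root package and collect what a reviewer
// wants to know before trusting it.
function auditLock(lock) {
  const packages = lock.packages;
  const seen = new Set();       // installed paths already visited
  const versions = new Map();   // package name -> Set of versions present
  const installScripts = [];    // packages that run code at install time
  const noIntegrity = [];       // packages with no recorded content hash
  const unresolved = [];        // dependencies the lockfile cannot satisfy
  let direct = 0;
  const queue = [""];
  while (queue.length) {
    const path = queue.shift();
    const entry = packages[path] || {};
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const target = resolveDep(packages, path, name);
      if (!target) { unresolved.push(`${name} (from ${path || "root"})`); continue; }
      if (seen.has(target)) continue;
      seen.add(target);
      const pkg = packages[target];
      if (!versions.has(name)) versions.set(name, new Set());
      versions.get(name).add(pkg.version);
      if (path === "") direct++;
      if (pkg.hasInstallScript) installScripts.push(`${name}@${pkg.version}`);
      if (!pkg.integrity) noIntegrity.push(`${name}@${pkg.version}`);
      queue.push(target);
    }
  }
  // One package at several versions is the "pinned to a different version"
  // conflict: two copies to review, and a bug fix may only reach one of them.
  const duplicates = {};
  for (const [name, set] of versions) {
    if (set.size > 1) duplicates[name] = [...set].sort();
  }
  return {
    total: seen.size, direct, transitive: seen.size - direct,
    duplicates, installScripts, noIntegrity, unresolved
  };
}

// Render the audit as the short list you would paste into a review ticket.
function formatReport(report) {
  const lines = [`${report.total} packages installed: ${report.direct} direct, ${report.transitive} transitive`];
  for (const [name, vs] of Object.entries(report.duplicates)) lines.push(`duplicate: ${name} at ${vs.join(", ")}`);
  for (const p of report.installScripts) lines.push(`install script: ${p}`);
  for (const p of report.noIntegrity) lines.push(`no integrity hash: ${p}`);
  for (const d of report.unresolved) lines.push(`unresolved: ${d}`);
  return lines;
}

if (typeof require !== "undefined" && require.main === module) {
  // Real usage: JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))
  console.log(formatReport(auditLock(SAMPLE_LOCK)).join("\n"));
}
```

Run it against a real project's lockfile and the first line alone is usually sobering: two direct dependencies turning into a few hundred installed packages is normal. The duplicate list is where the upgrade-conflict story above shows up, the install-script list is the set of packages that already ran code on your machine, and anything without an integrity hash was installed with nothing to verify it against.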

Closing notes

Open source still has its merits. Many of the AWS services we rely on are built on top of open source software. If Linux weren't open source (and Linus Torvalds were a rich man instead), Android wouldn't be a thing. Heck, I probably couldn't have learned to code in the 90s if all code had been closed.

The key takeaway should be that open source is not a cure-all, and the world would not be a better place if all code were open source. If you use open source, adopt a stance where you actually review the code you are using. Don't just blindly pull in libraries; stop to consider whether bringing in the library and all of its dependencies is actually the best option, or just the trendy one.