# Hell is other people's code

- 1. [Dependencies](#dependencies)
- 2. [Licensing](#licensing)
- 3. [Security](#security)
- 4. [Support](#support)
- 5. [Bus Factor](#bus-factor)
- 6. [Bitrot](#bitrot)
- 7. [Risk](#risk)
- 8. [Mitigation](#mitigation)

## Intro

You probably depend on some open source code, but do you realize the potential risks of doing so?

Over 30% of all open source projects use a package manager to declare at least one dependency.

The average open source Ruby project has 50 dependencies, and the average Node.js project has over 150 dependencies on third-party code.

TODO **finish dependency counting research**

There are a number of things to consider when adopting a dependency into your application.

## Dependencies

- "You don't download, or import, a software dependency, you adopt it. Like adopting pets, it's a responsibility for the life of your product." - https://twitter.com/davecheney/status/616931340466786304
- package managers
- transitive dependencies

## Licensing

- Unlicensed code
- Copyleft licenses
- Conflicting licenses
- Transitive licenses
- Non-Open Source Licenses (example: greensock)

## Security

- CVEs and NVD
- default configurations (elasticsearch localhost)
- There were 14,185 reported security vulnerabilities in 2015, which is an average of 38 per day

## Support

- Deprecated libraries
- Unmaintained libraries
- Dead libraries
- Unresponsive issue trackers
- Deleted/removed code

## Bus Factor

- How many people need to get hit by a bus to kill the project?
- Commit bit
- GitHub admin rights
- Package manager publish bit

## Bitrot

- Software being "Done" is like lawn being "Mowed" - https://twitter.com/ourfounder/status/770075137332932608
- The gradual decay of working software
- parallax train animation
- OS -> system level dependencies -> application level dependencies -> application

## Risk

- unmaintained projects
- public facing
- personal data

## Mitigation

- shrinkwrapping
- vendoring
- automatic updating
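As an added illustration of the "transitive dependencies" and "shrinkwrapping" points above (example code written for this page, not part of the original notes): a manifest declares version *ranges*, while a lockfile-style resolved tree records what actually ships, including transitive packages and duplicate versions of the same name. The manifest and tree below are constructed samples in the shape of a `package.json` and a nested lockfile, not data from any real project.

```python
import re

# Constructed sample manifest: what the application declares it wants.
MANIFEST = {
    "dependencies": {
        "left-pad": "^1.3.0",   # floating: any 1.x >= 1.3.0
        "express": "~4.17.0",   # floating: any 4.17.x
        "lodash": "4.17.21",    # exact pin
        "debug": "*",           # floating: anything at all
    }
}

# Constructed sample lock-style tree: what was actually resolved, nested by
# dependent, so transitive packages appear under the package that pulled them in.
LOCK_TREE = {
    "express": {"version": "4.17.3", "dependencies": {
        "debug": {"version": "2.6.9", "dependencies": {
            "ms": {"version": "2.0.0", "dependencies": {}}}},
        "body-parser": {"version": "1.19.2", "dependencies": {}},
    }},
    "left-pad": {"version": "1.3.0", "dependencies": {}},
    "lodash": {"version": "4.17.21", "dependencies": {}},
    "debug": {"version": "4.3.4", "dependencies": {
        "ms": {"version": "2.1.2", "dependencies": {}}}},
}

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def floating_specs(manifest):
    """Declared dependencies whose spec is a range rather than an exact pin."""
    return {name: spec for name, spec in manifest["dependencies"].items()
            if not EXACT_VERSION.match(spec)}


def resolved_versions(tree):
    """Walk the nested tree and collect every resolved version per package name.
    A name mapping to more than one version means the same library ships twice."""
    found = {}
    stack = list(tree.items())
    while stack:
        name, node = stack.pop()
        found.setdefault(name, set()).add(node["version"])
        stack.extend(node["dependencies"].items())
    return found


def dependency_counts(tree):
    """(direct, total) package counts; total includes every transitive node."""
    total = sum(len(versions) for versions in resolved_versions(tree).values())
    return len(tree), total
```

Without a shrinkwrap/lockfile committed alongside the manifest, only the pinned `lodash` entry is reproducible; the other three ranges can resolve differently on every install.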