Open source is the best way to create software: when a project brings together a community of developers actively working on it, documenting it and constantly improving it, we get a virtuous circle which, among other things, fulfills the Linus’s Law: “given enough eyeballs, all bugs are shallow”.

When a certain number of people, diverse and not belonging to a single organization, coordinate to develop a software project, the results are usually good. Much of the software we commonly use is based on open source projects, simply because it is the most appropriate way to develop software. Simply the fact of wanting to make software available in open source form obliges its creators, at the very least, to review it thoroughly and document it properly, something that few developers like to do, but which is essential if you want it to be inspected, understood and improved by others. The idea, moreover, of creating software so that anyone can benefit from it offers a glimpse of how society should work.

However, a recent study based on more than 1.2 million open source software projects found a worrying conclusion: only about 11% of them undergo minimal maintenance. The concern arises, logically, from what tends to happen when software, which is anything but isolated, stable and monolithic, is not updated: software projects usually have multiple dependencies that can change as the versions of the components on which they rely change.

Without proper periodic maintenance, vulnerabilities often appear in software, which can be actively exploited by interested parties: it is estimated that around 10% of security incidents are due to vulnerabilities in open source software.

The result of this study, however, should not disappoint anyone: the “big” open source projects remain in excellent health and are increasingly tending to become standards, solid foundations for other projects, major value generators. However, there are many kinds of open source projects: there are many small projects, sometimes set up by one-person or a small group, but which can be very important.

Sometimes, in fact, we find the paradox that those pieces created by true devotees who for a time found their motivation in their creation are used as components in many other projects, which tends to generate huge structures that, in the end, rely on a weak link, on something that its creator, often already in another phase of their life and with other interests, no longer provides active support for. In many cases, the software in question simply failed to interest enough developers to use it in their projects and to collaborate on its maintenance. It may be that the creator failed to keep up its profile, or possibly was not cut out to lead a community, or simply created something so perfect it did not seem to need anything else. There are many reasons why an open source project can fail to become a community, even if it gains popularity. Using something does not require the same level of commitment as collaborating in its development. Most people don’t give it much thought.

The point is that software allows anyone with the right ideas to add value, but that value is not always expressed conventionally. Often, a developer who creates interesting projects is rewarded with better jobs or more prestige, but not necessarily directly. From there, anything can happen to the software they created: it can simply be left behind, but it can also, if it is good, become something that other developers come to rely on regularly for their projects.

Increasingly, it is common to encounter problems of this type: small code components not maintained by their creator(s) for years, which end up generating problems. If we incorporate artificial intelligence into the equation, we can encounter algorithms that take portions of code from repositories based on a given need, but do not make clear their traceability, their license type, where they come from or how well maintained they are. The use of software components created through artificial intelligence and machine learning in corporate environments grew by 135% last year.

If already in many cases, the return to the community of projects using open source software components is little or nonexistent — little less than thanks, if at all — when it is an algorithm that decides which code to use, this return often becomes non-existent. If many developers, as we have seen, won’t even consider collaborating with the improvement or maintenance of a piece of open source software they use, what can we expect from a simple algorithm? Is the algorithm going to say “hmmm, maybe it would be interesting to help out here and improve this”? No, it is simply going to take what it needs, and leave without even saying that legendary “so long and thanks for all the fish!”

How to manage in an increasingly complex and varied environment, with more and more parts created through processes that are often voluntary, and that are managed more and more arbitrarily and without much visibility? How to provide software repositories with the appropriate intelligence to understand when it is advisable or not to reuse a component? Or better yet, how to create incentives so that a task such as maintenance, which is much less interesting than development, receives adequate attention and its value is recognized?

Photo credit: iStock.com