Developing software, especially embedded software, is one of humankind’s most complex and costly activities. As a result, many teams look to decrease complexity and cost by reusing as much software as possible, including free, open-source software. The 2019 Embedded Market Survey found that 24% of the respondents reused open-source code. At first glance, open-source software seems like a good idea, but in the end, there are several properties of open-source software that just might make it evil.
First, every open-source code base comes with a software license. The software license tells the developer how they can and cannot use the software. Many open-source projects today use an MIT license, allowing the software to be used for practically anything at no cost and with no strings attached. Unfortunately, not all code bases are like this. There are licenses out there that allow for unrestricted use for personal projects. Still, if the code is used commercially, any changes and sometimes even the new associated code must also be open sourced. If a developer, manager, etc., aren’t paying close attention, they might legally have to open-source their intellectual property. Evil?
Next, as an American, doesn’t free software go against the very core of our capitalist existence? We promote the inventor, the entrepreneur, and the companies that grow to be industry leaders and titans. The very idea of paying for software might very well get an engineer laughed out of the office. Why do we refuse to pay for commercial software and instead rely on open-source software? I’ve seen in many companies the push to use free open-source software isn’t because of better quality, shortened time-to-market, or improved customer experiences. From what I have seen, the big push seems to be corporate greed to maximize profits. Why do companies expect everyone to pay top dollar for their software when they are unwilling to pay, donate, or contribute themselves? Evil?
Finally, open-source software is often functional but not necessarily robust, thoroughly tested, or even fit for use the way developers want it. For example, an industry favorite open-source library is FatFS. FatFS provides an easy-to-use file system integrated by many microcontroller vendors so that developers can have a file system available out-of-the-box. It pains me to pick on FatFS because it is so functionally sound and useful. However, if you start to look under the hood, you’ll discover many potential quality issues.
Figure 1: The McCabe Cyclomatic Complexity range count for the base FatFS code distribution functions. (Source: Author)
For example, if you analyze FatFS for function complexity (Cyclomatic Complexity), you’ll discover that the complexity distribution for the functions looks like Figure 1. Overall, most functions are relatively simple and have a low chance of having bugs or having bugs injected if any changes are made. However, there are seventeen functions with complexity greater than 10, with five functions having a complexity greater than 20! What functions do you think those are? The ones most often used by developers, as shown in Table 1. Evil?
Table 1: FatFS functions with a Cyclomatic Complexity of 20 or higher. (Source: Author)
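As an added illustration of the kind of analysis described above (this is not the author's tooling and not FatFS code), the following Python sketch approximates McCabe complexity for C functions by counting decision points and lists the functions above the article's thresholds of 10 and 20. The regex-based function detection, the constructed C sample, and the names `functions` and `report` are assumptions made for this example; a production review would use a real parser-based tool.

```python
import re

# Constructed sample input (not FatFS code); dispatch() is generated to exceed 20.
SAMPLE = r'''
static int is_sep(char c) { return c == '/' || c == '\\'; }

int parse_path(const char *p, int *depth)
{
    int n = 0;
    if (!p || !depth) return -1;       // "if" in a comment is not counted
    while (*p) {
        if (is_sep(*p) && p[1] != 0) n++;
        switch (*p) {
        case '.': break;
        case ':': return -2;
        default: break;
        }
        p++;
    }
    *depth = n > 8 ? 8 : n;
    return 0;
}
''' + "int dispatch(int op) { switch (op) { " + "".join(
    f"case {i}: return {i}; " for i in range(21)) + "} return -1; }\n"

# Comments and string/char literals, removed first so they cannot add branches.
NOISE = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'|/\*.*?\*/|//[^\n]*', re.S)
# Heuristic function header: name(args) { with no nested parentheses in args.
FUNC_HEAD = re.compile(r"\b([A-Za-z_]\w*)\s*\([^;{}()]*\)\s*\{")
# Decision points that each add one path in this approximation of McCabe's metric.
DECISION = re.compile(r"\b(?:if|for|while|case)\b|&&|\|\||\?")

def functions(src):
    """Yield (name, body) for each top-level function definition."""
    src, pos = NOISE.sub(" ", src), 0
    while (m := FUNC_HEAD.search(src, pos)):
        depth, i = 1, m.end()
        while i < len(src) and depth:          # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i]
        pos = i

def report(src, warn=10, high=20):
    """Score each function and list those above the two thresholds."""
    scores = {name: 1 + len(DECISION.findall(body)) for name, body in functions(src)}
    over = lambda limit: sorted(n for n, c in scores.items() if c > limit)
    return {"scores": scores, "over_warn": over(warn), "over_high": over(high)}

if __name__ == "__main__":
    print(report(SAMPLE))
```

Functions that land in `over_high` are the ones to prioritize for code review and targeted tests before the library is accepted into a product.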
So, is open-source software evil? I would argue no; however, I would encourage every team who wants to rush out to GitHub and leverage every piece of open-source software known to humankind to pause and proceed carefully. You never know what you’ll get, and you or your customers might just be worse off in the end. At a minimum, schedule the time to analyze your open-source software and test it to ensure it meets your needs. Just because someone gives it to you for free doesn’t mean it will meet your requirements.
What do you think? Is open-source software evil?
Jacob Beningo is an embedded software consultant who specializes in real-time, microcontroller-based systems. He actively promotes software best practices through numerous articles, blogs, and webinars on topics including software architecture design, embedded DevOps, and implementation techniques. Jacob has 20 years of experience in the field and holds three degrees including a Masters of Engineering from the University of Michigan.