Abandon Ware

Philippe Coval http://purl.org/rzr/ #BreizhCamp 2020-03-27


$ whois Phil Coval

  • Software Engineer from Rennes, France
  • Contributed to libre communities:
    • Debian, Qt, MeeGo, Mozilla-IoT, Node…
  • Involved in industry's OSS:
    • Tizen (Intel), Yocto, IoTivity (Samsung)
  • Currently available for cooperation:

Software is never finished


Software will be abandoned

  • Abandonware is a product
    • typically software,
    • ignored by its owner and manufacturer,
    • and for which no support is available
  • Open source products include permission
    • to use the source code
    • FLOSS without community is just software

Challenges

  • Code isn't like wine,
    • it does not get better over time
  • Upstream is not users' contractor
  • Software needs users & developers!
    • Community interdependence

Lifespan of OSS

  • Author(s) publish code
    • Users use code (free riders)
    • Community improves code
  • Developers add features, fixes
  • Or fade away…
    • Ship and forget (next hype)
    • Lack of interest, funding
    • AFK or worse situations
  • Sustainability challenge

Strategies

  • OSS Users might stay, and make patches
    • not merged upstream
    • many downstream forks
      • that might be abandoned too

(Cyber) Negligence:


(Cyber) Insecurity:

  • Vulnerabilities in code
  • AND/OR its dependencies
    • AND/OR dependencies' dependencies…
  • Fix CVE with patches?
    • Any side effects?
      • in unaudited (closed) code?
  • Minimal maintenance is desirable
    • for each link of chain

Best effort cooperation

Trust

Procedure Flows

  • Track patches: URL in commit messages:
    • Origin:, Forwarded:, Relate-to:
  • Forward patches to upstream first
  • Rebase on upstream ASAP
  • Set up CI/CD
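
One way to check the trailer convention above in CI, as an added example (not code from the talk or from the author's projects). Which trailers are mandatory, and that each must carry an http(s) URL, are assumptions of this example; the sample commit messages are constructed.

```python
import re
from urllib.parse import urlparse

# Trailer names are from the slide; which are mandatory is assumed here.
REQUIRED = ("Origin", "Forwarded")
OPTIONAL = ("Relate-to",)
TRAILER_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.*)$")

def parse_trailers(message):
    """Return {lowercased name: [values]} from the message's last paragraph."""
    paragraphs = [p for p in re.split(r"\n\s*\n", message.strip()) if p.strip()]
    trailers = {}
    if len(paragraphs) < 2:  # a subject line alone has no trailer block
        return trailers
    for line in paragraphs[-1].splitlines():
        m = TRAILER_RE.match(line.strip())
        if m:
            trailers.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return trailers

def is_url(value):
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def audit_patch(message):
    """List what stops a downstream patch from being traced back upstream."""
    trailers = parse_trailers(message)
    problems = []
    for name in REQUIRED:
        values = trailers.get(name.lower(), [])
        if not values:
            problems.append(f"missing {name}:")
        elif not any(is_url(v) for v in values):
            problems.append(f"{name}: has no URL")
    for name in OPTIONAL:
        if not all(is_url(v) for v in trailers.get(name.lower(), [])):
            problems.append(f"{name}: is not a URL")
    return problems

# Constructed commit messages; the example.org URLs are placeholders.
TRACKED = """build: fix compile on newer toolchain

Origin: https://example.org/downstream/lib/commit/1
Forwarded: https://example.org/upstream/lib/pull/2
Relate-to: https://example.org/upstream/lib/issues/3
"""
UNTRACKED = "hci: handle short read\n\nOrigin: local tree\n"

if __name__ == "__main__":
    for msg in (TRACKED, UNTRACKED):
        print(msg.splitlines()[0], "->", audit_patch(msg) or "ok")
```

Run over the commits a fork carries on top of upstream, an empty result for every commit means each downstream patch can be traced to its source and to its upstream submission.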

CI/CD, DevOps, AI?

  • Automate (e.g. GitHub Actions)
  • Code is scanned by bots:
    • issues reported, patches proposed
  • Changes announced to social channels
  • Others: namespaces:
    • JS lib published to NPM:
      • "@abandonware" repository
  • Next? AI or Collective Intelligence?

"bluetooth-hci-socket"

"@abandonware/bluetooth-hci-socket"

Help welcome

Ethics matters

Resources

Video of Webinar

Created by Philippe Coval