What reasons do companies have for open-sourcing libraries and applications?

Doing this may allow a developer to better understand the code, but could doing this allow people to find and exploit vulnerabilities in the library or application?

  • You think that security is all about obscurity? That has been shown not to work at all. You assume that everyone that can find a vulnerability is malicious and will exploit it. Experience has shown that most people are actually helpful and *report* the issue instead. – Martijn Pieters Dec 04 '12 at 18:04
  • The baseless "open source = vulnerable" FUD meme is really getting old. I'm downvoting you for perpetuating it. – user16764 Dec 04 '12 at 18:11
  • related: [Why do programmers write closed source applications and then make them free?](http://programmers.stackexchange.com/questions/3233/why-do-programmers-write-closed-source-applications-and-then-make-them-free) – gnat Dec 04 '12 at 18:56
  • One simple reason. They do not feel they can make money selling it. If they are able to make money from the service, what reason is there not to make the source open? Facebook, Twitter, and LinkedIn only publish the source to an SDK for their service. The source code for Facebook is NOT open source. – Ramhound Dec 04 '12 at 19:45
  • It's interesting that all the answers to this question refer to web-based software. Maybe this software, from a balance-sheet point of view, has no value. – James Dec 05 '12 at 01:39
  • @James All the questions refer to web-based software because the question is about web-based software. – user16764 Dec 05 '12 at 15:24

3 Answers

There are myriad reasons why a company would put code out into the world for anyone to see and use:

  1. Developer Relations - Putting out quality, useful code endears developers to the company.

  2. Trial by Fire - If you have code out in the wild that is used by many people, you are likely to get loads of feedback about it. Bugs, areas to improve, and maybe vulnerabilities. It can lead to more robust products in the end as you find many things that a few developers may not have found on their own.

  3. Free Developer Time - Plenty of developers are perfectly willing to spend time working on a project. By allowing developers to contribute, you get the benefit of free labor as well.

  4. Growth - Putting out an API allows other developers to create an ecosystem around the product/platform/etc. which in turn can attract more people and grow the ecosystem.

  • How about 'additional code contributions from people only looking for recognition / notoriety rather than monetary compensation'? –  Dec 04 '12 at 18:09
  • I would reorder your list. Free developer time is probably the biggest benefit; popular projects likely receive thousands of free hours per month. – Ryathal Dec 04 '12 at 18:15
  • "Companies use..." ? – Mike Partridge Dec 04 '12 at 18:18
  • @MikePartridge Not sure how that got there. Fixed it. –  Dec 04 '12 at 18:20
  • The question is how much the "free developer time" really works - you have to "maintain" the community by making people happy, and then you add features you don't need yourself but might end up maintaining after the contributor ran away. Sure it can be successful, but I think the "free" calculation often doesn't work out; the other reasons I can fully agree to, though. – johannes Dec 04 '12 at 18:47
  • @johannes At that point, you could also do a cost-benefit analysis on bug/vulnerability/feature requests. For every good bug find, how many reports do I have to look into that are a result of reporter incompetence? –  Dec 04 '12 at 18:52
  • Some companies will, upon finding someone contributing useful code, make an employment offer to contributors. – Travis Dec 04 '12 at 19:03
  • @Nelson Are there any studies that prove empirically some of the points you listed? – H-H Dec 06 '12 at 09:53
  • @H-H If there are, I don't know of them. This is based on my subjective experience as a developer. Of course I don't know how you could empirically prove the intentions of companies without doing a case-by-case analysis of each one, which I highly doubt has been done on any grand scale. –  Dec 06 '12 at 12:50

Companies release code as open-source when that code isn't their core business. Facebook doesn't sell software, it sells a global social network. You can take 100% of Facebook's code, run it on your own servers, and still not be any sort of competition to them. So what do they have to lose? The reason they've beaten out rival social networks isn't because they have a super-efficient patented memory caching algorithm or the best PHP templating engine. The code isn't the only thing here.

Avner Shahar-Kashtan

  • Pretty much what Joel Spolsky explained in [Strategy Letter V](http://www.joelonsoftware.com/articles/StrategyLetterV.html). – user16764 Dec 04 '12 at 19:59

A good reason would be this:

If some 3rd party developer gets an awesome idea and integrates it in that code, it can easily boost the popularity of that company or that product; this is always desired, even if it means some (not a lot) additional security risks. It's a trade-off worth making.

Also, exposing some API of your code to literally everyone can be beneficial. The best example I can think of is what Google did with Google Maps. They can be integrated in virtually any web-page out there. This helped Google by making that service much more popular and attractive. I know this doesn't fit the criteria of publishing the code; but making an API completely public comes pretty close.

Radu Murzea

  • Yep. A lot of companies will rely on the popularity of applications created by 3rd party developers. I think we can learn a lot from Twitter's actions concerning their API. – duggiefresh Dec 04 '12 at 18:21