Free/Libre Open Source Software and not very free…

Open Swiss Knife

Let's look at software development in languages like Python, JavaScript, Ruby, GoLang, etc.

The creators of these languages maintain their own repositories of open source software written in the corresponding language. Each language has its own repository. The repository is very large and contains the newest versions of software.

The repository owners (the creators of the corresponding programming language) provide powerful tools for easily searching for and installing software from this repository.

The repository contains regular applications that you can run, and so-called libraries. A programming library is a set of functions, components and algorithms intended to help developers create their applications and, possibly, other libraries. For example, you are writing a graphics editor and want to add a blur effect. Instead of writing the code for this effect from scratch, you may attach a library of image-processing functions that can do blur as well.

The listed languages allow you to easily attach libraries from their repositories to your programs. Usually it is enough to write the names of the wanted libraries into a special file in your program's directory. All the listed libraries will be installed automatically. And that is not all: the smart installer will also install every library that the listed libraries need in order to work. So you can easily prepare the environment and begin work on your new program, without manually searching for and installing the required components.

The libraries required for a program (or another library) to work are called the dependencies of that program. Dependencies may have their own dependencies, and those may have dependencies of their own. The full list of dependencies required by your program makes up the so-called dependency tree of your program.
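To make the dependency tree concrete, here is an added example (not code from the original post) that walks a small, constructed package index: the two libraries the program names directly pull in ten more that the installer would add on its own. The package names are made up for illustration.

```python
from collections import deque

# Constructed dependency metadata, not taken from any real package index:
# each package maps to the packages it declares as its dependencies.
CONSTRUCTED_INDEX = {
    "myapp": ["webframework", "imagetools"],
    "webframework": ["httpcore", "templating", "cli"],
    "httpcore": ["sockets-ext", "certstore"],
    "templating": ["markupsafe-like"],
    "cli": ["colors", "httpcore"],        # httpcore reached by a second path
    "imagetools": ["numeric", "compression"],
    "compression": ["zstd-bind"],
    # packages with no entry are treated as leaves
}


def dependency_tree(root, index):
    """Return {package: depth} for everything the root transitively pulls in.

    Breadth-first walk, so a package reachable by several paths gets its
    shortest depth. Depth 1 is what you wrote into your dependency file;
    everything deeper is what the installer adds on your behalf."""
    depth = {}
    queue = deque([(root, 0)])
    while queue:
        pkg, d = queue.popleft()
        if pkg in depth:
            continue
        depth[pkg] = d
        for dep in index.get(pkg, []):
            if dep not in depth:
                queue.append((dep, d + 1))
    depth.pop(root)
    return depth


def summarize(root, index):
    """Split the tree into the libraries you chose and the ones you did not."""
    tree = dependency_tree(root, index)
    direct = sorted(p for p, d in tree.items() if d == 1)
    transitive = sorted(p for p, d in tree.items() if d > 1)
    return {"direct": direct, "transitive": transitive, "total": len(tree)}


if __name__ == "__main__":
    print(summarize("myapp", CONSTRUCTED_INDEX))
```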

The use of ready-made code is a very significant part of free/libre software development. We can say that it is one of the main aims of free software.


The ease of attaching libraries and the large number of ready-made libraries for all occasions allow you to construct programs like Lego buildings. You may not touch actual programming at all. Even with minimal skills you are able to create very complex programs and calculation systems.


The software is free and open, but that is not enough. Everything was beautiful and easy to use, but…

Book

Active use of third-party code makes the dependency tree very large. Such a tree for the simplest program may contain hundreds of libraries. Even if you have attached only a couple of libraries, this couple may pull in a hundred others.

In such conditions it is hard even to read all the names of the libraries or the names of their creators. Yet you trust them with some possibly significant calculations and with your own or other people's personal data. The area of access of an attached library may not be restricted to the data processed in your program. Depending on the installation method, third-party libraries may have access to all files of the current user and, sometimes, to all files on your computer.

Assume you have decided to be careful with your dependency tree and now it contains only a few libraries. Now you are able to read their names and know their authors. You are able to make a reasonable decision to trust them or not. But it is open source, which means you do not need to believe: you can verify the code.

Here you will see the other thing. The automatic installers from language repositories are not designed to do any verification. Usually, after a deep study of the documentation, you can still verify the code before installation: you can ask the installer to download the code without installing it, then verify it, then install it. But it will not be easy, and sometimes you will need to disable the internet connection during the installation phase to avoid possibly downloading an updated version of packages you have already downloaded and verified.

Technically you have the ability to verify source code before installation. But the language developers did not foresee such usage of their installation tools, and the verification process becomes extremely inconvenient.

*Here it should be noted that the process of installing a library may run some scripts from this library. It depends on the configuration of the library package, which is set by the library's developers. So if you want to verify code before running it, you need to do so before running the installation procedure.
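The download-verify-install workflow from the previous paragraphs, and the note about install-time scripts, as an added example for Python packages (not code from the original post): it lists the files in a source distribution that run during installation, so they can be read first, and pins the reviewed archive's SHA-256 into a requirements line that pip's `--require-hashes` mode enforces. The sdist it builds is constructed, made-up data so the example runs offline.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Files inside a Python source distribution that pip executes or evaluates at
# install time, so they must be read before the installation step is run.
INSTALL_TIME_FILES = ("setup.py", "setup.cfg", "pyproject.toml")

def sha256_of(path):
    """Hex SHA-256 of a downloaded archive, computed before it is installed."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def install_time_files(sdist_path):
    """List the archive members that run during installation (review these first)."""
    with tarfile.open(sdist_path, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers()
                      if m.isfile() and Path(m.name).name in INSTALL_TIME_FILES)

def pinned_requirement(name, version, archive_path):
    """Requirements line for `pip install --require-hashes`: pip then refuses
    any archive whose digest differs from the one you reviewed."""
    return f"{name}=={version} --hash=sha256:{sha256_of(archive_path)}"

def make_constructed_sdist(directory=None, name="demo-lib", version="1.0"):
    """Build a small made-up sdist so the example runs offline (constructed
    data, not a real package from any repository)."""
    directory = directory or tempfile.mkdtemp()
    archive = Path(directory) / f"{name}-{version}.tar.gz"
    members = {
        f"{name}-{version}/setup.py": b"from setuptools import setup\nsetup()\n",
        f"{name}-{version}/demo_lib/__init__.py": b"def blur(img):\n    return img\n",
    }
    with tarfile.open(archive, "w:gz") as tar:
        for member_name, data in members.items():
            info = tarfile.TarInfo(member_name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return archive

if __name__ == "__main__":
    archive = make_constructed_sdist()
    print("runs at install time:", install_time_files(archive))
    print(pinned_requirement("demo-lib", "1.0", archive))
```

With pip, the surrounding steps are `pip download --dest ./vendor <package>` to fetch without installing and `pip install --no-index --find-links ./vendor --require-hashes -r requirements.txt` to install only the reviewed archives.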

The widespread practice is to install dependencies without any control. Most online courses, and even programming courses in universities, will teach you the easy installation of third-party libraries, without any notes about the risks related to privacy and security.


Use a minimal number of dependencies in your programs, or you will be lost in your dependency tree like in a forest.


About repositories of free/libre open source software…

Distros

Almost any distribution of the Linux operating system (Debian, Fedora, Gentoo, etc.) is a repository of open source software. All the software placed in such a repository is the distribution of the operating system (OS).

Of course, the authors of a distribution do not suggest that you install all of the software, just the parts you want to use. Nobody installs the full set of software provided by an OS distribution.

The repository provided by your operating system contains not only applications but libraries too: the same libraries as in the repository of the programming language. But the OS repository provides libraries for all languages. This repository is independent from the language creators and is maintained by the creators of your OS distribution. You already decided to trust this repository when you chose your OS distribution, and you had the ability to choose. You already have a powerful set of tools to easily search for and install applications and libraries.

So why do you need to use the centralized repositories, unique to each programming language, from the language creators?

The main reason is that these repositories contain many more libraries and applications, in their latest versions. But why is that so?

The maintainers of these repositories verify only the format of configuration files and the directory structure. They do not verify the source code. Together with centralization, this makes the process of publishing new libraries as easy as possible. Sometimes the programming language itself provides functionality to publish your code in the centralized repository of software for that language.

Developers of operating system distributions do their job much more responsibly. They verify that the source code is compatible with the other parts of the OS, and modify it if needed. The quality of the source code and the acceptability of its license are also verified. Sometimes maintainers remove parts of code with a non-free license or with a license incompatible with the declared principles of the OS distribution. And possibly the main point: the newest versions of software, not yet verified in practice, will never be included in the repositories of OS distributions.


Reject the use of centralized repositories provided by the creators of programming languages. Use the repository of your operating system instead. It is true that sometimes you will need to install some dependencies manually and write additional instructions for your users about this installation. But it is the price for the freedom of software and, certainly, for your freedom.



10 Jul 2021
Ivan Mahonin
email: email
diaspora*: bh@sysad.org

your comments are welcome here:
https://sysad.org/posts/9465aa80c6ce01395a111eac510f7330

Language: English, Russian.