
Report Finds Few Open Source Projects are Actively Maintained - Slashdot

source link: https://news.slashdot.org/story/23/10/15/0225241/report-finds-few-open-source-projects-are-actively-maintained


Report Finds Few Open Source Projects are Actively Maintained (infoworld.com) 33

Posted by EditorDavid

on Sunday October 15, 2023 @12:34PM from the pull-request dept.

"A recent analysis accounting for nearly 1.2 million open source software projects primarily across four major ecosystems found that only about 11% of projects were actively maintained," reports InfoWorld:

In its 9th Annual State of the Software Supply Chain report, published October 3, software supply chain management company Sonatype assessed 1,176,407 projects and reported an 18% decline this year in actively maintained projects. Just 11% of projects — 118,028 — were receiving active maintenance.

The report also found some new projects, unmaintained in 2022, now being maintained.

The four ecosystems included JavaScript, via NPM; Java, via the Maven project management tool; Python, via the PyPI package index; and .NET, through the NuGet gallery. Some Go projects also were included. According to the report, 18.6% of Java and JavaScript projects that were being maintained in 2022 are no longer being maintained today.

Other interesting findings:

  • Nearly 10% reported security breaches due to open source vulnerabilities in the past 12 months.
  • Use of AI and machine learning software components within corporate environments surged 135% over the last year.


    • Re:

      Each of those 50 rely on another 100. Each of those 100 rely on an average of another 30 or so (made up numbers but it won't be far off - the average number of open source components for an application is around 500).

      That means you likely depend on 2500 open source projects. Which is fine, as long as we recognize that the responsibility for ensuring that all those dependencies are up to date is your software supplier such as a distribution and that the industry standard is that anyone who is responsible has

      • Re:

        On .Net, half of those are probably Newtonsoft.

      • Re:

        I don't know why this post was upvoted, but then again populism does not correlate with intelligence.

        You must have a really gaping egress port to keep pulling these random statistics from.

        I've looked at a few of the 'essential' packages (imho) and the most I've seen has 44 external dependencies; not surprisingly, it's a Python project.

        Most others have at most 5.

        • Re:

          There are two approaches when you see something that doesn't match with your experience. You can either just declare it wrong, move on and remain stupid forever or you can ask what could be the source of that belief [darkreading.com], perhaps question it and most likely learn something new from time to time. The number of dependencies is very language and framework dependent. Whilst I don't believe your Python numbers - I've seen lots more - they probably aren't nearly as wrong as you would be applying your experience to oth

      • Re:

        And... I imagine people probably have different projects on their lists of 50. So, all in all, it's even more in total.

    • You write some PoC when experimenting with a technology or lib and then never touch that shitty, unfinished code ever again because you have other projects, or full time work, that demand your time.
  • In my experience, open source means no more no less than allowing someone else, usually a big corporation, to steal your work and then demand you keep maintaining it for free because they rely on your project to make money. F... off.

    • In my experience, open source means no more no less than allowing someone else, usually a big corporation, to steal your work and then demand you keep maintaining it for free because they rely on your project to make money. F... off.

      If you have a problem with this then you need to fix your software license. Normally (but not always) a license like the AGPLv3 will ensure that they are contributing back to your software base. If they demand fixes without being willing to pay, rather than providing fixes and helping you, then they are customers not collaborators. Non paying customers get non-service.

  • Zipf distributions seem to be everywhere. Most web pages hardly get any visitors, a few get tons. Most words in a dictionary are rarely used, a few are used all the time. And here: most OSS projects are unmaintained, a few are very actively maintained.
    • Re:

      Also refer to "Sturgeon's law".

  • Since Open Source projects don't have a sales and marketing department rending their garments for new features nor executives desperate for "shareholder value", once mature and sufficient, they tend not to be actively maintained unless or until someone actually needs another feature bad enough to submit a patch or pay someone else to.

    • Re:

      I had an employer (since passed on) who had run a contracting company dependent on the US government for many years before I came to work for him. I remember him saying to me about how he'd tried many times to work in the commercial sector exclusively but he couldn't stop sucking at the tit of government.

      I think this is hugely analogous to the open source thing. I've contributed to a number of OSS projects but I don't go back and look at what I submitted. It was single use, one shot that scratched *my* i

  • So they're talking about dependency management.

    Only 11% of Open Source projects are maintained. But most of those unmaintained projects are hobby projects where the person lost interest, or internal tools from a company (that also lost interest).

    But when I'm installing a dependency in my project I'm using something like numpy or pandas. I'm not using phil_lib unless Phil did something really critical that I needed, and even then it's probably something pretty small and very specific and it probably doesn't

  • by gweihir ( 88907 ) on Sunday October 15, 2023 @01:16PM (#63926671)

    There are a lot of FOSS projects that are not relevant. There are also some that are stable and do not need maintenance. For example, gzip will likely need maintenance when systems move to 128 bit.

    The metric is mostly bogus. This seems to be somebody that thinks they can compare commercial software and FOSS in this way. Just shows a lack of clue.

  • Seriously. I read this as "there are around 130,000 projects actively supported". That is not a small number, so I am not sure why I am supposed to be worried. It's easy to submit, there is early excitement by the developers etc. etc. Seems to be human nature, not a software thing.

    From my perspective, if that number _stays_ in that range for an extended amount of time, that may just be the natural level. Besides, sometimes even a not actively supported project may be useful, at least until a major software

  • All of my coursework and projects are BSD licensed, so open source. Ones that are no longer in use are still available, but "unmaintained". That's probably 30 or 40 repositories on various platforms.

    So what? Someone may still find them useful. There's no need for maintenance.

    I expect a lot of open source projects are similar. How many of you have some personal project out there, that you haven't changed recently? I have sudoku and nonogram games, they work, they're finished. Again, there's no need for any maintenance.

  • Likewise, only a tiny percentage of all of the closed-source software that has ever been released is still actively maintained.

    • Re:

      And you can't even fork and maintain it yourself if you wanted.

  • Many are simple and work fine without maintenance
    Many are unused and the developer lost interest
    Many simply suck mightily
    In general, creating is fun, maintaining is work, often hard, unpleasant work

    • Re:

      This right there.

      There are 2 kinds of projects that don't receive updates:

      1) Those that are finished (or at least without any relevant issues/bugs/flaws) and don't need any.
      2) Those that are abandoned and don't interest anyone.

      In case of 1, be happy and use it. In case of 2, if you need it, fork it and maintain it.

      In either case, there's zero use whining about poorly maintained projects.

  • Because the giga-corporations that built their billions on the back of open source more often than not have never paid a single dime to the software programmers that made their fortunes.

    Maintaining software is work. People tend to enjoy being paid to do work. Me, I put a few open source projects out there over the decades. I worked on them as long as they were fun or solved a problem I had, and I stopped working on them when they weren't fun anymore or they were good enough to solve my problem. Pay me and I'll keep maintaining them if you want me to.

    Those who complain that open source projects aren't maintained are welcome to fork them and maintain their own fork.

  • How many millions are unmaintained? Funny, I bet it won't be easy to find all those products/projects much less check for updates as easy as querying github.

  • If you find a page with node.js, rejoice. At least if you want to break into it. Because it's almost a given that you will find a way to abuse that page.

    Node.js suffers from the "everyone and their dog" problem. Everyone and their dog can somehow hack together some javascript monstrosity. And I mean monstrosity in the Frankenstein sense. Cut together from bits and pieces that somehow fit together, a hodgepodge of code that works kinda-sorta, usually without the idiot hacking it together having even the first clue of what he does. After all, node.js was created when we noticed that we have a lot of webdesigners that can somehow write JS code but we don't need them, but we could use a few backend programmers.

    And thus, this monstrosity was born.

    So what you have now is a bunch of people who think they can program when all they really can do is cargo-cult some stackexchange answer together. And of course every single one of them has to write his own database module. How many "standards" for accessing PostgreSQL in node.js exist today? A dozen? More? How many of those are still maintained?

    Because the same programmers that can't be assed to learn programming also can't be assed to maintain their atrocities after they lose interest. Which is about 5 nanoseconds after they finish their projects, but not before smearing their shit all over github for everyone to download, because MY database connector is HEAPS better than the score that already exists.

    And now the really big problem starts.

    Because now people who know even less about programming than these idiots enter the ring and download their connectors. Without checking first whether there has ever been any maintenance in the past 3 years. Hell, chances are that even if they checked, they'd find out that ALL of them didn't receive a patch in the past 3 years, so pick your poison. Or, hell, create your own and add to the mess...

    And then the inevitable happens. Someone finds a security flaw in one of the more popular Frankensteins. It's not like you have to look long or far. And now you're stuck with a piece of code you'd have to fully rewrite to use some other database access code (because you don't think that they'd give a fuck about compatibility with any of the other existing code, do you?), and how many bosses will actually approve the cost of that?

    Seriously, people. I had to review quite a few of node.js pages. Not a single one of them was without a critical flaw.

    • Re:

      Nodejs is no more a "clusterfuck" than any other language or platform. Maybe loosen your tin foil hat or shave your neckbeard a little. You're just mad because you never invested the time to learn javascript and it became more popular than your favorite language. The world passed you by, and you're sad about it.
      • Re:

        left-pad...

        • Re:

          so-what...
      • Re:

        nodejs passed python in popularity? When did that happen since yesterday [tiobe.com]?

        JS may have its space to spice up webpages. But relying on this ugly, bloated mess to run webservers? That's something it was never meant to do and shouldn't do.

        • Re:

          >nodejs passed python in popularity? When did that happen since yesterday [tiobe.com]?

          Cherry-picking much? nodejs is not a language, python is a language. But you seem confused about that. Python has been less popular than Javascript depending on the hundreds of different surveys you care to look at. They are all flawed, so nice strawman you have there.

          >But relying on this ugly, bloated mess to run webservers?

          That's just your opinion. I find other languages far more bloated than javascript. So
  • Major paradox among those who build for its own sake. People only interested in money or power are never confused about what to do next: Their greed guides them like a bright North Star. But if you make something to make it, and you feel like the job is done, you'll now want to make something else instead of sticking around to be a janitor for those who come after. The exceptions should be considered especially laudable.
  • I have several open source projects on my github (https://github.com/dj-on-github).

    Many of them I haven't touched for a long time because they work and no bugs have been reported. So would those count as not being maintained? They are maintained in as much as I am available to fix bugs that are reported and add features as needed; they just don't need much maintaining.

  • They are all maintained to exactly the level they need to be maintained.

    If interest in using them is low then the maintenance is unjustified; if interest is high then there will be contributions back, or maybe even local patches applied. Either way the level of effort is ideal.

