We all use Open Source frameworks and libraries, but not everyone contributes back to the community. By contributing to Open Source we help the whole community and, on the other hand, become more valuable on the job market. Hacktoberfest is an event open to everyone, from beginner developers to software companies. As a yearly month-long celebration of open source software, Hacktoberfest encourages participants to submit pull requests to public repositories and in exchange awards a limited edition Hacktoberfest 2019 T-shirt for at least 4 Pull Requests marked as ready for review. Some contributors also share the great news of completing the challenge under #hacktoberfest on the DEV.to community. The core parts of the event are the local events. This year there were an impressive 673 events, 8 of them in Poland. I participated in one of them: Hacktoberfest Poznań Meetup 2019. It took place on October 12th and consisted of 11 talks about Free Software, Open Source, programming, and IT in general. The goal of the Poznań event was to encourage new people to join the Open Source movement. It was held at the Sonalake office and the hosts were Aleksander Lorenc, Artur Iwicki, Karol Sejka, and Rafał Zbytniewski. I would like to tell you about some of the talks in a nutshell.
Vulnerabilities in web applications
The event started with the talk “Vulnerabilities in web applications: a case study” by Kamil Pabin. The three most common types of website security vulnerability are SQL Injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).
SQL Injection is an attack in which SQL code is inserted through web page input that the application then uses in its SQL statements. A successful SQL injection exploit can read sensitive data from the database or modify it, and it can also execute administrative operations on the database. To prevent such attacks we should use Prepared Statements: all the SQL code is defined first and the parameters are passed afterwards, so the database checks each value against its column and treats the input literally, as data rather than as SQL code. As a last resort, all user input should be escaped, which helps the database not to confuse the developer's SQL code with that input.
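To make the difference between the two approaches concrete, here is an added example (my own illustration, not code from the talk) that runs the same lookup against a small constructed SQLite table, once by splicing the input into the SQL text and once as a prepared statement with a bound parameter. The table, the user names and the `find_user_*` function names are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the talk.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("o'neil", "user")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    # The seed data itself is inserted with bound parameters.
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the input becomes part of the SQL text, so a quote
    character in it changes the shape of the query."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the SQL is fixed up front and the value is bound
    afterwards, so the database treats it as a literal string, never as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def lookup_outcome(fn, conn: sqlite3.Connection, username: str):
    """Run a lookup and report either its rows or that the SQL broke.
    A syntax error on ordinary input (a surname with an apostrophe) is
    the same flaw that an attacker exploits with crafted input."""
    try:
        return fn(conn, username)
    except sqlite3.Error:
        return "SQL error"


if __name__ == "__main__":
    db = make_db()
    for probe in ["alice", "o'neil", "' OR '1'='1"]:
        print(repr(probe))
        print("  unsafe:", lookup_outcome(find_user_unsafe, db, probe))
        print("  safe:  ", lookup_outcome(find_user_safe, db, probe))
```

The unsafe lookup returns every row for the classic `' OR '1'='1` input and fails outright on a legitimate name containing an apostrophe; the prepared statement returns exactly the row whose username equals the input, whatever characters it contains.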
Cross-Site Scripting is another type of injection attack; it consists of injecting malicious scripts into web pages, which are then executed by the end user’s browser. It is often used to steal the victim’s data. It is sometimes confused with Cross-Site Request Forgery. In a CSRF attack, the attacker controls what the client browser sends to the website. It doesn’t even require JavaScript, as it exploits the web browser itself. The victim must be logged in, so that the browser makes the HTTP requests prepared by the attacker with the victim’s session. Attackers can use social engineering to encourage the victim to click a link, or they can use an XSS attack to inject code into a website that POSTs a forged request to the server as the victim. Modern browsers don’t allow such POST requests from the attacker’s site thanks to same-origin policy restrictions.
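The two defences that follow from this paragraph are output encoding for XSS and a server-side check that a state-changing request really came from the application's own page for CSRF. The following added example (my own illustration, not code from the talk) shows both: a comment rendered with and without HTML escaping, and a small request handler that rejects a forged transfer because it carries a foreign `Origin` header or lacks a per-session CSRF token. The HMAC-based token scheme, the `handle_transfer` handler, the `https://bank.example` origin and the request dictionaries are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import html
import secrets

# Constructed for the demo: a real application loads its secret from configuration.
SERVER_SECRET = secrets.token_bytes(32)
# Assumed origin of the application whose forms we want to protect.
APP_ORIGIN = "https://bank.example"


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user text is placed straight into the HTML, so a <script>
    tag in a comment runs in every visitor's browser (stored XSS)."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: html.escape turns <, >, &, and quotes into entities, so the
    browser shows the text instead of interpreting it as markup."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive a token bound to the session; the server embeds it in its own
    forms, so a page on another site cannot know it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_csrf(session_id: str, token, secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison against the expected token for this session."""
    expected = issue_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, token or "")


def handle_transfer(request: dict):
    """Simplified POST handler. `request` is a constructed dict with
    'cookies', 'headers' and 'form' sub-dicts standing in for a real request.
    Returns (status_code, message)."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not logged in"
    # The browser attaches the session cookie to a forged request too, so the
    # cookie alone proves nothing about which page sent the form.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return 403, "cross-origin request rejected"
    if not is_valid_csrf(session_id, request.get("form", {}).get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    print(render_comment_unsafe("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
    sid = "session-123"  # constructed session identifier
    forged = {"cookies": {"session": sid},
              "headers": {"Origin": "https://attacker.example"},
              "form": {"to": "mallory", "amount": "100"}}
    genuine = {"cookies": {"session": sid},
               "headers": {"Origin": APP_ORIGIN},
               "form": {"to": "bob", "amount": "10", "csrf_token": issue_csrf_token(sid)}}
    print(handle_transfer(forged))
    print(handle_transfer(genuine))
```

Note that the forged request is rejected even though it carries the victim's session cookie: the browser sends cookies automatically, so the server needs something the attacker's page cannot supply, here the session-bound token, and the `Origin` check adds a second, independent signal.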
You can read about other types of attacks and how to avoid them on the OWASP site. Sites like hack.me and rozwal.to also let you practise web security hands-on.
Maintaining the Big Open Source Project
Another interesting topic was “Maintaining Big Open Source Project” by Antoni Kępiński. Antoni is a maintainer of node-fetch – an open-source library that brings the window.fetch API to Node.js. It already has 47 contributors. The most important thing for keeping a project in good shape is communication. Node-fetch uses GitHub Issues for tracking new bugs and enhancements. The most popular tools for daily communication are Slack and Spectrum. If there is a need for voice communication, Discord is one of the options. Every big open source project needs an organization that owns its repositories. The typical roles in a GitHub organization are members, who can create and manage repositories and teams; owners, who are the managers of the organization; and billing managers, who can only manage billing settings. The latter brings us to project financing, which is important, especially if the number of contributors is limited. A great platform for collecting and disbursing money transparently is Open Collective. It can be combined with GitHub Sponsors so that the “Sponsor” button appears at the top of the repository. Antoni explained that large projects should have a “Code of Conduct”, a set of rules for all collaborators that helps to keep the project healthy and the community productive. A guide for new contributors is also useful, as are Issue templates, which make reporting and reproducing errors easier.
Business and Open Source
Open Source is good for business. Łukasz Nawrocki in his talk “How big companies affect Open Source – is Open Source still open? Discussion on the example of React Native” started with a bit of history: in the beginning source code was often shared as public-domain software, then companies turned away from free software in favor of a closed-source business model, and then Richard Stallman came up with the GNU General Public License. The latest version of this license is 3.0. It is one of the most popular licenses on GitHub, along with the less restrictive MIT and Apache licenses.
Nowadays hosting Open Source projects has great benefits for companies, such as a better reputation and saved time. There are many business models for open-source software. One of them is Support: Red Hat shares its source code for free and charges for support, maintenance, and deployment. The downsides of this model are that it requires a lot of manual work, that less than 1% of users are paying customers, and that it creates an incentive to write bad code. Another example is Open Core: GitLab has the majority of its codebase open and offers proprietary parts to enterprise customers.
Open Source can also be beneficial for software houses. Marek Tenus in his talk “The impact of Open Source solutions on interpersonal relationships at Software House” presented a variety of benefits of contributing to Open Source. It teaches how to cooperate with people around the world. It is an opportunity to make new acquaintances, form a community and learn from people outside the company.
Summary of Hacktoberfest 2019
This year almost 62 thousand people completed the challenge, 482 thousand Pull Requests were opened and 154 thousand repositories received contributions. A few PRs were also opened during the Poznań meetup.
I left the meetup with several stickers from Free Software Foundation Europe, Hacktoberfest 19, DEV.to community, and DigitalOcean (logo and Sammy the Shark). The last two are sponsors of Hacktoberfest.