Know your OpenSource (FOSS) consumption
Khem Raj, October 10, 2024 #meta

A 2022 Linux Foundation study estimated that 70-90% of any given piece of modern software is made up of open source components.
Did you know that?

If not, you do now: FOSS is the crown jewel, not the other way around. You can gain a lot by using FOSS effectively. You might write the best quality code and follow all good practices for your 30%, but imagine doing the same for the 70%; it will move the needle a lot more in your favor.
Have a strategy for knowing every OSS component the product depends upon. A category of tools called Software Composition Analysis (SCA) tools can build these manifests, and some build systems, such as the Yocto Project, include this information from the day you start using them.
Now, if you have the dependency graph, you will see some of the following:

- Multiple FOSS components providing the same functionality, e.g. libtinyxml2 and libxml2. They may be pulled in by different components, but it would be better to use just one XML parser in the product's software stack.
- Some components might be out of policy. Have a plan to address this effectively.
- Some components are pulled into the stack but are effectively unused; they came in via over-dependencies.
- Sometimes the default feature set enables more than is required, e.g. zstd, xz and lzma dependencies: are they all used in the product? If not, disable them; this also reduces the number of dependencies.
- Finally, consider changing your applications to use common libraries and tools from FOSS; build a recommendation catalog and make it available to the software teams.
- Find the bottlenecks, e.g. a FOSS component that has ceased development, or one for which a replacement is now in place. Have a strategy to remove such bottlenecks; they can cause a lot of grief in due course.
- Find the core FOSS dependencies that are absolutely critical for the products, and find ways to help keep those FOSS projects healthy, for your own good.
- Have a plan to address security vulnerabilities sooner rather than later. It will be required immediately after release.
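As an added illustration (not code from the original post), the first three checks above run over a constructed dependency graph in the shape `bitbake -g` records in pn-depends.dot; the recipe names, licence data and capability buckets are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample graph: recipe -> direct dependencies, in the shape
# `bitbake -g` writes to pn-depends.dot. Names are illustrative only.
DEPS = {
    "product-image": {"app-a", "app-b", "busybox"},
    "app-a": {"libxml2", "libreadline", "zlib"},
    "app-b": {"libtinyxml2", "libarchive"},
    "libarchive": {"zlib", "xz", "zstd"},
    "libxml2": {"zlib"},
    "libtinyxml2": set(), "libreadline": set(), "busybox": set(),
    "zlib": set(), "xz": set(), "zstd": set(),
    "libpng-legacy": {"zlib"},   # built, but nothing in the image needs it
}
# Constructed licence data (a real build takes this from the SBOM/manifest)
LICENSES = {"libreadline": "GPL-3.0-or-later", "busybox": "GPL-2.0-only",
            "libarchive": "BSD-2-Clause", "xz": "0BSD", "zstd": "BSD-3-Clause"}
# Capability each library provides; two libraries in one bucket is duplication
CAPABILITY = {"libxml2": "xml-parser", "libtinyxml2": "xml-parser",
              "zlib": "compression", "xz": "compression", "zstd": "compression"}

def reachable(root):
    """All recipes the product actually pulls in, transitively (BFS)."""
    seen, queue = {root}, deque([root])
    while queue:
        for dep in DEPS.get(queue.popleft(), ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def unused(root):
    """Recipes in the build graph that nothing in the product depends on."""
    return set(DEPS) - reachable(root)

def duplicates(root):
    """Capabilities covered by more than one shipped library."""
    buckets = defaultdict(list)
    for pkg in reachable(root):
        if pkg in CAPABILITY:
            buckets[CAPABILITY[pkg]].append(pkg)
    return {cap: sorted(p) for cap, p in buckets.items() if len(p) > 1}

def out_of_policy(root, denied):
    """Shipped recipes whose licence is on the deny list."""
    return {p for p in reachable(root) if LICENSES.get(p) in denied}

def pulled_by(pkg):
    """Reverse dependencies: which recipes are responsible for dragging pkg in."""
    return sorted(parent for parent, deps in DEPS.items() if pkg in deps)
```

`pulled_by` answers the "who needs this?" question for each flagged library, which is the starting point for deciding whether to drop it, switch it to the common choice, or trim a default feature.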
A strategy that reduces the surface area of FOSS dependencies, and then goes all in on supporting the health of those that remain, is an effective approach that will save you millions of dollars over the life of your products.