How to Choose and Maintain a Secure Open Source Project

news/2024/7/3 0:56:31


A few tricks for assessing the security of an open source project.

There is a rather progressive sect of the software development world called the open source community.


This community believes that most people would be a lot happier and get a lot more work done if they stopped building things that someone else has already built and offered up for free use. They want you to take their stuff.


Besides existing without you having to lift a finger, open source tools and software have some distinct advantages. Especially in the case of well-established projects, it’s highly likely that someone else has already worked out all the most annoying bugs for you.


Thanks to the ease with which users can view and modify source code, it’s also more likely that a program has been tinkered with, improved, and secured over time.


When many developers contribute, they bring their own unique expertise and experiences. This can result in a product far more robust and capable than one a single developer can produce.


Of course, being as varied as the people who build them, not all open source projects are created equal, nor maintained to be equally secure.


There are many factors that affect a project’s suitability for your use case. Here are a few general considerations that make a good starting point when choosing an open source project.


How to choose an open source project

As its most basic requirements, a good software project is reliable, easy to understand, and has up-to-date components and security. There are several indicators that can help you make an educated guess about whether an open source project satisfies these criteria.


Who’s using it

Taken in context, the number of people already using an open source project may be indicative of how good it is.


If a project has a hundred users, for instance, it stands to reason that someone has tried to use it at least a hundred times before you found it. Thus by the ancient customs of “I don’t know what’s in that cave, you go first,” it’s more likely to be fine.


You can draw conclusions about a project’s user base by looking at available statistics. Depending on your platform, these may include the number of downloads, reviews, issues or tickets, comments, contributions, forks, or “stars,” whatever those are.


Evaluate social statistics on platforms like GitHub with a grain of salt. They can help you determine how popular a project may be, but only in the same way that restaurant review apps can help you figure out if you should eat at Foo’s Grill & Bar.


Depending on where Foo’s Grill & Bar is, when it opened, and how likely people are to be near it when the invariable steak craving should call, having twenty-six reviews may be a good sign or a terrible one.


While you would not expect a project that addresses a very obscure use case or technology to have hundreds of users, having a few active users is, in such a case, just as confidence-inspiring.


External validation can also be useful. For example, packages that are included in a Linux operating system distribution (distro) must conform to stringent standards and undergo vetting. Choosing software that is included in a distro’s default repositories can mean it’s more likely to be secure.


Perhaps one of the best indications to look for is whether a project’s development team is using their own project. Look for issues, discussions, or blog posts that show that the project’s creators and maintainers are using what they’ve built themselves. Commonly referred to as “eating your own dog food,” or “dogfooding,” it’s an indicator that the project is most likely to be well-maintained by its developers.


Who’s building it

The main enemy of good open source software is usually a lack of interest. The parties involved in an open source project can make the difference between a flash-in-the-pan library and a respected long-term utility. Multiple committed maintainers, even making contributions in their spare time, have a much higher success rate of sustaining a project and generating interest.


Projects with healthy interest are usually supported by, and in turn cultivate, a community of contributors and users.


New contributors may be actively welcomed, clear guides are available explaining how to help, and project maintainers are available and approachable when people have inevitable questions.


Some communities even have chat rooms or forums where people can interact outside of contributions. Active communities help sustain project interest, relevance, and its ensuing quality.


In a less organic fashion, a project can also be sustained through organizations that sponsor it. Governments and companies with financial interest are open source patrons too, and a project that enjoys public sector use or financial backing has added incentive to remain relevant and useful.


How alive is it

The recency and frequency of an open source project’s activity is perhaps the best indicator of how much attention is likely paid to its security. Look at releases, commit history, changelogs, or documentation revisions to determine if a project is active. As projects vary in size and scope, here are some general things to look for.


Maintaining security is an ongoing endeavor that requires regular monitoring and updates, especially for projects with third-party components. These may be libraries or any part of the project that relies on something outside itself, such as a payment gateway integration.


An inactive project is more likely to have outdated code or use outdated versions of components. For a more concrete determination, you can research a project’s third-party components and compare their most recent patches or updates with the project’s last updates.


Projects without third-party components may have no outside updates to apply. In these cases, you can use recent activity and release notes to determine how committed a project’s maintainers may be.


Generally, active projects should show updates within the last months, with a notable release within the last year. This can be a good indication of whether the project is using an up-to-date version of its language or framework.

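The rules of thumb above (recent commits, a release within the last year, and dependencies whose upstream patches postdate the project's last update) can be turned into a repeatable check. This is an added example, not code from the original article or from any project it mentions; the 180-day commit and 365-day release thresholds and the sample metadata are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds are assumptions based on the article's rule of thumb:
# commits "within the last months", a release "within the last year".
MAX_COMMIT_AGE = timedelta(days=180)
MAX_RELEASE_AGE = timedelta(days=365)
REFERENCE_DATE = date(2024, 7, 3)  # "today" for the constructed sample


@dataclass
class Dependency:
    name: str
    pinned_version: str            # what the project's lockfile/manifest uses
    latest_version: str            # newest upstream version
    latest_upstream_release: date  # when upstream shipped that version


@dataclass
class ProjectActivity:
    name: str
    last_commit: date
    last_release: date
    dependencies: list = field(default_factory=list)


def liveness_findings(project: ProjectActivity, today: date) -> list:
    """Return human-readable staleness findings; an empty list means nothing looked stale."""
    findings = []
    commit_age = (today - project.last_commit).days
    release_age = (today - project.last_release).days
    if commit_age > MAX_COMMIT_AGE.days:
        findings.append(f"no commits for {commit_age} days")
    if release_age > MAX_RELEASE_AGE.days:
        findings.append(f"no release for {release_age} days")
    for dep in project.dependencies:
        # The article's dependency check: an upstream patch newer than the
        # project's own last update, which the project has not picked up,
        # is a candidate unpatched third-party component.
        if dep.pinned_version != dep.latest_version and dep.latest_upstream_release > project.last_commit:
            findings.append(f"{dep.name} pinned at {dep.pinned_version}; upstream {dep.latest_version} "
                            f"shipped {dep.latest_upstream_release}, after the project's last commit")
    return findings


# Constructed sample data (not a real project or real dependencies).
SAMPLE = ProjectActivity("example-lib", last_commit=date(2023, 11, 1), last_release=date(2023, 6, 1),
                         dependencies=[Dependency("tls-wrapper", "1.4.2", "1.4.3", date(2024, 2, 10)),
                                       Dependency("json-parse", "2.0.0", "2.0.0", date(2023, 5, 1))])
FRESH = ProjectActivity("fresh-lib", last_commit=date(2024, 6, 20), last_release=date(2024, 3, 1),
                        dependencies=[Dependency("json-parse", "2.0.0", "2.0.0", date(2023, 5, 1))])


def demo_findings() -> list:
    """Run the check on the constructed sample as of the reference date."""
    return liveness_findings(SAMPLE, REFERENCE_DATE)


if __name__ == "__main__":
    for line in demo_findings():
        print("-", line)
```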

You can also judge how active a project may be by looking at the project maintainers themselves. Active maintainers quickly respond to feedback or new issues, even if it’s just to say, “We’re on it.”


If the project has a community, its maintainers are a part of it. They may have a dedicated website or write regular blogs. They may offer ways to contact them directly and privately, especially to raise security concerns.


Can you understand it

Having documentation is a baseline requirement for a project that’s intended for anyone but its creator to use. Good open source projects have documentation that is easy to follow, honest, and thorough.


Having well-written documentation is one way a project can stand out and demonstrate the thoughtfulness and dedication of its maintainers.


A “Getting Started” section may detail all the requirements and initial set up for running the project. An accurate list of topics in the documentation enables users to quickly find the information they need. A clear license statement leaves no doubt as to how the project can be used, and for what purposes.


These are characteristic aspects of documentation that serves its users.


A project that is following sound coding practices likely has code that is as readable as its documentation. Code that is easy to read lends itself to being understood. Generally, it has clearly defined and appropriately-named functions and variables, a logical flow, and apparent purpose. Readable code is easier to fix, secure, and build upon.


How compatible is it

A few factors will determine how compatible a project is with your goals. These are objective qualities, and can be determined by looking at a project’s repository files. They include:


  • Code language
  • Specific technologies or frameworks
  • License compatibility

Compatibility doesn’t necessarily mean a direct match. Different code languages can interact with each other, as can various technologies and frameworks. You should carefully read a project’s license to understand if it permits usage for your goal, or if it is compatible with a license you would like to use.


Ultimately, a project that satisfies all these criteria may still not quite suit your use case. Part of the beauty of open source software, however, is that you may still benefit from it by making alterations that better suit your usage. If those alterations make the project better for everyone, you can pay it back and pay it forward by contributing your work to the project.


Proper care and feeding of an open source project

Once you adopt an open source project, a little attention is required to make sure it continues to be a boon to your goals.


While its maintainers will look after the upstream project files, you alone are responsible for your own copy. Like all software, your open source project must be well-maintained in order to remain as secure and useful as possible.


Have a system that provides you with notifications when updates for your software are made available. Update software promptly, treating each patch as if it were vital to security – it may well be.


Keep in mind that open source project creators and maintainers are, in most cases, acting only out of the goodness of their own hearts. If you’ve got a particularly awesome one, its developers may make updates and security patches available on a regular basis. It’s up to you to keep tabs on updates and promptly apply them.


As with most things in software, keeping your open source additions modular can come in handy. You might use git submodules, branches, or environments to isolate your additions. This can make it easier to apply updates or pinpoint the source of any bugs that arise.


So although an open source project may cost no money, caveat emptor, which means, “Jimmy, if we get you a puppy, it’s your responsibility to take care of it.”


Translated from: https://www.freecodecamp.org/news/how-to-choose-and-care-for-a-secure-open-source-project/
