Some background: I’m a software developer, and I’ve never really participated in the open source software community before. (i.e. I don’t contribute to open source projects, I don’t know anyone who does, and I don’t really know anything about the companies who start these projects to begin with, or what their motivations are for being open source.)
I’m currently trying to find software that my team at work can use to solve a particular problem we have. After doing some googling, it looks like this open source product called OpenReplay is a good fit for what we need: https://openreplay.com/
But when I first visited that website, I noticed that the background artwork looks AI generated. This made me feel skeptical of the project, and it makes me wonder: what if it’s actually a huge scam and it’s actually malware? For example, maybe OpenReplay is actually a copy of a different legitimate product that I’m not aware of. Maybe all of the stars, forks, and discussions on the GitHub page are from fake accounts. When I Google OpenReplay, there aren’t a whole lot of results. How do I know if it’s trustworthy if I can’t find an authoritative source telling me it is?
Maybe I’m just being paranoid. But this is basically the first time in my career where I’ve tried to vet a new piece of software for my team to use, and I want to make sure I’m doing it right. How do you know when a product like this can be trusted?
EDIT: I don’t mean to cast doubt on OpenReplay specifically, I’m just using that as an example because it’s the product I’m currently looking into. My question applies to any piece of software that isn’t widely known about.
Personally I wouldn’t trust it.
First red flag🚩: there’s an “enterprise” self hosted version.
Second red flag🚩: It isn’t open source, the licensing structure is confusing 🚩, but it appears to be at best some mix of source available🚩 and open core🚩 (core available?).
Can you explain why the enterprise version is a red flag? Would you expect the company to make money some other way?
A lot of people who are into open source only consider some licenses to be ‘real’ open source licenses. For example MIT or GPL are FOSS, no question. But there are a whole range of other spins on the open source concept that many consider to be tools of for-profit companies freeloading on the FOSS movement. Open Reply uses the Elastic License, which is one of those. As such, some developers would not consider supporting them and consider them untrustworthy.
This is a different kind of trust than what you were referring to, though. As a consumer / user of the software you might not care about how they treat their volunteer developers as it has no direct bearing on any risks you have.
A lot of people who are into open source only consider some licenses to be ‘real’ open source licenses. For example MIT or GPL are FOSS, no question. But there are a whole range of other spins on the open source concept that many consider to be tools of for-profit companies freeloading on the FOSS movement. Open Reply uses the Elastic License, which is one of those. As such, some developers would not consider supporting them and consider them untrustworthy.
This is a different kind of trust than what you were referring to, though. As a consumer / user of the software you might not care about how they treat their volunteer developers as it has no direct bearing on any risks you have.
It’s not a big red flag, but it indicates that the product is not fully open source. You can get the full community edition from Github, but for the Self-hosted Enterprise version you have to contact sales.
So all the Enterprise features are most likely closed source, and when you buy/license it, you’ll just get the compiled version. And since their Cloud hosting model has a “Per 1,000 sessions/mo” model, their Enterprise self hosted model might have that as well. So it’ll have some kinda DRM/License managing, and maybe a “call home” to check your license or usage every once in a while
The point of the license combination they use is to allow the enterprise version to be open and live in the same repo as everything else. Dunno if that’s what they do, but that’s why the elastic license exists.
A lot of people who are into open source only consider some licenses to be ‘real’ open source licenses. For example MIT or GPL are FOSS, no question. But there are a whole range of other spins on the open source concept that many consider to be tools of for-profit companies freeloading on the FOSS movement. Open Reply uses the Elastic License, which is one of those. As such, some developers would not consider supporting them and consider them untrustworthy.
This is a different kind of trust than what you were referring to, though. As a consumer / user of the software you might not care about how they treat their volunteer developers as it has no direct bearing on any risks you have.
A lot of people who are into open source only consider some licenses to be ‘real’ open source licenses. For example MIT or GPL are FOSS, no question. But there are a whole range of other spins on the open source concept that many consider to be tools of for-profit companies freeloading on the FOSS movement. Open Reply uses the Elastic License, which is one of those. As such, some developers would not consider supporting them and consider them untrustworthy.
This is a different kind of trust than what you were referring to, though. As a consumer / user of the software you might not care about how they treat their volunteer developers as it has no direct bearing on any risks you have.