
How to add a library to the project?

I read an article by a colleague, Andrey2008, about adding libraries to a project, or more precisely about resistance to adding them, and decided to describe the checklist that I use when working with third-party components. Over the past 10 years my ratio of decisions in favor of ready-made versus written from scratch has roughly fit the notorious 80/20, though maybe I have just been lucky.

License


Unfortunately, large companies usually have an explicit ban on the GPL / LGPL and some other licenses. This prohibition usually comes from the department of intellectual property and patents, and it is almost impossible to overcome. Sometimes dual licensing (GPL / LGPL and a paid commercial license) can be a way out, but it is often easier to look for another option.

Money


It doesn't matter whether you work in a garage startup or a huge corporation: time is money. Ask your developers to estimate how long it will take them to integrate a new library compared to writing the same functionality from scratch. Multiply the second by three. Apply all possible factors and you get a business case. If writing from scratch will take at least a man-week more, it is unlikely to pay off.

Alternatives


Require developers to present at least two alternatives to the proposed component, with an analysis of their advantages and disadvantages. Since few people know three different libraries for each piece of functionality, this will force people to talk to each other. In the course of that conversation, things from previous projects often come up, or preferable alternatives are offered.

Community


Be sure to check how active the developer community of the component is. If it comes from a big company or is a popular Open-Source project, look for blogs and other publications dedicated to it and look at the dates. This will help you understand how interesting the library or component is to both its users and its developers, and how it is evolving.

Support


Continuing the previous point: is there official support (both free and paid)? Even when just integrating a component, it is often easier to pay one of the authors 100-200 dollars for a couple of hours of support than to wrestle with which version of Python is needed to run some tricky scripts without which it does not compile.

Code


For Open-Source, look at the code and check it with at least a simple static analyzer. If the code is unreadable, poorly structured, has no comments, or the analyzer complains about multiple problems, it is better to reject it immediately.

At the same stage, check where the code is available at all: if it is on GitHub, that is one thing; if it is on a university homepage, that is quite another.
If you decide to add something, save all of its source code and verify that it builds and works from these sources. I know a library for .NET with five incompatible forks, and the version numbering is the same.
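One way to act on this advice, as an added example (not code from the original article): record a SHA-256 manifest of the saved sources at review time and compare against it later, so that two forks carrying the same version number are still told apart. The library name `somelib`, the directory layout and the file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_manifest(root: Path) -> dict[str, str]:
    """Map each file's POSIX-style relative path to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def tree_digest(manifest: dict[str, str]) -> str:
    """Single identifier for the whole tree, independent of any version label."""
    h = hashlib.sha256()
    for rel in sorted(manifest):
        h.update(f"{manifest[rel]}  {rel}\n".encode("utf-8"))
    return h.hexdigest()


def diff_manifests(pinned: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files that were added, removed or modified since the pin."""
    return {
        "added": sorted(set(current) - set(pinned)),
        "removed": sorted(set(pinned) - set(current)),
        "modified": sorted(p for p in pinned.keys() & current.keys() if pinned[p] != current[p]),
    }


def demo() -> tuple[bool, dict[str, list[str]]]:
    """Constructed sample: two forks, both labelled 1.2.0. Returns (digest_changed, diff)."""
    with tempfile.TemporaryDirectory() as tmp:
        vendored = Path(tmp) / "vendor" / "somelib"   # hypothetical library name
        (vendored / "src").mkdir(parents=True)
        (vendored / "VERSION").write_text("1.2.0\n")
        (vendored / "src" / "parser.c").write_text("int parse(void) { return 0; }\n")
        pinned = tree_manifest(vendored)              # stored at review time
        # Another fork lands later: same VERSION file, different sources.
        (vendored / "src" / "parser.c").write_text("int parse(void) { return 1; }\n")
        (vendored / "src" / "extra.c").write_text("void hook(void) {}\n")
        current = tree_manifest(vendored)
        return tree_digest(pinned) != tree_digest(current), diff_manifests(pinned, current)


if __name__ == "__main__":
    print(demo())
```

Storing the pinned manifest next to the saved sources and running the comparison in CI turns a silent fork swap into a failing build.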

Responsible


Who is responsible for the added code, and how? This could be the specific person who added it, his entire scrum team, the ambulance team on duty or someone else, but if “something goes wrong” in the integration, in tests, or in subsequent code updates on other developers' machines, it must be known whom to contact.

Design and documentation


Each component or library requires at least a one-page document describing the basic agreements about its use. Unless it is some kind of framework, it is useful to explicitly prohibit the use of its data types anywhere other than in a “wrapper” around it. For example, HTTP clients like to define constants for the returned status; if you use them "as is" in the logic of your application, you will have to change a bunch of classes when replacing the library.

Technical documentation and deadlines


Many companies require each library to be verified by the IP and patent departments and scanned by security code analyzers; only after that is formal permission to use it issued. Some of them keep archives of popular components, but usually only certain versions are stored there. Also, some licenses require that the product documentation state the use of the relevant libraries, and some, by contrast, prohibit such references.

One way or another, it can take quite a while to resolve all of this, so if a release is imminent, it is better to set a deadline for adding new components in order to be in time.

I hope that this checklist will help you make informed decisions and "reinvent the wheel" only where it really makes sense.

Source: https://habr.com/ru/post/275485/

