Would you rely on a Chinese-backed OSS component?
2 points by null123 1295 days ago
My team is evaluating different approaches to reworking the core of our app. One of the approaches is replacing a key component with an OSS one.

One of the fitting replacements is an OSS project originally developed, open sourced, and currently maintained by a Mainland China-based organization/contributors.

This brought a lot of questions since we operate within the EU.

Being part of 'the West', would you accept the risk, evaluate the project, and eventually rely on it as a key component of your app or dismiss it immediately?

2 comments

>Being part of 'the West', would you accept the risk, evaluate the project, and eventually rely on it as a key component of your app or dismiss it immediately?

Wrong order.

I evaluate the project before accepting the risk. You need to evaluate the project in order to analyze the risks, and you need to have analyzed the risks in order to make a responsible decision on accepting them. With an in-depth code review, it shouldn't be too difficult to discover whether anything nefarious is afoot. As long as there isn't, I'd feel comfortable including that version, albeit without any kind of auto-updating (I'd want to review code changes before running the updated code).

Of course, we are looking through diffs between major versions for all our dependencies, right? And sitting on the relevant mailing lists for dependencies too, right?

Does the code look workable? If you needed to make patches, can you? Etc. etc.
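The practice this comment describes (take a reviewed version, pin it, and refuse to run an update until its diff has been read) as an added example; this is not code from the thread or from any project mentioned in it. The directory trees, file names and pinned digest are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread: vendor a dependency at a reviewed
# version, pin it by content digest, and treat any drift from that pin as
# "needs review" rather than as an automatic update.

# sha256 of stdin, using whichever tool the host has (sha256sum or shasum).
sha256_of_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else shasum -a 256 | cut -d' ' -f1; fi
}

# Digest of a whole directory tree: sorted "path  sha256" lines, hashed again.
dir_digest() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
      printf '%s  ' "$f"; sha256_of_stdin < "$f"
    done ) | sha256_of_stdin
}

# check_pin CANDIDATE PIN REVIEWED: returns 0 when CANDIDATE matches the pinned
# digest; otherwise prints the diff against the last reviewed copy and returns 1,
# so a CI job fails instead of silently adopting the new upstream code.
check_pin() {
  candidate=$1; pin=$2; reviewed=$3
  actual=$(dir_digest "$candidate")
  if [ "$actual" = "$pin" ]; then
    echo "OK: $candidate matches pinned digest"
    return 0
  fi
  echo "REVIEW REQUIRED: $candidate digest $actual != pinned $pin"
  diff -ru "$reviewed" "$candidate" || true   # diff exits 1 on differences
  return 1
}

# Constructed sample: the reviewed release and an upstream update that changes
# one file. Prints the temp dir holding both trees.
make_sample() {
  t=$(mktemp -d)
  mkdir -p "$t/reviewed/src" "$t/update/src"
  printf 'export function parse(s) { return s.trim(); }\n' > "$t/reviewed/src/parse.js"
  printf 'export function parse(s) { log(s); return s.trim(); }\n' > "$t/update/src/parse.js"
  echo "$t"
}

if [ "${1:-}" = "demo" ]; then
  T=$(make_sample); PIN=$(dir_digest "$T/reviewed")
  check_pin "$T/reviewed" "$PIN" "$T/reviewed"
  check_pin "$T/update" "$PIN" "$T/reviewed"
fi
```

Run with `sh pin_check.sh demo` to see the pinned copy pass and the changed upstream copy fail with its diff printed for review.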

"Risk" feels like a poor choice of word, considering countries like Australia can force any of their citizens to put a backdoor into any software they have access to. This risk has nothing to do with CN/nonCN lines, but on the laws of each and every country.

And that doesn't stop protest-based updates either from other developers in "safe" countries. Which seems to be way more likely.