Choosing tools wisely
managing security & dependencies

Choosing (Open Source) tools

🔬 Joanna needs to analyse some images from a microscope in her lab.

She finds five different tools that provide the features she needs for her analysis. How should she choose between them?

Are you allowed to use it? (Licence)

Publicly available code doesn't mean you are allowed to use it.

Where to find the licence?

  • Files such as LICENSE, COPYING, COPYRIGHT (repositories highlight those; e.g., on GitHub, on GitLab).
  • Comments on the top of the source code.

    # SPDX-FileCopyrightText: 2026 project-x contributors
    # SPDX-License-Identifier: MIT-0
    
  • Through an acceptance menu when installing it.

Can you use it? (Requirements)

  • Operating System
  • Hardware requirements (e.g., needs a GPU)
  • Installation permissions (e.g., on a university administrated machine)
  • You have the required dependencies

Is it documented?

  • Does the documentation exist?
  • Is it understandable? (Diátaxis)
  • Is the documentation up to date?

Is the software maintained?

  • Are versions released? (do they follow a pattern?)
  • Is it actively developed?
  • How many people are involved? (e.g., on GitHub: contributors graph)

Can you get help?

Is the software correct? (tested)

Is it fast? (performance)

  • Do they provide some examples?
  • Do they compare with others? (e.g., uv comparison)

As a developer:

  • Language / readability
  • Contributions accepted
  • Open developed (decision making)

Security

Do you trust it?

  • The site from where you download it?
  • Checksums (e.g., SHA-256) to verify that what you downloaded is what they say it is (e.g., GIMP downloads page)

    sha256sum package.py
    

Careful!

  • download and install instructions

    /bin/bash -c "$(curl -fsSL https://software.com/install.sh)"
    
  • asked to install it as admin (e.g., sudo)
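An added example (not part of the slides) that combines the two points above: download the installer to a file, compare its SHA-256 with the hash published on the project's download page, and only run it if they match, instead of piping curl straight into bash. The URL and expected hash in `install_verified` are placeholders you replace with the project's own values.

```shell
#!/bin/sh
# Added example, not from the slides: verify a download before installing it.

# Print the SHA-256 of a file using whichever tool the OS provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS
    fi
}

# verify_sha256 FILE EXPECTED_HASH -> returns 0 if they match, 1 otherwise.
# Hashes are compared case-insensitively, since download pages differ.
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH for $1" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Fetch, verify, and only then run. A mismatch deletes the file so it cannot
# be executed by accident later. (URL and hash are placeholders.)
install_verified() {
    url=$1; expected=$2; file=${3:-install.sh}
    curl -fsSL -o "$file" "$url" || return 1
    verify_sha256 "$file" "$expected" || { rm -f "$file"; return 1; }
    sh "$file"
}

# Usage (placeholders):
# install_verified https://software.example/install.sh <hash-from-download-page>
```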

Isolation

  • Virtual Machine
  • Containers

Dependencies

Find them

  • dependency requirements
  • rabbit hole: it-depends

As a developer

  • Licenses: are they compatible? compatibility matrix
  • Version pinning. Specify which versions are required in your software
  • Run tests with development versions of your dependencies

ARC

Open Source Programme Office

What questions do you have?
