
Backyourstack: discover and sponsor your open-source dependencies - vvoyer
https://backyourstack.com/
======
oliwarner
> If you want to analyze non-public repositories, sign in with your GitHub
> account

Do people really expose their or their employer's source code to random third
party convenience services?

I do understand the convenience factor here, I just think it's dodgy to
encourage developers to be so flippant with privileged access.

~~~
dschep
It also has the option to upload a package.json which is far less exposure,
and can easily be tweaked to omit anything sensitive.

~~~
oliwarner
It's still not no-exposure, and it's still getting a developer in the mindset
that just sending out files on a whim is okay.

I'm not wholly against this sort of stuff, I'm sure we've used similar links
in the past for CI and coverage, but it seems to be the end of the slope,
where we're handing out access to our stuff for something _so_ frivolous. This
is the same sort of mechanism that got everybody and their dog's copies of
Windows XP infected with trojans in the early 2000s. "Sure, I'll install that
toolbar, just let me see Britney naked".

This could be a local, auditable script that fetched a static list of projects
seeking funding.
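
The two points made above (dschep's, that an uploaded package.json can be trimmed to omit anything sensitive, and oliwarner's, that the whole thing could be a local, auditable script matching against a static list of projects seeking funding) are illustrated by the following added example. It is written for this page and is not backyourstack's code or any commenter's. It assumes the static funding list is a plain JSON object keyed by ecosystem and then package name; the funding URLs and both manifests below are constructed samples, not real collectives or projects.

```javascript
// Added example, not code from backyourstack or any commenter: a local,
// auditable scan of a dependency manifest that never leaves the machine.
// It handles npm (package.json) and Composer (composer.json) manifests,
// matches dependency names against a static funding list, and produces a
// redacted manifest that exposes nothing but dependency names.

// Sections that name dependencies in each manifest format.
const SECTIONS = {
  npm: ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'],
  composer: ['require', 'require-dev'],
};

// Composer manifests use "require"; npm manifests use "dependencies" etc.
function detectEcosystem(manifest) {
  if (SECTIONS.composer.some((s) => s in manifest)) return 'composer';
  if (SECTIONS.npm.some((s) => s in manifest)) return 'npm';
  throw new Error('unrecognized manifest: no dependency sections found');
}

// Composer's "require" also lists platform requirements (php, ext-*, lib-*)
// that are not installable packages; real packages are always vendor/name.
function isComposerPlatformRequirement(name) {
  return !name.includes('/');
}

// Parse a manifest and return its dependency names, de-duplicated and sorted.
// Only names are extracted: a funding lookup needs nothing else.
function extractDependencies(manifestText) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (err) {
    throw new Error(`manifest is not valid JSON: ${err.message}`);
  }
  const ecosystem = detectEcosystem(manifest);
  const names = new Set();
  for (const section of SECTIONS[ecosystem]) {
    for (const name of Object.keys(manifest[section] || {})) {
      if (ecosystem === 'composer' && isComposerPlatformRequirement(name)) continue;
      names.add(name);
    }
  }
  return { ecosystem, names: [...names].sort() };
}

// Match names against a static funding list shaped as
// { ecosystem: { packageName: fundingUrl } }, which the caller can pin in
// the repo and read in full before anything runs.
function matchFunding(scan, fundingList) {
  const table = fundingList[scan.ecosystem] || {};
  return scan.names
    .filter((name) => Object.prototype.hasOwnProperty.call(table, name))
    .map((name) => ({ name, url: table[name] }));
}

// Keep only the dependency sections, drop every other field (project name,
// description, scripts, repository, registry config, authors) and replace
// version constraints with "*", so a shared copy reveals only package names.
function redactManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  const ecosystem = detectEcosystem(manifest);
  const redacted = {};
  for (const section of SECTIONS[ecosystem]) {
    if (!manifest[section]) continue;
    redacted[section] = Object.fromEntries(
      Object.keys(manifest[section]).map((name) => [name, '*'])
    );
  }
  return JSON.stringify(redacted, null, 2);
}

// Constructed sample data: placeholder funding URLs and made-up manifests.
// The npm manifest deliberately carries an internal hostname in "scripts" to
// show what redaction removes.
const SAMPLE_FUNDING_LIST = {
  npm: { express: 'https://example.invalid/collective/express' },
  composer: { 'monolog/monolog': 'https://example.invalid/collective/monolog' },
};
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: '@acme/internal-billing',
  private: true,
  scripts: { deploy: 'rsync -a dist/ deploy@prod-01.internal:/srv/billing' },
  dependencies: { express: '^4.16.0', lodash: '^4.17.10' },
  devDependencies: { jest: '^23.0.0' },
});
const SAMPLE_COMPOSER_JSON = JSON.stringify({
  name: 'acme/internal-crm',
  require: { php: '>=7.1', 'ext-json': '*', 'monolog/monolog': '^1.23' },
  'require-dev': { 'phpunit/phpunit': '^7.0' },
});

for (const text of [SAMPLE_PACKAGE_JSON, SAMPLE_COMPOSER_JSON]) {
  const scan = extractDependencies(text);
  console.log(`${scan.ecosystem}: ${scan.names.join(', ')}`);
  for (const hit of matchFunding(scan, SAMPLE_FUNDING_LIST)) {
    console.log(`  seeking funding: ${hit.name} -> ${hit.url}`);
  }
}
console.log(redactManifest(SAMPLE_PACKAGE_JSON));
```

Nothing here performs a network request; if the funding list is fetched rather than vendored, that fetch is the only outbound traffic, and it carries no information about the project. The redacted output is what one would hand to a third-party service if uploading something is unavoidable.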

~~~
thatjsguy
To be fair, I don’t think this is intentionally bad privacy-wise. I think
that, uh, a lot of the JavaScript set doesn’t actually know how to write code
that doesn’t involve uploading shit to websites. When all you have is a
hammer...

------
JanisL
Interesting project, would be great if this supported more than just JS
projects, I'd be very interested to see some of the dependencies that my
current business relies upon.

~~~
XiZhao
Kevin from [https://fossa.io/](https://fossa.io/) here.

We have an open source project just for this:
[https://github.com/fossas/fossa-cli](https://github.com/fossas/fossa-cli). It
currently supports roughly 20+ build systems and languages, and pairs with our
web service for license and vulnerability discovery.

Would love your feedback.

~~~
remram
You claim this is open-source, however I don't see an easy way to run this
myself without relying on your infrastructure and signing up for an account
there. Your "analyse locally" option requires an API key and is therefore very
much misnamed.

------
fs111
Can we add javascript to the title? It is a bit misleading without it.

~~~
deadbunny
Yup, tested it out on a few python projects I have/use and it has 0
dependencies listed which is very, very wrong.

~~~
znarfor
We effectively don't support Python yet but it should not be far away. It's
100% Open Source and we're looking for contributions.
[https://github.com/opencollective/backyourstack/issues/34](https://github.com/opencollective/backyourstack/issues/34)

~~~
ajdlinux
Understandable that you're adding support for languages and packaging
ecosystems as you go, and JS + PHP is as good a place as any to start, but it
would be helpful if this were explicitly highlighted. For those who are
unfamiliar with the ecosystems in question, package.json and composer.json are
just filenames that don't actually tell you anything.

~~~
anoncoward111
It would be helpful, and the site creator should list it. However, let's not
treat this as a fault. They're offering you a free service and can't launch
with every issue already resolved before being identified.

~~~
ajdlinux
Re-reading my comment I can see it reads a bit like that - I totally don't
intend any notion that I expect everything to be perfect, I'm an open source
developer myself and as you say we don't expect every issue to be resolved
instantly!

~~~
anoncoward111
I was probably overly harsh and judgmental in my comment towards you. Glad we
are in agreement!!!

------
kanzure
I've been wondering whether a for-pay alternative to the open-source ecosystem
could be developed.

The problem seems to be that open-source gratis software contributes nearly
zero friction to a company building out its tech, so any alternative would
have to compete against that near-zero friction. I just don't see each company
negotiating separate prices with 100,000 package maintainers to use all of
their software on a custom linux distro just for one of their internal servers
or whatever. It's a tremendous amount of friction for each company to bear.

If that friction could be eliminated, while keeping a requirement to pay for
use of the software, then I think a non-gratis ecosystem could dwarf the
gratis software world within two or three years from its launch.

~~~
wongarsu
How would that be different from the regular Microsoft Ecosystem?

I can spin up a quick test server using Windows Server, running an IIS
webserver and Microsoft SQL Server, with my software stack written in C#,
programmed in Visual Studio. It covers pretty much everything I could need,
and involves ordering à la carte instead of negotiations.

Obviously it costs more and unless I spin up a cloud server I can't "just spin
up a server" without making sure I have enough licences etc. But AWS/GCP/Azure
solve that mostly.

~~~
kanzure
My understanding is that Microsoft does not auto-publish+sell third-party
libraries in a package repository. So the difference is basically the
distinction made in the old cathedral/bazaar analogies.

~~~
wongarsu
They do have nuget for packages, but that doesn't have an integrated payment
system. Despite this, there are plenty of paid C# packages you can buy around
the web.

------
adrianN
A similar tool with a focus on license compliance is fossology:
[https://www.fossology.org/](https://www.fossology.org/)

------
hnruss
Great idea! It's nice to see an easy way to support open-source software.

Regarding funding open-source software: Companies I've worked for have all
been OK with purchasing licenses for software that saves development time.
They've also been careful to abide by software license terms. I'm surprised
that more open-source libraries/frameworks don't require the purchase of a
commercial license in order to use them commercially.

------
jhare
I think we need less "awareness" and promotion, just more work on people's
parts. Seems these projects are asking for a magic bullet to improve their
stacks but find it's missing in their own time and efforts.

------
nickjj
I tried putting in my GitHub account on the home page just to see what would
happen.

I didn't create an account or sign in, but it created a public profile on your
domain using my name without my consent.

Is there any way to remove that?

~~~
znarfor
In that case, it's just reading the public data from GitHub on demand, there
is no account, nothing stored.

~~~
nickjj
Ah ok, it looked like maybe it was created and cached and then publicly
accessible at backyourstack.com/foo since that's the URL it forwards you to.

You might want to anonymize that URL for accounts who don't sign up just for
clarity.

------
rubbingalcohol
This is a great tool, and going to keep tabs on it for future use. I
appreciated the package.json upload for my private repos. Kudos to whoever
built it!

------
phyzome
« 56 repositories depending on 0 Open Source projects. »

Well, that's not true. Maybe you could indicate which package systems you
actually are able to analyze?

~~~
znarfor
You're right, it's common feedback we get; we even have an issue opened for
that:
[https://github.com/opencollective/backyourstack/issues/57](https://github.com/opencollective/backyourstack/issues/57)
We explain what we support in the FAQ but that's not enough. What languages /
package managers are you expecting?

~~~
phyzome
Common ones, I suppose! I have projects involving Java, Python, and Clojure.
Of those, I would expect the first two to be covered by a generic dependency
analyzer.

(It's fine if it doesn't, but it would be nice to know up front.)

------
themtutty
The site offers to analyze your composer.json file, but doesn't seem to
identify even popular libs like Monolog and Doctrine.

~~~
znarfor
Monolog and Doctrine should be properly detected. After that, we need to match
detected dependencies with fundraising strategies (today Open Collective, in
the future Patreon and others). Maybe this is why they're not appearing in the
"Projects Requiring Funding" section. Feel free to submit an issue on GitHub
and we can look at that in detail.

------
hucker
This is a really good idea! I assume support for more languages / package
managers is coming?

------
mirekrusin
It would be nice if you could paste package-lock file for private repos.

~~~
kubami
You can do that! Check out the section below the button.

------
cavneb
This is absolutely amazing!!

