A development company sold us an open source ASP.Net Starter Kits

We are a non-profit organization that paid over $30,000 to a development company to build us a public Website.

The development company delivered the donation portion of the website as a separate application. After looking at the source code I discovered it to be the open source PayPal eCommerce Site Starter Kit available from ASP.Net or http://dashcommerce.org/. They made a few minor modifications but most of the code is unchanged.

What would your reaction be and how would you respond?
dmoss123 asked:

tuttlepc commented:
That's a double-edged sword.... I would recommend, if they offer, staying on a maintenance contract and being sure they keep up to date with the latest threats and security vulnerabilities out there... open source means you also have a lot more people (sometimes) discovering holes or even better ways of getting the job done...

Back up your data.. keep it offsite, and don't store complete financial data, i.e. the entire credit card number etc.... limit your liability...

tuttlepc commented:
As long as it's working I would think you should be happy? ... is the site fast and efficient? is it delivering all of your needs? .....

if you're answering yes to all of those questions.... then that's good....

On a side note... the only real discussion I would see that would not cause problems would be on the topic that you would have liked to have known they were using open source software prior (and they may have already had it in their fine print... so go over your contract) ...

Joel Coehoorn, Director of Information Technology, commented:
A few thoughts:

1) Software development is all about doing everything possible to avoid re-inventing the wheel.  Even when you build something completely 'from scratch', you're still relying on a massive amount of work done by others.  This includes everything from the classes provided in the .Net Framework runtime, to features of the web server, to the underlying operating system API, to 3rd party controls.  You would be a poor software developer to ignore an open source project with an acceptable license that gets you 80% there.

2) Whether a web site is successful often has more to do with its appearance than its function.  They will certainly have spent a lot of time getting the look of your site correct, and the donation section is only one portion of the site.  If using an open source project as a starting point allowed them to devote more resources elsewhere, then you should be happy.

3) It's not easy to make even minor changes to complicated software projects.  There's a good chance that they were already familiar with the project, in which case that expertise is part of what you paid for.  That's no different than how you pay any other professional.  You'll pay a mechanic $200 to tighten a nut, because he knows which nut needs tightening.  In this case, you asked them to give you a certain product and agreed on a price.  They delivered.  There's really nothing else to say.

4) One thing I would be concerned with is licensing.  If you're using open source code, and changes were made to that code, depending on the license under which that code is released they may have obligations to give their changes back to the original project.  If that's not done, as the owner of the web site that obligation could fall to you.  You're almost certainly okay here, as any modifications are probably specific to your organization.  But it's something to be aware of.

5) Assuming the project has an acceptable license, it's still important that they be open about its use, even if it's just in fine print.  This information could be important to you for several reasons, including if that project is found to have a security vulnerability, if it gets a significant upgrade you may be able to take advantage of, or when it comes time to start adding new features.  But as long as it's in the documentation somewhere, even if it's buried pretty deep, this is no big deal.

In summary:  It's not a big deal that they based a significant portion of their work on an open source project.  You agreed on a price, they delivered.  It is bad if they are being deceptive about it.  Either way, this isn't a valid reason to withhold any payment.

dmoss123 (author) commented:
What about security? The entire world has access to our source code and it would not be difficult for a hacker who is familiar with the Starter Kits to determine that's what our site is built from.

Joel Coehoorn, Director of Information Technology, commented:
> What about security? The entire world has access to our source code and it would not be difficult for a hacker who is familiar with the Starter Kits to determine that's what our site is built from.

I did mention that briefly (see point #5), but it's mostly a non-issue.  There are millions of sites running open source software with no problems.  Looking at this project's web site they have a page that lists a few people using their software.  There aren't many and they're all pretty small, but this looks like a relatively young product.  DotNetNuke is another example of an open source platform for asp.net, and they have thousands, if not hundreds of thousands, of users.

The main thing is that I would be more inclined to trust a public open source project to be secure than I would trust some one-off job any day.