Last week, Tidelift co-founders Donald Fischer and Luis Villa sat down with a panel of industry thought leaders including RedMonk analysts Stephen O’Grady and Rachel Stephens, Open Source Program Leader at Fannie Mae John Mark Walker, and Director of Open Source at Indeed Duane O'Brien. Together they discussed the outlook for open source software supply chain security in 2023 and what their predictions might mean for commercial organizations, maintainers, and more. Below are some highlights, or you can watch the webinar on-demand now.
Defining the open source software supply chain
The panel set out right away to define the open source software supply chain. The term itself may not be new to some, but agreeing on what we mean by it was an ideal starting point.
Donald started, “Open source software supply chain has become a common turn of phrase—it feels like [this past year was] the first time that many open source creators started considering themselves as potentially part of somebody else's organizational supply chain.”
Rachel added, “...in the context of open source and this global community that is all working together towards software that can function everywhere for everyone, it creates some questions around how this is all going to continue and continue working.”
Luis wondered whether open source creators and maintainers actually even know or signed up to be a part of a software supply chain. “A phrase that we started using a little bit internally is this notion of the accidental supply chain. [...] We [the open source community] removed the friction which meant we could remove the structure, but that means we had these accidental implications that we're still very much thinking through. [For example], accidentally basing our entire government and an economy on [open source software], [made maintainers] accidentally become individual linchpins to this whole system. Switching from accidental to intentional [supply chain]—it's going to be a huge sea change for all of us. And that's not just the 2023 thing…that's going to be the task of many years.”
The response to federal guidelines
With governments in the US and around the world setting deadlines and enforcing guidelines to increase software supply chain security in 2022, it was unsurprising to hear the panel predict that the ramifications of these policies would come to a head in 2023.
Donald kicked off the conversation, “In late 2022, you had specific guidance from the US White House Office of Management and Budget in memorandum M-22-18, specifically requiring that federal agencies only use software provided by software suppliers who can attest that they're taking specific government-specified secure development practices into account. Those practices are very clearly enumerated in a set of standards put forth by the National Institute of Standards and Technology. It's driving action in the marketplace by federal agencies that are seeking to satisfy this requirement and by private industry organizations who do business with the US federal government (and other national governments)... which is most large companies. Most large businesses, enterprises, have some kind of customer base in the public sector. And it raises this really hard question: how do you attest [to the health, security, and provenance of] a bunch of, not just hundreds, but often thousands of open source components that you're importing from public code repositories? It's a really big puzzle.”
Stephen followed with, “I think the tension is that it's these economic incentives pitched against the scale—if we were talking about a handful of components or dozens of components or even hundreds of components, that would be one thing. But we're literally talking about thousands, if not tens of thousands. The regulations are creating a different economic incentive. And for better or for worse, I believe that economics is one of the only real sort of drivers of change, but it is directly in opposition to the scale from a software standpoint.”
This is just a taste of what was covered in the webinar. Want to learn more? You can watch this on-demand webinar right now.