<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

Improving the health and security of the open source supply chain

Amy Hays
by Amy Hays
on June 29, 2021

Updated on August 25, 2021

Don't miss the latest from Tidelift

Until recently, the term “software supply chain” was rarely uttered outside of the offices of CIOs and senior government officials. But in the wake of high profile attacks like SolarWinds, times have changed. Now, software supply chain security is the subject of terse boardroom conversations and New York Times headlines. 

Partially in response to these incidents, just a few weeks ago the U.S. government put out an executive order on improving the nation’s cybersecurity that may fundamentally change the way software is produced. 

Earlier this month at Upstream, we gathered together an illustrious group of industry experts to discuss the state of the open source supply chain—first by defining what exactly the supply chain is, and then brainstorming ways we can make it safer and more secure. Alex Williams, publisher and founder of The New Stack, moderated the panel, which included Gartner analyst Arun Batchu, Tom “Spot” Callaway of AWS, Shannon Lietz of Intuit, and Donald Fischer, of Tidelift.

Check out the discussion on-demand here.

So what is a supply chain? What are we talking about here?

According to Wikipedia, “a supply chain is a system of organizations, people, activities, information, and resources involved in supplying a product or service to a consumer. Supply chain activities involve the transformation of natural resources, raw materials, and components into a finished product that is delivered to the end customer.”

The software supply chain is like any other supply chain (water, food, gasoline, virus vaccines, whatever), made up of the organizations, people, information and resources involved in the production and distribution of software.

And the open source software supply chain is a subset of the software supply chain… just made more complex because of the wide variety of suppliers and distribution methods involved. 

“Something that’s unlike the automotive or real world supply chain metaphor, a lot of folks in open source communities never signed up to be a part of a supply chain in the first place,” Donald Fischer said. “So to have the full weight of expectations of the traditional supply chain thrown on them, it’s a mismatch.”

“I think in open source, and even in commercial products, we don’t have the sense of a manifest yet, and I think that’s a crucial part of the puzzle,” Shannon Lietz said.

“The maintainers in this supply chain model honestly don’t get a lot of insights into what happens on either side of them, whether it’s upstream or downstream,” Tom Callaway said. “Companies aren't always forthcoming with how they are using this open source code, so it’s really difficult for maintainers to be an informed participant in developing a manifest.”

“There’s a major shift happening,” Arun Batchu said. “You have to think about how software is being perceived in IT departments versus software in software technology companies. There’s always been this idea that you can just buy from somewhere, but that’s not the case anymore. This idea about software supply chain, you should think about your software like digital products.”

You can watch the whole panel on-demand here.

Improving the health and security of the open source supply chain