I am not a supplier (2022)
10 months ago
- #Open Source
- #FOSS
- #Software Supply Chain
- The concept of the Software Supply Chain has gained attention due to incidents like the 2016 removal of the npm package left-pad and security vulnerabilities in widely used libraries.
- Free and Open Source Software (FOSS) has enabled extensive code reuse through libraries, supported by package managers and lenient licensing.
- In manufacturing, the supply chain model rests on contractual relationships with suppliers, built to prevent disruptions; no such relationship exists between a company and the FOSS projects it depends on.
- Companies face risks from dependencies on FOSS libraries, including security vulnerabilities, malicious code, and political decisions by maintainers.
- FOSS maintainers are not suppliers; they provide code voluntarily without business relationships or obligations to users.
- Many critical FOSS libraries struggle with funding, as highlighted in Nadia Eghbal's 2016 report 'Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure'.
- FOSS licenses explicitly state that the software is provided 'AS IS,' with no warranties or liabilities from the authors.
- The author emphasizes that FOSS maintainers are not suppliers and rejects the imposition of supply chain obligations on them by users who offer no compensation and have no business relationship with them.
- The article concludes by reiterating that FOSS is provided 'AS IS' and that downloading it creates no supplier relationship.