The Open Source Software Supply Chain Isn't REAL!!

In technology, whenever a noteworthy event such as the XZ Utils backdoor occurs, where the software supply chain is disrupted by a rogue contributor, a burnt-out maintainer, or an unnoticed transitive dependency, there is an immediate rush to find solutions. The typical remedies are money and additional manpower, which can relieve pressure on maintainers and potentially turn hobby projects into careers. But there is a deeper argument that questions whether a "software supply chain" exists at all.

One insightful perspective comes from Thomas Depierre’s blog post titled "I Am Not a Supplier," which delves into the core of what constitutes a software supply chain and argues why this concept might be flawed in the context of open-source software (OSS).

Understanding the Software Supply Chain

Over the past few decades, free and open-source software (FOSS) has gained massive traction, encouraging the reuse of code packaged as libraries. This has been facilitated by a well-established ecosystem of package managers and central repositories, which exist for virtually every programming environment: Python's pip and PyPI, JavaScript's npm, Rust's Cargo, and even package managers for C++. The ability to reuse and remix libraries without legal or financial burdens has propelled the development of modern software projects, which often depend on hundreds, if not thousands, of open-source dependencies, most of them pulled in transitively rather than chosen deliberately.

In traditional manufacturing, a supply chain involves a series of suppliers required to produce an end product. For a car, this could involve acquiring seats, screws, cables, and electronics from various suppliers. Similarly, in the software world, a project might rely on numerous libraries and packages.
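The dependency counts above are easier to appreciate once you enumerate what your own build actually ships. The following Python script is an added example, not code from the original post or from Depierre's essay. It parses a constructed npm lockfile in the lockfileVersion 3 layout (package names and versions are invented), resolves each dependency the way Node does (nearest node_modules directory, walking upward), and reports direct versus transitive dependencies, names shipped in more than one version, and packages that are installed but unreachable from the project root. The SAMPLE_LOCK fixture and the resolve and dependency_report helpers are assumptions for illustration, not part of any real project.

```python
"""Enumerate what a project actually ships: direct versus transitive
dependencies in an npm lockfile (lockfileVersion 3 layout)."""
import json
from collections import deque

# Constructed sample lockfile for this example; package names and versions
# are invented. Layout follows npm lockfileVersion 3: every installed package
# is keyed by its node_modules path, and a nested node_modules path holds a
# second copy when two consumers need incompatible versions.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^2.0.0", "logger": "^1.0.0"}},
        "node_modules/web-framework": {
            "version": "2.1.0",
            "dependencies": {"router": "^3.0.0", "string-utils": "^1.0.0"},
        },
        "node_modules/router": {
            "version": "3.4.0",
            "dependencies": {"string-utils": "^2.0.0"},
        },
        "node_modules/router/node_modules/string-utils": {"version": "2.0.1"},
        "node_modules/string-utils": {"version": "1.5.0"},
        "node_modules/logger": {
            "version": "1.0.0",
            "dependencies": {"color-codes": "^0.9.0"},
        },
        "node_modules/color-codes": {"version": "0.9.2"},
        # Left behind by an earlier install; nothing depends on it any more.
        "node_modules/old-helper": {"version": "0.1.0"},
    },
})


def resolve(packages, from_path, name):
    """Mimic Node's lookup: nearest node_modules/<name> at or above from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        # Step up one package level: drop the last "/node_modules/<pkg>" segment.
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def dependency_report(lock_json):
    """Walk the graph from the root and classify every installed package."""
    packages = json.loads(lock_json)["packages"]
    root = packages[""]
    direct = {**root.get("dependencies", {}), **root.get("devDependencies", {})}

    # path -> (depth, chain of package names that pulled it in)
    reached = {}
    queue = deque()
    for name in direct:
        path = resolve(packages, "", name)
        if path is None:
            raise ValueError(f"lockfile is missing direct dependency {name}")
        reached[path] = (1, [name])
        queue.append(path)

    while queue:  # breadth-first, so the recorded chain is the shortest one
        path = queue.popleft()
        depth, chain = reached[path]
        for dep in packages[path].get("dependencies", {}):
            dep_path = resolve(packages, path, dep)
            if dep_path is None:
                raise ValueError(f"{path} needs {dep}, which is not installed")
            if dep_path not in reached:
                reached[dep_path] = (depth + 1, chain + [dep])
                queue.append(dep_path)

    installed = [p for p in packages if p]
    versions = {}
    for path in installed:
        name = path.rsplit("node_modules/", 1)[1]
        versions.setdefault(name, set()).add(packages[path]["version"])

    return {
        "installed": len(installed),
        "direct": sum(1 for p in reached if reached[p][0] == 1),
        "transitive": sum(1 for p in reached if reached[p][0] > 1),
        "max_depth": max(d for d, _ in reached.values()),
        # Names shipped in more than one version: two copies to audit and patch.
        "multi_version": {n: sorted(v) for n, v in versions.items() if len(v) > 1},
        # Installed but unreachable from the root: cruft that still ships.
        "unreachable": sorted(set(installed) - set(reached)),
        "chains": {p: " -> ".join(c) for p, (_, c) in reached.items()},
    }


if __name__ == "__main__":
    for key, value in dependency_report(SAMPLE_LOCK).items():
        print(f"{key}: {value}")
```

On the constructed fixture the project chose two packages and ships seven: two direct, four transitive (one of them a second copy of string-utils nested under router), and one orphan nobody depends on any more. The chains in the report are what you hand to an engineer asking "why is this here?", which is the question the supply-chain framing assumes someone can already answer.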

The Realities of Open Source Dependencies

Companies regularly discover critical flaws in their products that originate not in their own code but in third-party libraries. Examples include the left-pad incident (a single npm package unpublished by its author, breaking builds across the ecosystem), the Log4Shell vulnerability in Log4j, and cases where malicious actors compromised widely used libraries, as in the XZ Utils backdoor. These incidents are cited as evidence of the fragility of our "software supply chain." Yet the term itself may be misleading.

A software supply chain implies defined relationships and responsibilities among all parties involved—much like in manufacturing. However, open-source maintainers often lack formal business relationships with the companies that use their code. This lack of relationship leads to a critical misunderstanding: these maintainers aren’t suppliers.

Data-Backed Insights

Recent reports present revealing statistics:

  • Synopsys' 2024 Open Source Security and Risk Analysis (OSSRA) report found that 77% of the code in the audited codebases originated from open source.
  • Tidelift's 2023 "State of the Open Source Maintainer" report found that 60% of maintainers describe themselves as unpaid hobbyists, while only 13% earn most or all of their income from maintaining projects.

Combining the two figures gives a back-of-envelope picture: roughly 46% of the active code in an application (60% of the 77%) is maintained by hobbyists, about 13.8% by semi-professionals, and about 40% by industry-paid developers. The two surveys sample different populations, so these are rough estimates rather than measurements, but the conclusion holds either way: a large share of the code running in production is maintained by volunteers, who cannot be expected to offer the support a paid supplier would.

No Supplier Relationship

A crucial point stressed by the author is the lack of a formal supplier relationship between open-source maintainers and the companies using their code. OSS licenses typically disclaim all warranty; the MIT License, for example, states that the software is provided "as is", without warranty of any kind, so the user takes on all the risk. Thus there is no "supply chain" in the traditional sense: open-source developers owe nothing to the users of their code unless a formal agreement, such as a support contract, exists.

Conclusion and Moving Forward

In light of this, companies heavily relying on OSS should consider financially supporting these projects. By donating regularly to the libraries they depend on, they can help ensure the sustainability and reliability of their software stack.

So, is there really a software supply chain in open-source software? The evidence and logic presented argue convincingly that it might be a misnomer. Open-source is the backbone of modern software, yet it operates on principles distinct from traditional supply chains.

Keywords

  • Open-source software (OSS)
  • Software supply chain
  • Free and Open-Source Software (FOSS)
  • Package managers
  • Dependencies
  • Volunteer maintainers
  • Thomas Depierre
  • Financial support
  • Library vulnerabilities
  • Supplier relationship

FAQ

Q1: What is meant by a "software supply chain"?

A: In the context of open-source software, a software supply chain refers to the complex network of dependencies and libraries that a software project relies on. However, the notion is argued to be flawed because it implies formal supplier relationships, which do not typically exist in the open-source world.

Q2: Why are volunteer maintainers not considered suppliers?

A: Volunteer maintainers are not considered suppliers because there is no formal business relationship between these individuals and the companies using their code. They contribute code with no obligation or expectation of support, unlike paid suppliers in a traditional supply chain.

Q3: What are the main action points for companies using OSS?

A: Companies should consider financially supporting the open-source libraries they depend on. Regular donations can help maintainers keep their projects running and secure, indirectly benefiting the companies themselves.

Q4: How does the reliance on OSS impact the software industry?

A: While OSS enables rapid development and innovation, it also introduces risks when critical libraries are maintained by overworked volunteers. The industry must recognize and address the sustainability of OSS projects to avoid potential disruptions.