Chris H.’s Post


CEO @ Aquia | Cyber Innovation Fellow @ CISA | Chief Security Advisor @ Endor Labs | 2x Author | Veteran

Open Source Maintainers aren’t your “Suppliers”.

Increasingly the industry is waking up to the realization that most of the code they use is coming from people who owe them nothing. Just last week the Office of Management and Budget published their FY26 Cyber Budget Priorities. It included a section dedicated to open source and supply chain security. It calls for the Federal government and its contractors to begin contributing to open source projects they depend on. This is the way.

Open source generally comes with no guarantees and is to be used “as-is”. You can’t make demands around remediating vulnerabilities, fixing flaws, and addressing your concerns. You can ask, sure. But ultimately, you own the risk.

If you heavily depend on open source, which nearly everyone does, you should be looking to give back, either financially, or in time and effort, to the projects and maintainers you have a dependency on.

In this article I discuss the reality that open source maintainers aren’t your suppliers, and how many still don’t understand this. https://lnkd.in/eUyysDKu

#ciso #opensource #supplychain

Supplier Misnomer (resilientcyber.io)

Josh Bressers

VP of Security at Anchore, Podcaster, Blogger

1mo

The White House paragraph on open source gets so much right. Kurt Seifried and I recorded a podcast about it last night (it'll come out in a week). But I find it sort of funny because I think it's in stark contrast to a post by CISA just a few days earlier: https://www.cisa.gov/news-events/news/continued-progress-towards-secure-open-source-ecosystem. That one had a very "measure and be afraid" theme. Trying to measure open source using dubious metrics is the drunk looking for their keys under the streetlight. The right way is to get involved. If you need a score, count how many open source projects you're a part of. If it's zero, you have a problem.

Vincent Danen

Vice President of Red Hat Product Security

1mo

Thanks for this write up Chris H. You’re spot on. Maintainers are *maintainers*. Suppliers are vendors like Red Hat, Canonical, SUSE, Microsoft, etc. The difference? You nailed it. Dollars exchange hands. Contracts are in place. That makes all the difference. If it’s free, the risk acceptance is 100% on the end user. That’s why vendors who supply open source are so valuable. Might be confrontational to say, but you’re paying for someone to give support, updates, features, therapy, whatever. A *maintainer* owes you none of those things. It’s fine to ask (we’re a bunch of helpful people and communities!) but _wildly_ inappropriate to demand.

Omkhar Arasaratnam

Dad | Husband | General Manager, OpenSSF | Investor | Advisor

1mo

My good friend Arnaud taught me the phrase “open source software is free, like puppy.” I think it’s the best summation.

This has been a topic I have LONG been advocating about. OSS has given so much to all of us, we need to ensure we're giving back!

There are maintainers who are willing and able to opt into our software supply chains (Tidelift has contracted with thousands of their packages, in fact!). People always forget the last part of Thomas’s post, which he did a fantastic breakdown of on the Open Source Security Podcast Ep 365: “Now, I am more than happy to become a supplier. You want me to work a certain way, I am more than happy to do it. But to do that, I am going to have to become a supplier. Which means you are going to have to start to pay me. A fair price, that we can negotiate. Under a different license. Until then, I am not your supplier.”

Tzachi Zornstain

Head of Software Supply Chain, Checkmarx

1mo

This is the way. Your software, your responsibility.

Great post! Thank you for sharing

Stormy Peters

Executive Technology Leader | Open Source Software Expert | Board Director | Vice President (VP) of Communities | Developing, leading, and communicating company-wide strategic and cultural changes.

1mo

Maybe the word "supplier" will help more people understand. We used to use the language project vs product, but I think neither the open source community nor the companies that used their software really understood or agreed on the terminology. I think it was hard for open source software projects to not think about their output as a product and it was hard for companies to understand that an open source project didn't necessarily have all the same backing as a company supported product.

Indeed, open source maintainers play a crucial role that goes beyond typical supplier relationships. Ownership of risk is paramount in this ecosystem.

Ken Lavoie

Chief Technologist @ Booz Allen Hamilton

1mo

Open Source Maintainers aren’t your “Suppliers”. (Agree 1000%.) I almost wish there was a new OSS license that required you to contribute based on how your company works. Build your product off an open source project, and provide X resources to help. If you’re based on that OSS, you’re in theory fixing those vulnerabilities that the community wasn’t able to, but the difference being the fix is closed source. Thanks for starting this discussion topic, looking forward to the threads here!
