Someone posted on a Slack about a software supply chain attack and was worrying about what they can do, and I replied that IMO (with the caveat that I'm not a security engineer and would defer to one) you either pay someone to review third-party dependencies or you pay someone to write them, whether that someone is a contractor or your own staff. Everything else is basically an exercise in shifting around trust in external entities, and ultimately supply chain fears are rooted in loss of trust.
This made me kinda wish that more libraries had commercial plans available to help fund proper code review of incoming contributions and general maintenance without having to sell support hours.
One of GitHub's greatest missteps was to sleep for so long on library sustainability. A GitHub that took this seriously would have things like:
- Ability to define and purchase commercial plans for using libraries that meet liability requirements.
- Built-in support for contributor licensing agreements to make the rights of the library owner vs. their contributors clear, including shared royalties with contributors if desired.
- Better discoverability suitable to a software library marketplace.
- APIs compatible with major package managers for directly downloading and installing libraries from GitHub that can enforce commercial access plans via authentication.
- License compliance / enforcement for the most popular software licenses (e.g. flag it if you attempt to add a GPLv3 library to a project under the Apache license) to reduce corporate fears of OSS.
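As an added illustration of that last item (my own example, not anything GitHub or a package manager ships): a small license gate that takes the project's license and a dependency manifest and flags dependencies that cannot be combined into a work distributed under that license. The compatibility table is a deliberately conservative subset, and the manifest is constructed for the demo; anything not covered by the table is flagged for a human rather than waved through.

```python
"""Dependency license gate (added example, not from the original post)."""
from dataclasses import dataclass

# Licenses whose code may be incorporated into a combined work distributed
# under KEY. Assumption: a conservative subset of the usual FSF/ASF guidance;
# GPL-2.0-only is deliberately absent from the GPL-3.0 row (it is not
# upgrade-compatible), and anything unlisted is treated as needing review.
COMPATIBLE = {
    "Apache-2.0": {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    "MIT": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    "GPL-3.0": {"GPL-3.0", "LGPL-3.0", "Apache-2.0", "MIT",
                "BSD-2-Clause", "BSD-3-Clause", "ISC"},
}


@dataclass(frozen=True)
class Finding:
    name: str
    license: str
    reason: str


def check_dependencies(project_license, deps):
    """Return a Finding per dependency that cannot be combined into a project
    distributed under project_license. deps maps name -> SPDX id (or None)."""
    allowed = COMPATIBLE.get(project_license)
    if allowed is None:
        raise ValueError(f"no compatibility rules for {project_license}")
    findings = []
    for name, lic in sorted(deps.items()):
        if not lic:
            findings.append(Finding(name, "UNKNOWN",
                                    "no license declared; needs manual review"))
        elif lic not in allowed:
            findings.append(Finding(name, lic,
                                    f"{lic} code cannot ship in a {project_license} project"))
    return findings


# Constructed manifest standing in for what a lockfile plus metadata would report.
SAMPLE_DEPS = {
    "fastjson-ish": "Apache-2.0",
    "copyleft-parser": "GPL-3.0",
    "tiny-util": "MIT",
    "mystery-lib": None,
}

if __name__ == "__main__":
    for f in check_dependencies("Apache-2.0", SAMPLE_DEPS):
        print(f"FLAG {f.name} ({f.license}): {f.reason}")
```

Run against the sample manifest it flags the GPL-3.0 dependency and the one with no declared license, and passes the permissive ones.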
They could take their 5% cut and massively improve the opportunities for funding software library development at the same time. Alas.
