Are We Thinking About Supply Chain Security All Wrong?
Imagine that you’re running a pharmacy — a CVS, say.
“What can you imagine how a CVS might operate, if every FedEx, Penske, if your shipping company, your trucking company, if all of those were volunteer-run?” asked Ashley Williams, founder and CEO of axo, a developer tool company, in this episode of The New Stack Makers.
“That would be pretty fascinating, right? And so you probably would feel a little bit more questionable going to CVS and buying something.”
The situation is analogous to how the world is being supplied with the software it depends on — open source code that is largely written and maintained by unpaid volunteers, Williams told Alex Williams (no relation), founder and publisher of TNS, in this Makers episode.
Ashley Williams, founder and initial executive director of the Rust Foundation, knows a thing or two about open source. And she’s thought deeply about the issues of software supply chain security and who should be responsible for it.
Her main critique, she said, is rooted in a 2022 blog post by Thomas Depierre, a developer and site reliability manager, called “I Am Not a Supplier.”
“A lot of people in open source reject ‘software supply chain security’ as a category immediately because they do not consider themselves a supplier,” she noted.
She added, “There’s simply no contractual obligation to support that relationship. And so while the software consumer is necessarily a consumer, the maintainer has not been elevated to the level of supplier.”
The Limits of Third-Party Security
But that’s not where the debate ends.
“A lot of people don’t read the last paragraph in this blog post, where ultimately it says, I am not your supplier yet,” said Ashley Williams.
“One of the things that I’ve been really frustrated about with software supply chain security is when people heard, ‘Oh, open source maintainers aren’t suppliers,’ instead of engaging maintainers to participate in supply chain security, it seemed like the entire industry decided that they needed to create this third party, arguably extractive industry, that does all a lot of the supply chain security work.”
Third-party vendors are then hired by companies that consume open source code to deal with the security issues in their software — essentially, at the final stops on the supply chain. “But these third-party companies have absolutely no relationship to the maintainers, right?” And that can result in more vulnerabilities because “there’s no foundation there that actually updates the software, patches the software. Or fixes it.”
Including maintainers in the process will become more important, she said. “Everybody’s been saying that to do software supply chain security right, we need to be doing our analysis. We need to be doing the [software bill of materials] generation, the attestation, all that stuff needs to be happening at build time, which is going to necessarily mean engaging the maintainers.”
Check out the full episode for more of Ashley Williams’ thoughts on the challenges of supply chain security, the increasing demands on project maintainers, her analysis of the various eras of open source, and why she thinks release teams are overworked and underrecognized.
