The New Stack Podcast

Are We Thinking About Supply Chain Security All Wrong?

Oct 3, 2024

Ashley Williams, founder and CEO of axo, discusses the unsettling reliance on unpaid open-source maintainers for crucial software security. She argues that companies often overlook these maintainers while depending on third-party vendors, exacerbating vulnerabilities. Thomas Depierre weighs in on the reluctance of maintainers to be labeled as software suppliers. The conversation delves into the pressures on maintainers and the need for sustainable funding models in the open-source realm, emphasizing the importance of integrating maintainer perspectives into supply chain strategies.

43:48

Creator website

Episode guests

Thomas Depierre

Ashley Williams

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The podcast emphasizes the need for improved engagement between companies and open-source maintainers to enhance software supply chain security.

It discusses the evolving role of open-source contributors amid corporate involvement, highlighting the challenges and pressures they face in maintaining independence.

Deep dives

Challenges in Software Distribution

Distributing software remains a significant challenge, even in 2024, due to the complexity of managing different operating systems and deployment environments. A tool named Cargo-dist, which is being renamed to Dist, aims to streamline the distribution process for software developers by allowing them to select multiple platforms and package managers with a simple checklist approach. This tool focuses on alleviating the common installation issues that developers face, such as compatibility with OpenSSL and glibc versions, enabling creators to focus on development rather than troubleshooting installation problems. By addressing the distribution hassles in one solution, it seeks to foster a more efficient development environment.

Intro

4min

Examining Software Supply Chain Security Challenges

6min

The Commercialization of Open Source

9min

Navigating Software Supply Chain Security in an AI-Driven World

4min

Sustaining Open Source: Challenges and Innovations

20min

In a New Stack Makers episode, Ashley Williams, founder and CEO of axo, highlights how the software world depends on open-source code, which is largely maintained by unpaid volunteers. She likens this to a CVS relying on volunteer-run shipping companies, pointing out how unsettling that might be for customers. The conversation focuses on open-source maintainers’ reluctance to be seen as "suppliers" of software, an idea explored in a 2022 blog post by Thomas Depierre. Many maintainers reject the label, as there is no contractual obligation to support the software they provide.

Williams critiques the industry's response to this, noting that instead of involving maintainers in software supply chain security, companies have relied on third-party vendors. However, these vendors have no relationship with the maintainers, leading to increased vulnerabilities. Williams advocates for better engagement with maintainers, especially at build time, to improve security. She also reflects on the growing pressures on maintainers and the underappreciation of release teams.

Learn more from The New Stack about open source software supply chain

2023: The Year Open Source Security Supply Chain Grew Up

Fortifying the Software Supply Chain

The Challenges of Securing the Open Source Supply Chain

Join our community of newsletter subscribers to stay on top of the news and at the top of your game.

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

The New Stack Podcast

Are We Thinking About Supply Chain Security All Wrong?

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Challenges in Software Distribution

Critique of Software Supply Chain Security

Evolution and Challenges in Open Source Governance

Future Directions for Open Source Monetization

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights

The New Stack Podcast

Are We Thinking About Supply Chain Security All Wrong?

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Challenges in Software Distribution

Critique of Software Supply Chain Security

Evolution and Challenges in Open Source Governance

Future Directions for Open Source Monetization

Get the Snipdpodcast app

AI-poweredpodcast player

Discoverhighlights

Save anymoment

Share& Export

AI-poweredpodcast player

Discoverhighlights

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights