Published 2023-04-14 by Seth Larson
Reading time: 2 minutes
Let's talk about Google's newest software supply chain product. Reading the GA announcement
I had many mixed feelings. Starting with the good, compared to other implementations of
"curated open source", there were multiple things I liked:
- Use of ecosystem-native packaging tools like pip instead of something non-native (like apt, yum, etc).
- Automated tools for scanning, fuzzing, and verifying metadata.
- Patch vulnerabilities at the source upstream rather than patching internally.

[Figure: My understanding of Assured OSS architecture]
These are great; excellent choices were made here. Unfortunately, there were not-so-great things I saw in this offering:

- Obscures consumers' dependency tree from the actual source of their packages. urllib3 isn't maintained by anyone on Google's payroll, but is available in Assured OSS.
- Adds more burden to maintainers without compensation by delegating triage, bug fixes, feature requests, vulnerability remediation, and releases for packages that Google is "supplying".
- Splits the package ecosystem by rebuilding packages from source with Cloud Build to provide "provenance".
- No improvements to sustainability or growth of open source software; only placates consumers by checking compliance boxes.
- Free, but not open. You need to input a business email in order to request access. There's mention of "Contact your account team for pricing info", which to me reads as: you have to already be paying Google to use this service.
Don't make the service free, charge for the service and pay the maintainers.
There's an opportunity to make enterprise consumers acknowledge the value that securely curated open
source software brings to their organization and to not leave out maintainers as has been done in the past
for initiatives similar to Google Assured OSS.
Live the "pushing left on security" mantra to the fullest and partner with maintainers and compensate
them for their efforts. Not partnering with maintainers leaves many actual end-to-end
security practices on the table that could get delivered to all open source consumers.
- Improved the release pipeline to be automated, reproducible, and generate SLSA Level 3 provenance attestations for releases.
- Compare this to Cloud Build SLSA provenance, which can only attest to Google having built the artifact, not the source's provenance.
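As an added illustration (not code from this post, from Google, or from any project named here), the check below evaluates a SLSA v1 provenance statement the way a consumer's policy would, and shows why a builder identity alone is not source provenance: the verifier has to pin both the expected builder and the expected upstream source, and a rebuild by a third party fails on both. Every URI, commit and artifact digest is a constructed placeholder.

```python
SLSA_V1 = "https://slsa.dev/provenance/v1"

def make_statement(builder_id, source_uri, source_commit, artifact_sha256):
    """Minimal in-toto Statement carrying SLSA v1 provenance (constructed test data)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg-1.0.0-py3-none-any.whl", "digest": {"sha256": artifact_sha256}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/buildtypes/wheel",  # placeholder build type
                "externalParameters": {"source": {"uri": source_uri, "digest": {"gitCommit": source_commit}}},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }

def evaluate(statement, policy, artifact_sha256):
    """Return the list of policy failures; an empty list means the artifact is accepted."""
    if statement.get("predicateType") != SLSA_V1:
        return ["unsupported predicate type"]
    failures = []
    pred = statement["predicate"]
    # 1. Does the attestation actually cover the artifact we downloaded?
    subjects = {s["digest"].get("sha256") for s in statement.get("subject", [])}
    if artifact_sha256 not in subjects:
        failures.append("subject digest does not match downloaded artifact")
    # 2. Who ran the build? A rebuilder's id only proves that the rebuilder ran a build.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != policy["builder_id"]:
        failures.append(f"untrusted builder: {builder}")
    # 3. Was it built from the upstream repository at the expected release commit?
    src = pred.get("buildDefinition", {}).get("externalParameters", {}).get("source", {})
    if src.get("uri") != policy["source_uri"]:
        failures.append(f"unexpected source: {src.get('uri')}")
    if src.get("digest", {}).get("gitCommit") != policy["source_commit"]:
        failures.append("source commit does not match the upstream release")
    return failures

# Constructed values: placeholder builder URIs, a fake release commit and a fake wheel digest.
UPSTREAM_BUILDER = "https://example.invalid/upstream/release-workflow"
REBUILDER = "https://example.invalid/third-party/rebuild-service"
POLICY = {"builder_id": UPSTREAM_BUILDER, "source_uri": "git+https://example.invalid/upstream/pkg", "source_commit": "a" * 40}
ARTIFACT = "b" * 64
UPSTREAM = make_statement(UPSTREAM_BUILDER, POLICY["source_uri"], "a" * 40, ARTIFACT)
REBUILT = make_statement(REBUILDER, "git+https://example.invalid/mirror/pkg", "c" * 40, ARTIFACT)

if __name__ == "__main__":
    for name, stmt in (("upstream", UPSTREAM), ("rebuilt", REBUILT)):
        print(name, evaluate(stmt, POLICY, ARTIFACT) or "accepted")
```

The rebuilt statement is rejected even though its subject digest matches, because the attestation records who built and from what, not that the inputs are the upstream release source.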