Google Assured OSS

Subscribe for more content like this through the mailing list or RSS.

Let's talk about Google's newest software supply chain product. Reading the GA announcement I had many mixed feelings. Starting with the good, compared to other implementations of "curated open source", there were multiple things I liked:

Use of ecosystem native packaging tools like pip instead of something non-native (like apt, yum, etc).
Automated tools for scanning, fuzzing, and verifying metadata.
Patch vulnerabilities at the source upstream rather than patching internally.

My understanding of Assured OSS architecture

These are great, excellent choices were made here. Unfortunately, there were not-so-great things I saw in this offering:

Obscures consumers dependency tree from the actual source of their packages. urllib3 isn't maintained by anyone on Google's payroll, but is available in Assured OSS.
Adds more burden to maintainers without compensation by delegating triage, bug fixes, feature requests, vulnerability remediation, and releases for packages that Google is "supplying".
Splits the package ecosystem by rebuilding packages from source with Cloud Build to provide "provenance".
No improvements to sustainability or growth of open source software, only placates consumers by checking compliance boxes.
Free, but not open. You need to input a business email in order to request access. There’s mention of “Contact your account team for pricing info” which to me reads as: you have to already be paying Google to use this service.

What could Google Assured OSS be?

Don't make the service free, charge for the service and pay the maintainers. There's an opportunity to make enterprise consumers acknowledge the value that securely curated open source software brings to their organization and to not leave out maintainers as has been done in the past for initiatives similar to Google Assured OSS.

Live the "pushing left on security" mantra to the fullest and partner with maintainers and compensate them for their efforts. Not partnering with maintainers leaves many actual end-to-end security practices on the table that could get delivered to all open source consumers.

You may have heard about this model before: Tidelift! Tidelift has been supporting maintainers of urllib3 financially since 2019 and in that time our partnership has produced the following:

Improved the release pipeline to be automated, reproducible, and generate SLSA Level 3 provenance attestations for releases. Compare this to Cloud Build SLSA provenance which can only attest to Google having built the artifact, not the source's provenance.
Achieved the highest OpenSSF Scorecard score across all PyPI projects (at the time of writing: 9.6/10).
Created plans to provide security fixes for the previous major version which we know will be important for consumers before migrating to v2.0.
Added a secondary paid maintainer, Quentin Pradet, in order to protect against maintainer bus-factor concerns.
Passing grade for OpenSSF Best Practices badge.
Created materials for other maintainers to secure their accounts and projects and a template project implementing security best practices.
All above improvements are available to everyone who uses urllib3.

Don't forget that there are people, not just packages, in your software supply chain. 👋

Google Assured OSS

What could Google Assured OSS be?§

What could Google Assured OSS be?