
Google Assured OSS

Published 2023-04-14 by Seth Larson
Reading time: 2 minutes

Let's talk about Google's newest software supply chain product. Reading the GA announcement I had many mixed feelings. Starting with the good, compared to other implementations of "curated open source", there were multiple things I liked:

  • Use of ecosystem-native packaging tools like pip instead of something non-native (like apt, yum, etc.).
  • Automated tools for scanning, fuzzing, and verifying metadata.
  • Patch vulnerabilities at the source upstream rather than patching internally.
[Diagram: Google Assured OSS sits between Maintainers (Source Code, Package Repo, Vulns, Packages) and Assured OSS Consumers (Rebuilt Packages, SBOM, VEX, SLSA, OSS-Fuzz).]

My understanding of Assured OSS architecture

These are great; excellent choices were made here. Unfortunately, there were also not-so-great things I saw in this offering:

What could Google Assured OSS be?

Don't make the service free, charge for the service and pay the maintainers. There's an opportunity to make enterprise consumers acknowledge the value that securely curated open source software brings to their organization and to not leave out maintainers as has been done in the past for initiatives similar to Google Assured OSS.

Live the "pushing left on security" mantra to the fullest and partner with maintainers and compensate them for their efforts. Not partnering with maintainers leaves many actual end-to-end security practices on the table that could get delivered to all open source consumers.

You may have heard about this model before: Tidelift! Tidelift has been supporting maintainers of urllib3 financially since 2019 and in that time our partnership has produced the following:

Don't forget that there are people, not just packages, in your software supply chain. 👋

Thanks for reading! ♡ Did you find this article helpful and want more content like it? Get notified of new posts by subscribing to the RSS feed or the email newsletter.


This work is licensed under CC BY-SA 4.0