Comment: Add link to 2016 EU Audit, minor cleanup

...


...


There are really three main supply-chain related ideas that people need to understand:

  • While not everyone yet agrees that it works, our biggest defense against vulnerabilities being introduced is eyeballs, which our open development process supports. Any interested human (or bot) can act as a QC inspector for the direct-contribution part of our supply chain. We have always welcomed this, especially when reports come with patches.
  • There is a natural nesting as software dependencies propagate through applications. Fixing vulnerabilities in base-level components (e.g. log4j) has a cascading impact. Unless and until all downstream systems have effective automated build, test and deployment pipelines, this creates systemic risk that has nothing to do with OSS per se. In his original post, markt called this out, along with
  • End of life is an industry-standard concept that we apply at the ASF. End of life means no more patches. End-of-life software running in critical systems is another systemic risk.

...