Title: I Am Not a Supplier Authors: Thomas Depierre Category:#articles Tags:#technology Number of Highlights: 3 Source URL: https://softwaremaxims.com/blog/Not-A-Supplier Date: 2023-01-12 Last Highlighted: 2023-01-12


This ecosystem of dependencies, a lot of them transitive (dependencies of a dependency), is what the Software Supply Chain model calls the Supply Chain of the project. Inside this model we will find tools that help manage it, like a Software Bill Of Materials (SBOM) that is supposed to hold the information of what libraries are used for this project, where they were found, which version, some hash of the content, etc.
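To make the SBOM description above concrete, here is an added example (not code from the original post) that records exactly those fields, name, version, where the artifact came from and a content hash, for two constructed dependencies, and later checks what is present against the recorded hashes. The component layout borrows a minimal subset of CycloneDX JSON field names (an assumption, not a complete or validated BOM); the package names, versions, URLs and tarball bytes are made up.

```python
import hashlib

# Constructed sample dependencies: what a build fetched, from where, and the bytes
# it got. These stand in for real registry tarballs; the content is made up.
FETCHED = {
    "left-pad": {"version": "1.3.0",
                 "source": "https://registry.example/left-pad-1.3.0.tgz",
                 "content": b"constructed tarball bytes for left-pad 1.3.0"},
    "libfoo":   {"version": "2.1.4",
                 "source": "https://mirror.example/libfoo-2.1.4.tar.gz",
                 "content": b"constructed tarball bytes for libfoo 2.1.4"},
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sbom(fetched: dict) -> dict:
    """Record name, version, origin and a content hash for every dependency.
    Field names follow a minimal subset of CycloneDX's JSON layout (assumption)."""
    components = []
    for name, dep in fetched.items():
        components.append({
            "type": "library",
            "name": name,
            "version": dep["version"],
            "externalReferences": [{"type": "distribution", "url": dep["source"]}],
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(dep["content"])}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components}

def verify_against_sbom(sbom: dict, fetched: dict) -> dict:
    """Compare what is present now with what the SBOM recorded.
    Returns name -> 'ok' | 'hash-mismatch' | 'missing' | 'version-changed'."""
    report = {}
    for comp in sbom["components"]:
        dep = fetched.get(comp["name"])
        if dep is None:
            report[comp["name"]] = "missing"
        elif dep["version"] != comp["version"]:
            report[comp["name"]] = "version-changed"
        else:
            recorded = {h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256"}
            present = sha256_hex(dep["content"])
            report[comp["name"]] = "ok" if present in recorded else "hash-mismatch"
    return report

if __name__ == "__main__":
    sbom = build_sbom(FETCHED)
    # Simulate a later fetch where libfoo's archive no longer matches what was recorded.
    later = {**FETCHED, "libfoo": {**FETCHED["libfoo"], "content": b"different bytes"}}
    print(verify_against_sbom(sbom, later))
```

The hash is what turns the SBOM from an inventory into something a build can check: a name and version alone cannot tell a replaced archive from the one originally recorded.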


There is a small problem here. We are not suppliers. All the people writing and maintaining these projects, we are not suppliers. We do not have a business relationship with all these organisations. We are volunteers, writing code and putting it online under these Licences. And yes, we put it online for people to use. But we do not get anything from it.


Hell, even worse, the people maintaining a lot of the libraries that underpin the fabric of what we all call the digital economy have trouble getting enough money to pay for food. On this topic, I strongly advise everyone to take the time to read Nadia Eghbal's Roads and Bridges report to realize the depth of the problem. It is a bit old, as it was written in the aftermath of Heartbleed, but it is as relevant today as it was at the time.