The log4j incident spoiled the weekend for many people, including myself 🙂. There was a similar incident years back when a basic string-padding library in the nodejs ecosystem (read more: left-pad) was taken off by its maintainer. With open-source contributed modules proliferating across our software stack, organizations now need to be mindful of their software supply chain. This is in line with how covid brought the same realization in manufacturing.
Hard facts about the digital supply chain
If you are building a spring-angular kind of application, the long list of nested dependencies can be overwhelming. Now multiply that by the server stack you are running on. Below that, the OS or cloud vendor has its own. Below that, your hardware provider has some. Orthogonal to these are your logging solutions, gateways and downstream services. This is like the movie Inception: a world within a world, a world alongside another. Now that we are aware of the rabbit hole, let's go inside.
Need for mindful package dependencies
When we use a library like spring or some apache solution like spark, the main focus is either on their license model or on a feature comparison with an alternative. These are the building blocks of our solutions now. The time has come for companies to actively contribute to them, whether in donations of money or developer time. For companies who don't want a direct touch point, new companies can come up to serve this need (check github sponsors). Such a model already exists for corporate social responsibility (CSR) mandates.
Active governance of the stack
More important than contribution is governance. We know multiple consortia and foundations exist: Apache, Eclipse, CloudNative or even the old-school JCP. Typically it is software product vendors that show up here, and most of the noise is around features. Sometimes politics 🙂. There is a need for a governance body or bodies focused solely on the well-being of digital supply chains. It would be a lightweight body focusing on compatibility, security and the selection and retirement of dependencies. The mavericks might not like the idea of someone telling them which library to depend on. But all developers already make such a choice when they consider the health of a repo, its popularity etc. Moreover, remuneration of the maintainer of a dependency module is one important aspect. When a disruption similar to log4j happened with openssl, people were shocked to learn about the sole maintainer of this library and how much he was paid! (read details here) What if such a sole contributor is sick when a zero-day issue is found, or decides to retire? We are not even thinking of the digital equivalent of repo inheritance! About time we do.
Possibility of espionage and cyber warfare
This might look alarming, but it is needed to complete the coverage of the topic. When your code depends on a complex web of dependencies, it is a soft area for enemies to hurt. I am not aware of studies done on this topic (e.g. a China study). But it is not unthinkable for bad actors to take on the role of contributor or some other role in these repos. Once the actors are in, they can possibly inject a deep-level backdoor, or even a time- or event-based memory crash is good enough. I don't want to paint a dark picture here, but we have left the fences open for long here…
Politics can get in too
The nodejs issue cited above also has a developer-corporate power tussle angle to it. There can always be some conflict between the maintainer of a contributed module and the host body. Leaving aside the many ways this can happen, what fallback mechanism do we have in such a case? Say a contributed module is suddenly taken off or expelled, but your build pipelines are already married to this module. Now what? We need governance here.
At the same time, one needs to be aware of developer activism. Given that we have developer communities across the globe, it is not impossible that developers stage some sort of satyagraha (refer Gandhi) and take down their repos. Or there is some huge anti-amazon or anti-someone sentiment and they change their licenses.
A more apparent one: a country like china, or someone against your country, taking some action and throwing your supply chain into disarray.
Stack Overflow here
It is a little bit of an expansion, but given that a lot of code is copied from stack overflow these days, it is one hidden supply chain we have in our stack. Who owns a deep bug in such copied code? Or a recommendation around using some library? There can be many internal process checks here, but stack overflow or its equivalent content sites are part of the radar now.