
I am not a supplier

31 Dec 2022 - Thomas Depierre

For the past few years, we have seen a lot of discussion around the concept of the Software Supply Chain. These discussions started around the time of the left-pad incident and escalated with multiple incidents since. The problem with all the work in this domain is that it forgets a fundamental point.

Before we get there, I am going to define what is usually meant by supply chain and suppliers, and why it is being applied to software. Then I will explain why attempts to bring FOSS under that definition are deeply misguided.

The concept

In the past couple of decades, we have seen the rise of Free and Open Source Software (FOSS). In particular, this has enabled massive growth in the reuse of pieces of code, packaged as libraries. This has been possible thanks to a massive ecosystem of infrastructure that bloomed around that idea. Package managers exist for every programming language environment under the sun nowadays, with central repositories holding the metadata needed to find the libraries and handle their distribution.

This has also been possible because FOSS licenses are pretty permissive, enabling reuse and remixing of these libraries without the massive legal and financial headache that would otherwise follow. A modern software project will probably have hundreds if not thousands of these dependencies, from OpenSSL to a test framework or a datepicker, across a wide spectrum covering things like a JSON encoder/decoder library or even the libc of the OS it is deployed on.

This ecosystem of dependencies, many of them transitive (dependencies of a dependency), is what the Software Supply Chain model calls the supply chain of the project. Inside this model we find tools that help manage it, like a Software Bill Of Materials (SBOM), which is supposed to record which libraries a project uses, where each one was obtained, which version it is, a hash of its content, and so on.
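To make concrete what an SBOM of the kind described above actually buys you, here is a small added example (not code from the original post, and not any real SBOM tool). It builds a minimal, CycloneDX-like record for a constructed set of fetched artifacts, then checks a build's artifacts against the recorded hashes. The package names, versions, contents and the `registry.example.org` source URL are all made up for the example, and the JSON layout is a simplified shape chosen here, not a conformant SBOM document.

```python
import hashlib
import json

# Constructed sample input: the artifacts a build would have fetched, keyed by
# (name, version). In a real build these would be the downloaded tarballs or
# wheels; here they are short byte strings standing in for them.
FETCHED_ARTIFACTS = {
    ("left-pad", "1.3.0"): b"module.exports = function leftPad(str, len, ch) { /* ... */ }\n",
    ("json-decoder", "2.1.4"): b"def loads(s):\n    return parse(s)\n",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used for every component in the record."""
    return hashlib.sha256(data).hexdigest()


def build_sbom(artifacts, source="registry.example.org"):
    """Produce a minimal SBOM: one component per dependency, recording the
    name, the version, where it was obtained and a hash of its content.
    The field layout is a simplified, CycloneDX-like shape chosen for this
    example (hypothetical), not a conformant CycloneDX or SPDX document."""
    components = []
    for (name, version), content in sorted(artifacts.items()):
        components.append({
            "name": name,
            "version": version,
            # Hypothetical registry URL; a real SBOM would carry a purl or
            # download location taken from the package manager.
            "source": f"https://{source}/{name}/{version}",
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(content)}],
        })
    return {"bomFormat": "example-sbom", "specVersion": "0.1", "components": components}


def verify_sbom(sbom, artifacts):
    """Compare the hashes recorded in the SBOM against the artifacts actually
    present in a build. Returns a dict of "name@version" -> one of
    "ok", "hash-mismatch" (content changed since the record was made) or
    "missing" (recorded component not present at all)."""
    result = {}
    for comp in sbom["components"]:
        key = (comp["name"], comp["version"])
        label = f"{comp['name']}@{comp['version']}"
        if key not in artifacts:
            result[label] = "missing"
            continue
        recorded = {h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256"}
        actual = sha256_hex(artifacts[key])
        result[label] = "ok" if actual in recorded else "hash-mismatch"
    return result


def sbom_to_json(sbom) -> str:
    """Serialise the record so it can be stored beside the build output."""
    return json.dumps(sbom, indent=2, sort_keys=True)


if __name__ == "__main__":
    sbom = build_sbom(FETCHED_ARTIFACTS)
    print(sbom_to_json(sbom))
    print(verify_sbom(sbom, FETCHED_ARTIFACTS))
    # Simulate a registry serving different bytes under the same version.
    tampered = dict(FETCHED_ARTIFACTS)
    tampered[("left-pad", "1.3.0")] = b"module.exports = function leftPad() { /* tampered */ }\n"
    print(verify_sbom(sbom, tampered))
```

The point of the check is that the SBOM pins content, not just a version string: a republished package with the same version but different bytes shows up as `hash-mismatch`. What the record cannot tell you is anything about the people behind each component, which is the gap the rest of this post is about.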

What is a Supply Chain

The idea of a supply chain does not come out of nowhere, of course. In the manufacturing industry, the supply chain is the long chain of suppliers needed to produce a particular factory's output. As an example, if you assemble cars, you need seats, a lot of screws, cables, electronics, all kinds of stamped metal sheets, and so on. Your cable supplier needs copper, plastic, energy and probably all kinds of machine tools. Those machine tools probably need other machine tools to be built, plus screws, bolts, nuts and some electronics too. And we can keep going through this long game of "what do you need to produce this car" until your diagram looks like a massive spaghetti ball.
