OPA is widely used, so you expect to see it work out—you want to see that work out. The truth is you can count on two hands the number of commercially successful open source companies operating at scale. Even among these, all have had questions about their business viability at one point or another. Contrary to popular belief, there are no rules for what works in commercial open source. This stuff is hard.
History bears him out. There are successes—Red Hat (acquired by IBM), Elastic, MongoDB, Cloudera, MuleSoft, Confluent, Temporal, HashiCorp (also acquired by IBM)—but each navigated awkward trade-offs on licensing, cloud competition, or monetization models. There’s no single “do this and win” playbook.
Even where there’s funding, it doesn’t always land where the risk is. In 2022 I noted that OpenSSF’s multi-point plan was commendable, but generalized funding can’t paper over the fact that attack surfaces change faster than checklists. The most durable wins come from standards for provenance, routine signing, predictable response, and the plumbing that makes “secure by default” boring.
What works and what still doesn’t
Back to NPM. Why did this compromise “go out with a whimper”? Partly because the adversary deployed amateurish malware and got caught quickly. But there’s also evidence the ecosystem’s guardrails are better than they were a few years ago: