Idea for Open Source/Startup: monetising the supply chain

While at Capital One, one of my colleagues was working on a side project to look at the dependencies we were using, as a means to better understand our dependency trees and make it easier to determine when we needed to do dependency upgrades.

It'd got to a pretty great place, just as we'd started to adopt WhiteSource Renovate, so we were discussing other options for it, as it was now redundant for that original purpose.

Among other options raised, I suggested using it as a way to understand what libraries we were using, across our software estate, and use it to more appropriately distribute (financial) support to our projects.

As the xkcd comic highlights, a tonne of projects are maintained by very few folks, and if you understood that e.g. 80% of your company's critical infrastructure was in the hands of a couple of projects, maybe you'd want to do something about that.

Now, providing financial support isn't always the solution, as you may have hobbyists who just want to work on what they're doing and not need to answer to paying customers (who may feel a little more entitled to have work done); nor may the money make it through the foundation to the handful of developers on a library, as we saw with Log4Shell.

For instance, I'm a hobbyist who has enough of a problem prioritising my own projects and efforts, as well as the Open Source libraries I maintain, so I can definitely see why being paid for work can be difficult.

But even if the projects aren't set up for financial contributions, there may be other things you can do with that information, even if it's just getting contributions going upstream, or looking at how the maintainers can be supported if they were to need a hand, as well as whether your company could support development through a fork.

I feel like this could work really nicely in partnership with a supply chain health check like Socket.dev, and would provide an easy way for companies to say "we want to give ££££/month for Open Source, where is best?" and have it spit out a prioritised list by how much each library is in use by your projects.
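One way the ranking and budget split in the idea above could work, as an added example that is not the side project described here or any real tool: a constructed estate of three projects with their resolved dependency graphs (all project and library names are made up) is walked to find every library each project reaches, the libraries are ranked by how many projects depend on them, and a monthly budget is split in proportion, rounding so the total is spent exactly.

```python
from collections import defaultdict

# Constructed sample estate: for each project, a library maps to the libraries
# it pulls in; "ROOT" stands for the project's own direct dependencies.
ESTATE = {
    "payments-api": {"ROOT": ["web-kit", "log-lib"], "web-kit": ["http-parse", "log-lib"],
                     "http-parse": [], "log-lib": []},
    "ledger-batch": {"ROOT": ["log-lib", "csv-lib"], "log-lib": [], "csv-lib": ["http-parse"],
                     "http-parse": []},
    "internal-cli": {"ROOT": ["csv-lib"], "csv-lib": ["http-parse"], "http-parse": []},
}

def resolve(tree):
    """Return every library reachable from ROOT (direct and transitive), once each."""
    seen, stack = set(), list(tree.get("ROOT", []))
    while stack:
        lib = stack.pop()
        if lib not in seen:
            seen.add(lib)
            stack.extend(tree.get(lib, []))
    return seen

def usage_by_library(estate):
    """Map each library to the set of projects that depend on it, directly or not."""
    users = defaultdict(set)
    for project, tree in estate.items():
        for lib in resolve(tree):
            users[lib].add(project)
    return dict(users)

def ranked(usage):
    """Libraries ordered by number of dependent projects, most used first; ties by name."""
    return sorted(usage, key=lambda lib: (-len(usage[lib]), lib))

def allocate(budget_pence, usage):
    """Split a monthly budget (in pence) in proportion to dependent-project count.
    Largest-remainder rounding guarantees the allocations sum to the budget."""
    if not usage:
        return {}
    total = sum(len(projects) for projects in usage.values())
    shares = {lib: budget_pence * len(p) / total for lib, p in usage.items()}
    alloc = {lib: int(share) for lib, share in shares.items()}
    leftover = budget_pence - sum(alloc.values())
    for lib in sorted(shares, key=lambda l: shares[l] - alloc[l], reverse=True)[:leftover]:
        alloc[lib] += 1
    return alloc

if __name__ == "__main__":
    usage = usage_by_library(ESTATE)
    for lib, pence in allocate(999, usage).items():
        print(f"{lib:12} used by {len(usage[lib])} project(s): {pence} pence/month")
```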

Maybe I'll end up looking at it one day, but you're welcome to the idea, just gimme a shout out 😉

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.

#ideas #security #open-source.

This post was filed under articles.
