NPM attacks and the security of software supply chains

OPA is widely used, so you expect to see it work out—you want to see that work out. The truth is you can count on two hands the number of commercially successful open source companies operating at scale. Even among these, all have had questions about their commercial viability at one point or another. Contrary to popular belief, there are no rules for what works in commercial open source. This stuff is hard.

History bears him out. There are successes—Red Hat (acquired by IBM), Elastic, MongoDB, Cloudera, MuleSoft, Confluent, Temporal, HashiCorp (also acquired by IBM)—but each navigated awkward trade-offs on licensing, cloud competition, or monetization models. There’s no single “do this and win” playbook.

Even where there’s funding, it doesn’t always land where the risk is. In 2022 I noted that OpenSSF’s multi-point plan was commendable, but generalized funding can’t paper over the fact that attack surfaces change faster than checklists. The most durable wins come from standards for provenance, routine signing, predictable response, and the plumbing that makes “secure by default” boring.

What works and what still doesn’t

Back to NPM. Why did this compromise “go out with a whimper”? Partly because the adversary deployed amateurish malware and got caught quickly. But there’s also evidence the ecosystem’s guardrails are better than they were a few years ago:
