Last year, Google announced a new service called Assured Open Source Software. It is one of the smartest moves I have seen in the industry recently, yet there has been almost no reporting about it.
Open source easily constitutes 80% of your product’s or project’s code base. If you are a startup, it is probably more like 99%. The way your code depends on open source components (including the components those components pull in) is called the dependency graph, and the way that code makes it onto your (virtual) premises is called the supply chain. Managing both is a major hassle. It is also important, because attacks on the software supply chain, used to breach your software security and that of other parties, have been rising steadily.
Managing your dependencies and the supply chain typically means establishing some in-house component management for open source code, vetting that code before it goes into the system, and then spinning your wheels in a continuous catch-up loop with the open source world as new releases and security fixes appear. It is a lot of work.
Google’s service now seems to make this a much easier process. It is positioned both to displace existing vendors of component management systems like JFrog (Artifactory) and Sonatype (Nexus Repository) and to free you from the burden of reviewing and updating open source components as they change. Of course, if you were to use it, it would also pull you into the Google cloud ecosystem, which is probably why Google is offering the service in the first place.
As the old saying goes: Developers, developers, developers. (Make life easy for developers and you win their employer’s wallet.)
Disclaimer: I’m not affiliated with Google and don’t know about the quality and utility of this service. I do know that I consult for companies who would like to get a handle on using open source in their products and projects. Feel free to get in touch!