NPM attacks and the security of software supply chains

OPA is widely used, so you expect to see it work out—you want to see that work out. The reality is you can count on two hands the number of commercially successful open source companies operating at scale. Even among those, all have had questions about their commercial viability at one point or another. Contrary to popular belief, there are no rules for what works in commercial open source. This stuff is hard.

History bears him out. There are successes—Red Hat (acquired by IBM), Elastic, MongoDB, Cloudera, MuleSoft, Confluent, Temporal, HashiCorp (also acquired by IBM)—but each navigated awkward trade-offs on licensing, cloud competition, or monetization models. There’s no single “do this and win” playbook.

Even where there’s funding, it doesn’t always land where the risk is. In 2022 I noted that OpenSSF’s multi-point plan was commendable, but generalized funding can’t paper over the reality that attack surfaces change faster than checklists. The most durable wins come from standards for provenance, routine signing, predictable response, and the plumbing that makes “secure by default” boring.

What works and what still doesn’t

Back to NPM. Why did this compromise “go out with a whimper”? Partly because the adversary deployed amateurish malware and got caught quickly. But there’s also evidence the ecosystem’s guardrails are better than they were a few years ago:
