OPA is widely used, so you expect to see it work out; you want to see it work out. The fact is you can count on two hands the number of commercially successful open source companies operating at scale. Even among these, all have had questions about their commercial viability at one point or another. Contrary to popular belief, there are no rules for what works in commercial open source. This stuff is hard.
History bears him out. There are successes: Red Hat (acquired by IBM), Elastic, MongoDB, Cloudera, MuleSoft, Confluent, Temporal, HashiCorp (also acquired by IBM). But each navigated awkward trade-offs on licensing, cloud competition, or monetization models. There's no single "do this and win" playbook.
Even where there is funding, it doesn't always land where the risk is. In 2022 I noted that OpenSSF's multi-point plan was commendable, but generalized funding can't paper over the fact that attack surfaces change faster than checklists. The most durable wins come from standards for provenance, routine signing, predictable response, and the plumbing that makes "secure by default" boring.
What works and what still doesn't
Back to NPM. Why did this compromise "go out with a whimper"? Partly because the adversary deployed amateurish malware and got caught quickly. But there's also evidence that the ecosystem's guardrails are better than they were a few years ago: