Speakers
Description
Organizations are increasingly reliant on open-source software (OSS) to accelerate development and reduce costs. However, the health of the communities behind these projects is often overlooked, posing significant risks to the overall supply chain. This talk introduces the open source tool GrimoireLab that can shine lights onto those dark corners of your open source supply chain. We will also show how GrimoireLab was used in a novel Risk Assessment Model for the Maturity and Sustainability of open source dependencies, designed to address this critical challenge.
By using the GrimoireLab tool, combining concepts from the CHAOSS project and cloud-native deployment maturity models, our approach goes beyond traditional Software Bill of Materials (SBOM) analysis to evaluate the ongoing maintenance activity and community health of OSS projects. This enables organizations to:
- Assess the long-term viability of their open source dependencies.
- Make informed decisions about library selection and integration.
- Proactively mitigate risks associated with unhealthy or unsustainable communities.
This talk will delve into the model's design and implementation with GrimoireLab, using Kubernetes as a case study. By adopting this approach, organizations can build a more resilient and sustainable software foundation, ensuring the long-term health of their open source supply chain.