Google to launch repository service for open-source software packages

Reflect Security Solutions

--

The paid Assured Open Source Software service will offer common open-source packages after vetting the provenance of its code and dependencies.

Developers across the enterprise space are concerned about the security of the open-source software supply chain, on which they depend heavily for application development. In response, Google plans to make its own security-hardened internal open-source component repository available as a new paid service called Assured Open Source Software (Assured OSS).

The service will contain common open-source packages that have been built from source code after the provenance of the code and its dependencies has been vetted and the code has been reviewed and tested for vulnerabilities.

According to Eric Brewer, Google Cloud’s vice president of infrastructure, the company already maintains its own internal security-tested versions of many open-source packages for its own software development pipeline, so the basics for the new service were already there.

The service will start out with a collection of around 500 Java and Python packages that Google uses, but it will be expanded in the future to cover other programming languages. Customers will also be able to submit any open-source packages they rely on to be added and managed through the repository and receive the same security assurance treatment as the existing ones.

This is a good initiative by Google. Hopefully we will see a reasonable level of security in open-source software, and a quick turnaround time for security fixes is expected. Google may be the one starting this initiative for now, but sure enough, other organizations will follow in its footsteps and convert freely available code into business.

This raises the questions: “What is the fate of open-source software and the open-source community?”, “Can tech giants like Google influence users into using their software instead of open-source code?”, “Will open source really be open source in the future?”

What do you think?

--

Reflect Security Solutions

Cyber security evangelists working hard to make small and medium-sized businesses cyber safe. We focus on simplified and effective security solutions.