Towards a proactive management of Open Source Supply Chains

实现开源供应链的主动管理

• 批准号: RGPIN-2021-02476
• 负责人: German, Daniel
• 金额: $ 2.11万
• 依托单位: University of Victoria
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2022
• 资助国家: 加拿大
• 起止时间: 2022-01-01 至 2023-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=749819
• 关键词: Towards; proactive; management; Open; Source

Open Source Software (OSS), particularly in the form of libraries and frameworks, has become a fundamental part of software development; almost any software today relies on some OSS. A supply chain is a network of entities involved in supplying a product or service to a consumer. An Open Source Supply Chain (OSSC) is a supply chain that involves one or more OSS components that are used without a bilateral agreement between the component creator/maintainer and its customer. Thus, an OSSC is customer managed: the vendor (creator/maintainer of the OSS component being used) is usually not even aware of who its customers (users) are. When organizations incorporate an OSS component, they assume the associated risk with using this component, and cannot rely on support from the creator of the component. Thus, they must be careful when they evaluate and adopt an OSS component into their OSSC. They must also monitor the evolution of their entire OSSC, responding in a timely manner to potential defects (especially security related ones), upgrades, deprecations, and other changes in these components. These challenges are exacerbated by the ever growing number of dependencies required to build a software system today, and the continuous increase in the reuse of OSS components. The goal of this research program is to create models, methods and tools that help organizations proactively manage their Open Source Supply Chains. This will help software organizations reduce the cost and risk of reusing OSS in their OSSC, and improve the quality of the software they build with it.

开放源码软件（OSS），特别是以库和框架的形式，已经成为软件开发的基本组成部分;今天几乎所有的软件都依赖于某种开放源码软件。供应链是一个实体网络，参与向消费者提供产品或服务。开源供应链（Open Source Supply Chain，OSSC）是一个包含一个或多个OSS组件的供应链，这些组件的使用无需组件创建者/维护者与其客户之间的双边协议。因此，OSSC是客户管理的：供应商（正在使用的OSS组件的创建者/维护者）通常甚至不知道其客户（用户）是谁。当组织合并OSS组件时，他们承担使用该组件的相关风险，并且不能依赖组件创建者的支持。因此，他们在评估和采用开放源码软件组件到他们的开放源码软件时必须谨慎。他们还必须监控整个OSSC的发展，及时响应这些组件中的潜在缺陷（特别是与安全相关的缺陷）、升级、弃用和其他更改。这些挑战由于当今构建软件系统所需的依赖性不断增加以及OSS组件重用的不断增加而加剧。该研究计划的目标是创建模型，方法和工具，帮助组织主动管理其开源供应链。这将帮助软件组织降低在其OSSC中重用OSS的成本和风险，并提高他们使用OSS构建的软件的质量。