Be prepared for open source software risks

Companies need to prepare for the risks and responsibilities of using open source software, according to Chainguard's Dan Lorenc. Nothing is ever completely free.

Dan Lorenc, co-founder and CEO of Chainguard, doesn't believe "tragedy of the commons" is an accurate label for what's happening today with open source software.

"It's an easy analogy to make because you see open source as something everyone depends on but no one is incentivized to maintain," he tells TechTarget Editorial's Beth Pariseau in Episode 7 of IT Ops Query: Tech's Tragedy of the Commons.

But unlike a commons such as a public park, where overuse can diminish the resource, open source software doesn't deteriorate the more it's downloaded.

That said, Lorenc, who is also a member of the OpenSSF Technical Advisory Committee, doesn't overlook the inherent risks that come with using open source software, especially in terms of sustainability and liability.

Although the source code might be free, there is no such thing as a free lunch, he said. He thinks companies should consider and plan for maintenance given that a vulnerability could have crippling effects on business operations and national security.

"Make sure you know what you're adopting. Make sure you know that it's sustainably developed or not. And have a plan for what to do in case maintenance does slow down or isn't up to the standard you have," he said. "And that plan can't be just file angry GitHub issues and yell at the maintainers."

Governments, too, are focused on open source software maintenance. But the work on this front is tricky, given the lack of a software warranty for open source and the constraints around free speech. In Episode 7 of IT Ops Query, Lorenc explains why, shares his perspective on open source licensing rug pulls, and discusses how companies might be able to avoid such disruptions.

Nicole Laskowski is a senior news director for TechTarget Editorial. She drives coverage for news and trends around enterprise applications, application development and storage.

Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.

