Towards a proactive management of Open Source Supply Chains

实现开源供应链的主动管理

• 批准号: RGPIN-2021-02476
• 负责人: German, Daniel
• 金额: $ 2.11万
• 依托单位: University of Victoria
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2022
• 资助国家: 加拿大
• 起止时间: 2022-01-01 至 2023-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=749819
• 关键词: Towards; proactive; management; Open; Source

Open Source Software (OSS), particularly in the form of libraries and frameworks, has become a fundamental part of software development; almost any software today relies on some OSS. A supply chain is a network of entities involved in supplying a product or service to a consumer. An Open Source Supply Chain (OSSC) is a supply chain that involves one or more OSS components that are used without a bilateral agreement between the component creator/maintainer and its customer. Thus, an OSSC is customer managed: the vendor (creator/maintainer of the OSS component being used) is usually not even aware of who its customers (users) are. When organizations incorporate an OSS component, they assume the associated risk with using this component, and cannot rely on support from the creator of the component. Thus, they must be careful when they evaluate and adopt an OSS component into their OSSC. They must also monitor the evolution of their entire OSSC, responding in a timely manner to potential defects (especially security related ones), upgrades, deprecations, and other changes in these components. These challenges are exacerbated by the ever growing number of dependencies required to build a software system today, and the continuous increase in the reuse of OSS components. The goal of this research program is to create models, methods and tools that help organizations proactively manage their Open Source Supply Chains. This will help software organizations reduce the cost and risk of reusing OSS in their OSSC, and improve the quality of the software they build with it.

开源软件（OSS），特别是在库和框架的形式中，已成为软件开发的基本组成部分；如今，几乎所有软件都依赖于某些OSS。供应链是涉及为消费者提供产品或服务的实体网络。开源供应链（OSSC）是一个供应链，涉及一个或多个OSS组件，这些组件在组件创建者/维护者及其客户之间无需双边协议而使用。因此，OSSC是客户管理的：供应商（所使用的OSS组件的创建者/维护者）通常都不知道其客户（用户）是谁。当组织合并OSS组件时，他们会在使用此组件的情况下承担相关的风险，并且不能依靠组件创建者的支持。因此，当他们评估并采用OSS组件中的OSSC时，他们必须小心。他们还必须监视整个OSSC的演变，及时响应潜在的缺陷（尤其是与安全相关的缺陷），这些组件中的升级，折旧和其他变化。当今构建软件系统所需的依赖数量不断增长以及OSS组件的重复使用不断增加所需的依赖性数量不断增长。该研究计划的目的是创建模型，方法和工具，以帮助组织主动管理其开源供应链。这将帮助软件组织降低OSSC中OSS重复使用的成本和风险，并提高其构建的软件的质量。