NPM attacks and the security of software supply chains

OPA is widely used, so you expect to see it work out—you want to see that work out. The reality is you can count on two hands the number of commercially successful open source companies operating at scale. Even among those, all have had questions about their commercial viability at one point or another. Contrary to popular belief, there are no rules for what works in commercial open source. This stuff is hard.

History bears him out. There are successes—Red Hat (acquired by IBM), Elastic, MongoDB, Cloudera, MuleSoft, Confluent, Temporal, HashiCorp (also acquired by IBM)—but each navigated awkward trade-offs on licensing, cloud competition, or monetization models. There’s no single “do this and win” playbook.

Even where there is funding, it doesn’t always land where the risk is. In 2022 I noted that OpenSSF’s multi-point plan was commendable, but generalized funding can’t paper over the fact that attack surfaces change faster than checklists. The most durable wins come from standards for provenance, routine signing, predictable response, and the plumbing that makes “secure by default” boring.

What works and what still doesn’t

Back to NPM. Why did this compromise “go out with a whimper”? Partly because the adversary deployed amateurish malware and got caught quickly. But there is also evidence that the ecosystem’s guardrails are better than they were a few years ago:
