Volker Schukai

Thoughts on the software supply chain (GitLab)

I know this is a dry subject, but we have to get through it now.

As The Register reported, GitLab wants to delete repos.

When I read that, I thought to myself:

At first, that doesn't sound so tragic.
It should only hit repos that are no longer maintained.
And so many projects don't use GitLab.com yet.

But if you have software that relies on that code, you won't be able to build your product. And what if Microsoft (GitHub) does the same?

And of course, GitLab has the right to do this to reduce costs. But it is still hard.

But what does it mean for your software?

The software supply chain includes everything we use in the development of software, be it the images for icons or the library for calculating statistics.

Many ecosystems use repositories to distribute and manage code.

Node has npm or yarn, PHP has Composer, and Go can fetch modules directly from their source repositories or through the Google-run module proxy.

For example, many Node projects only commit package.json, not the packages themselves; every fresh install fetches them again over the network.

Software components often depend on platforms and systems that we cannot control.

Yes, there are some mirrors, but the resilience is not very high.

When we run npm install or go get, we should consider what happens if that code is no longer available.

Let's see if GitLab follows through or backs out.

In our company, we have all external software available in source code.
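A first step toward that is knowing where each dependency actually comes from and whether a copy exists under your own control. The following script is an added example, not code from the original post: it inspects an npm package-lock.json (lockfile v1 and v2/v3 layouts) and flags every package whose resolved URL points somewhere other than a registry you mirror, then compares a go.mod against vendor/modules.txt to list modules that are required but not vendored at the required version. The lockfile, go.mod and modules.txt contents are constructed for the example, and the TRUSTED_HOSTS set is an assumption you would replace with your own mirror.

```python
"""Inventory dependency origins and check that they are vendored.

Added example (not from the original post). Two checks:
  1. npm_external_sources: which entries of package-lock.json resolve to a
     code host (gitlab.com, github.com, ...) or a local path rather than a
     registry we mirror. Those break the day the upstream repo disappears.
  2. go_unvendored: which go.mod requirements are missing from
     vendor/modules.txt, or vendored at a different version.
All sample inputs below are constructed for the example.
"""
import json
import re
from urllib.parse import urlparse

# Assumed for the example: registries/proxies we mirror ourselves and therefore
# consider durable. Replace with your own mirror hosts.
TRUSTED_HOSTS = {"registry.npmjs.org", "proxy.golang.org", "mirror.example.internal"}

# Constructed lockfile v3 sample: one registry package, one git dependency on
# GitLab, one local file: dependency.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0",
                              "some-widget": "git+https://gitlab.com/acme/some-widget.git"}},
        "node_modules/left-pad": {"version": "1.3.0",
                                  "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/some-widget": {"version": "0.4.1",
                                     "resolved": "git+https://gitlab.com/acme/some-widget.git#abc123"},
        "node_modules/local-tool": {"version": "1.0.0", "resolved": "file:../local-tool"},
    },
})

# Constructed go.mod: three requirements, one of them hosted on gitlab.com.
SAMPLE_GO_MOD = """module example.com/demo

go 1.21

require (
\tgithub.com/foo/bar v1.2.3
\tgitlab.com/acme/widget v0.4.1 // indirect
)
require golang.org/x/text v0.14.0
"""

# Constructed vendor/modules.txt: widget is not vendored at all and x/text is
# vendored at an older version than go.mod requires.
SAMPLE_MODULES_TXT = """# github.com/foo/bar v1.2.3 h1:constructedhash=
## explicit; go 1.21
github.com/foo/bar
# golang.org/x/text v0.13.0 h1:constructedhash=
## explicit
golang.org/x/text/unicode
"""


def npm_external_sources(lock_text):
    """Return sorted (package, origin) pairs not served from a trusted host.

    origin is the hostname of the resolved URL, or the URL scheme (e.g. "file")
    when there is no host, or "unresolved" when the entry has no resolved URL.
    """
    lock = json.loads(lock_text)
    found = []

    def visit(name, entry):
        resolved = entry.get("resolved", "")
        host = urlparse(resolved).hostname  # works for git+https://, git+ssh://, ...
        if host is None:
            found.append((name, resolved.split(":")[0] if resolved else "unresolved"))
        elif host not in TRUSTED_HOSTS:
            found.append((name, host))

    if "packages" in lock:  # lockfile v2/v3: flat map keyed by install path
        for path, entry in lock["packages"].items():
            if path == "":  # the root project itself
                continue
            visit(entry.get("name") or path.rsplit("node_modules/", 1)[-1], entry)
    else:  # lockfile v1: nested "dependencies" tree
        def walk(deps):
            for name, entry in deps.items():
                visit(name, entry)
                walk(entry.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return sorted(found)


def go_unvendored(gomod_text, modules_txt):
    """Return sorted (module, version) pairs required by go.mod but absent
    from vendor/modules.txt or vendored at another version."""
    required, in_block = {}, False
    for line in gomod_text.splitlines():
        line = line.split("//")[0].strip()  # drop "// indirect" style comments
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if in_block or line.startswith("require "):
            m = re.match(r"(?:require\s+)?(\S+)\s+(v\S+)$", line)
            if m:
                required[m.group(1)] = m.group(2)
    vendored = {}
    for line in modules_txt.splitlines():
        if line.startswith("# "):  # "# module/path vX.Y.Z h1:..." header lines
            parts = line.split()
            if len(parts) >= 3:
                vendored[parts[1]] = parts[2]
    return sorted((p, v) for p, v in required.items() if vendored.get(p) != v)


if __name__ == "__main__":
    for name, origin in npm_external_sources(SAMPLE_PACKAGE_LOCK):
        print(f"npm: {name} comes from {origin}")
    for mod, ver in go_unvendored(SAMPLE_GO_MOD, SAMPLE_MODULES_TXT):
        print(f"go: {mod}@{ver} is not vendored at that version")
```

Replace the sample constants with your real lockfile, go.mod and vendor/modules.txt to run this against a project; anything it reports is a dependency that a deleted upstream repository would take with it. Note that go.mod replace directives are not handled here.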

Are you taking care of the software supply chain? What measures are you taking?
