The recently popular post, “I am not a supplier”, made the argument that FOSS developers are volunteers, not suppliers. A lot of detail was added around this argument, but that is its essential logic. Unfortunately, while people like simple arguments, black or white, this or that, supplier or volunteer, things are rarely that simple. In short, you can be both a supplier and a volunteer.
The good news for FOSS volunteers is that being a supplier is not about you; it is about the people using your code. If you have no relationship with those users, being called a supplier does not create one. Being designated a supplier is about what they, the consumers of your code, need to do.
While people may mock the ISO quality standards, and they are certainly not always used correctly, they can be a good reference for sound quality management. For this particular question, the relevant part is ISO 9001 section 8.4, “Control of Externally Provided Processes, Products and Services”. A key principle of this section is that an organization cannot outsource responsibility: it can buy in (or download) a component, but it still owns the quality of what it delivers.
The organization SHALL ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.
The lengthening list of dependency-related incidents, such as left-pad, Heartbleed, and Log4j, indicates that software companies need to pay more attention to their supply chains. However, it is not as if the software industry has been unaware of the issue. For example, see “Our Software Dependency Problem”. Interestingly and importantly, that article discusses things dependency consumers should be doing. Nowhere does it suggest that organizations should try to squeeze more out of volunteers.
The increased focus on software supply chains is good for the industry. It represents a maturing ecosystem, one that is perhaps a little late in learning quality management lessons that have been known for years in other industries. If a dependency is provided AS-IS, guess who is responsible when it breaks? The organization that shipped it to its customers, not the volunteer who wrote it.