
Do you want to stop "supply chain compromises" as a company? Here's a very simple way to do so: pay a stipend to a maintainer of something you depend on.

You don't really need dependency tracking tools. You don't need to exactly parcel out the 'right' proportionate amount of money to every maintainer. All of that operational complexity is unnecessary.

It doesn't even matter *which* maintainer you pick, as long as it's one who isn't receiving a stipend yet, and you pay them enough to constitute a salary.

It will cost you exactly one developer salary. If every able company does this, the problem of supply chain compromises is solved tomorrow.

All you need to do is simply *do it*, and talk about it so that other companies will too.

To expand on this: you don't need to manage them. You don't need to track their progress. You don't need a special team for them, or a 'head of open-source'.

You pay them a salary in the same way that you would pay a salary to e.g. someone who you don't really have any work for, but don't want to see leaving for a competitor either: you add them to payroll and just let them do their thing.

They're already a maintainer so they know how to manage the project. There are no further expenses or organizational overhead for you.

@joepie91@social.pixie.town while this would make it less likely, it would in no way stop supply-chain attacks.

@tomasekeli The toot is deliberately simplified; the unstated context is "... within the trust model that corporations typically operate in" (which is based on reputation and popularity, and that is where 'insufficiently supported maintainers' are the #1 risk factor).

There are other types of supply chain compromises, but they are often effectively prevented by existing mechanisms already; it's specifically this one that is near-completely immune to those mechanisms.

@joepie91 There is another advantage to this: it would require traceability.

Specifically, the ability to connect the name of the contributor you're funding to *some* bank account and very likely also tax filing details.

That in itself creates a degree of accountability for the person in question.

A maintainer refusing compensation *does not* necessarily mean that there is something malicious going on, but it certainly is a red flag that probably deserves at least a cursory look.
