Open Source is one person

I feel like there's a lot of misunderstanding of this issue in the software community, because primarily, supply chain risk isn't a software or engineering issue. It's a governance issue.

Someone doesn't have to be a bad actor for a project to have supply chain risk. Nor do all who evaluate supply chain risk have the same security posture and evaluate risks the same as others might. The DoD likely has a very different set of risks they evaluate against for their security posture than you do.

Most supply chain risks are not an indictment of somebody's code or somebody's character. A lot of one person projects are risky just because they're only one person. Having a bus factor of one is a supply chain risk in and of itself.

And while most people don't prepare for war while choosing their packages, it's not unreasonable for a military to do so. During a war, the ability for people to govern themselves and their own projects often changes dramatically, even in democratic countries. It is entirely routine for countries to require cooperation by the force of law in war time, even the US can and has forced private companies to cooperate with war efforts. This is probably not in the security posture calculation for most of us. But it is for some.

Guys say it with me: vendor your packages! VENDER YOUR PACKAGES!

How about: commit your dependency lockfiles, make sure they use content-addressing cryptographic checksums like Cargo.lock does.

This is also needed for both reproducible builds and SBOMs.

If you commit the actual source code you're making things worse, because it makes coordinated source code review efforts a lot harder. Also patch management with actual vendored source code is terrible.