On Tuesday, Google announced a new program around open-source software – and their attempt to secure the supply chain. The new program, Assured Open Source Software, curates and distributes a security vetted collection of open source packages to Google Cloud customers.
Per the Verge, a list of the 550 major open-source libraries being continuously reviewed by Google is available on GitHub. While these libraries can all be downloaded independently of Google, the Assured OSS program will see audited versions distributed through Google Cloud — mitigating against incidents where developers intentionally or unintentionally corrupt widely used open-source libraries. This service is in early access mode and is expected to be made available for broader customer testing in Q3 2022.
While I’m covering Google Cloud, TD Synnex has announced the availability of Google Cloud solutions within its portfolio.
Why do we care?
Cloud available within traditional distribution channels is a notable development and shows the mainstream nature of the technology. A technology, mind you, that is rapidly maturing. I wouldn’t cite this Google program as the perfect solution, but perhaps a solid middle ground for those asking for a software bill of materials? What if the software was built on only security vetted packages? It would undoubtedly make the foundation have a smaller attack surface.
Some savvy teams will be asking questions about how to get to this state.

