Safeguard
Tag

open-source

Safeguard articles tagged "open-source" — guides, analysis, and best practices for software supply chain and application security.

138 articles

Concepts

What Is the Mozilla Public License (MPL 2.0)?

The Mozilla Public License 2.0 is a file-level copyleft license that sits between permissive and strong copyleft. Here is how its per-file reciprocity works and what it means for your project.

Jul 3, 20266 min read
Guides

SCA for Beginners: Understanding Software Composition Analysis

Most of your application is code you did not write. Software Composition Analysis helps you keep that borrowed code safe. Here is a beginner-friendly tour with a first scan you can run today.

Jul 2, 20266 min read
Concepts

What Is the BSD License? 2-Clause vs 3-Clause Explained

The BSD licenses are a family of short, permissive licenses. This guide explains the 2-clause and 3-clause variants, what each permits, and what they mean for compliance.

Jul 2, 20266 min read
Concepts

What Is the GPL License? Copyleft Explained

The GNU General Public License is the best-known copyleft license. This guide explains what it permits, its source-disclosure obligations, GPLv2 vs GPLv3, and what it means for your project.

Jul 2, 20267 min read
Guides

Software Supply Chain Security for Beginners: A Friendly First Guide

New to software supply chain security? This gentle, practical guide explains what it is, why every modern app depends on it, and how to run your very first check today.

Jul 1, 20266 min read
Concepts

What Is the Apache 2.0 License? A Complete Guide

The Apache License 2.0 is a permissive license with an explicit patent grant and a few conditions that set it apart from MIT and BSD. Here is what it permits, requires, and means for compliance.

Jul 1, 20266 min read
Concepts

What Is the MIT License? A Plain-English Guide

The MIT License is one of the shortest and most permissive open-source licenses in existence. Here is exactly what it lets you do, what it requires, and what it means for compliance.

Jul 1, 20267 min read
AI Security

Patch the Planet: What AI-Generated Fixes Actually Mean for Open-Source Maintainers

OpenAI's Patch the Planet, co-founded with Trail of Bits, wants to move widely-used open-source projects from findings to fixes. The ambition is right — but it shifts the bottleneck to maintainer review, patch provenance, and the trust of machine-authored code.

Jun 24, 20266 min read
Industry Events

Black Hat Arsenal 2026 Preview: The Agentic AI and Supply-Chain Tools to Watch

Black Hat USA 2026 runs August 1–6 at Mandalay Bay, with Arsenal August 4–6. Here is an honest preview of the open-source tool categories worth your time — and how to tell signal from demo-day hype.

Jun 17, 20267 min read
Industry Insights

Linux Foundation versus Apache Software Foundation: how governance shapes supply-chain risk

Both foundations host critical software, but they organize it very differently. The Linux Foundation's project-by-project incubation model and the ASF's uniform graduation process produce different risk profiles for the consumers downstream.

May 15, 20268 min read
Open Source

A practical framework for assessing single-maintainer project risk

Truck factor is the headline metric, but it is not enough. Here is a working framework for evaluating single-maintainer projects in your dependency tree without panicking or being naive.

May 14, 20268 min read
Open Source

Maintainer burnout is a supply-chain risk: lessons from xz-utils

The xz-utils backdoor was made possible because a single exhausted maintainer accepted help from a patient and well-resourced stranger. Sustaining critical maintainers is now a security problem, not just a moral one.

May 13, 20267 min read
open-source (Page 2) — Safeguard Blog