open-source
Safeguard articles tagged "open-source" — guides, analysis, and best practices for software supply chain and application security.
138 articles
What Is the Mozilla Public License (MPL 2.0)?
The Mozilla Public License 2.0 is a file-level copyleft license that sits between permissive and strong copyleft. Here is how its per-file reciprocity works and what it means for your project.
SCA for Beginners: Understanding Software Composition Analysis
Most of your application is code you did not write. Software Composition Analysis helps you keep that borrowed code safe. Here is a beginner-friendly tour with a first scan you can run today.
What Is the BSD License? 2-Clause vs 3-Clause Explained
The BSD licenses are a family of short, permissive licenses. This guide explains the 2-clause and 3-clause variants, what each permits, and what they mean for compliance.
What Is the GPL License? Copyleft Explained
The GNU General Public License is the best-known copyleft license. This guide explains what it permits, its source-disclosure obligations, GPLv2 vs GPLv3, and what it means for your project.
Software Supply Chain Security for Beginners: A Friendly First Guide
New to software supply chain security? This gentle, practical guide explains what it is, why every modern app depends on it, and how to run your very first check today.
What Is the Apache 2.0 License? A Complete Guide
The Apache License 2.0 is a permissive license with an explicit patent grant and a few conditions that set it apart from MIT and BSD. Here is what it permits, requires, and means for compliance.
What Is the MIT License? A Plain-English Guide
The MIT License is one of the shortest and most permissive open-source licenses in existence. Here is exactly what it lets you do, what it requires, and what it means for compliance.
Patch the Planet: What AI-Generated Fixes Actually Mean for Open-Source Maintainers
OpenAI's Patch the Planet, co-founded with Trail of Bits, wants to move widely-used open-source projects from findings to fixes. The ambition is right — but it shifts the bottleneck to maintainer review, patch provenance, and the trust of machine-authored code.
Black Hat Arsenal 2026 Preview: The Agentic AI and Supply-Chain Tools to Watch
Black Hat USA 2026 runs August 1–6 at Mandalay Bay, with Arsenal August 4–6. Here is an honest preview of the open-source tool categories worth your time — and how to tell signal from demo-day hype.
Linux Foundation versus Apache Software Foundation: how governance shapes supply-chain risk
Both foundations host critical software, but they organize it very differently. The Linux Foundation's project-by-project incubation model and the ASF's uniform graduation process produce different risk profiles for the consumers downstream.
A practical framework for assessing single-maintainer project risk
Truck factor is the headline metric, but it is not enough. Here is a working framework for evaluating single-maintainer projects in your dependency tree without panicking or being naive.
Maintainer burnout is a supply-chain risk: lessons from xz-utils
The xz-utils backdoor was made possible because a single exhausted maintainer accepted help from a patient and well-resourced stranger. Sustaining critical maintainers is now a security problem, not just a moral one.