Even with commercial software, questions about third-party risk and supply chain security loom large. When those questions extend to open source software, they can become absolutely overwhelming.