The Architect's Supply Chain

When a critical dependency is left unmaintained, becomes compromised, or its sole maintainer becomes overwhelmed, the consequences are not a community problem; they are production incidents. Most architectures rely on a large number of Open Source components whose bus factor would not pass an internal review if the code were owned by a vendor.

This presentation treats Open Source sustainability as a primary architectural concern. We will examine concrete failure modes, such as maintainer burnout, hostile takeovers, advisory gaps, abandoned but still deployed packages, and the slow erosion that occurs when "free" infrastructure quietly becomes load-bearing. We will examine how recent ecosystem responses, such as security advisories enforced inside dependency resolvers, SBOM mandates, and foundation-funded maintenance, change what architects can and should require of their dependency graph.

You will gain a practical understanding of how to treat supply-chain risk in the same way as the risks that architects already manage, and learn which questions to ask during dependency selection. You will also discover what funding, contribution, and vendor diversification look like when treated as resilience controls rather than charity. The thesis is simple: if a dependency is critical to your architecture, its sustainability is your responsibility.

This presentation currently exists only as an idea and has not yet been accepted by a conference.

About me

I am the creator and maintainer of PHPUnit, the de facto standard testing framework within the PHP ecosystem. Used by millions of developers, it is embedded in the build pipelines of start-ups, Fortune 500 companies, and public sector organisations alike. I serve on the board of the PHP Foundation and am a co-founder of thePHP.cc, where I advise organisations on testing strategy, software architecture, and dependency management.

I have over 25 years of experience working with Open Source software, having contributed to the PHP language itself as well as the tools on which that ecosystem depends. This experience — as a maintainer of critical dependencies, a consultant to organisations that rely on them, and a co-founder of the foundation that is now funding the work — informs my writing and speaking on software quality, security, and the sustainability of the Open Source infrastructure on which modern architectures quietly rest.
