[$] The burden of knowledge: dealing with open-source risks

Organizations relying on open-source software have a wide range of
tools, scorecards, and methodologies to try to assess security, legal,
and other risks inherent in
their so-called supply chain. However, Max Mehl argued
recently in a short talk at FOSS Backstage in Berlin (and
online) that all of
this objective information and data is insufficient to truly
understand and address risk. Worse, this information doesn't provide
options to improve the situation and encourages a passive mindset. Mehl, who works as part of
the CTO group at DB Systel, encouraged better risk assessment using
qualitative data and direct participation in open source.