If the XZ Utils mess taught the tech world anything, it’s that open source isn’t just about code. It’s about people. And sometimes, the wrong person can quietly slip into a project, earn trust, and then pull the rug out from under everyone.
That’s the backdrop for NetRise Provenance, a newly announced tool that tries to answer a question many companies are now asking a bit nervously: not just what code is inside their software, but who put it there.
The company says its platform can map open source components back to actual maintainers and contributors, then track how their code spreads across dependency chains. In theory, that means if a bad actor sneaks into one project, organizations could quickly see how far that risk travels across their systems. After the XZ Utils incident, that kind of visibility sounds appealing.
But here’s where things get a little complicated.
Open source has always run on trust. People contribute code, communities review it, and over time reputations form. NetRise is essentially trying to formalize that trust into something measurable, with signals like contributor history, project behavior, and even geographic attribution.
That last part may raise eyebrows.
Mapping contributors to locations and organizations could help with compliance and risk analysis, especially for enterprises worried about sanctions or supply chain attacks. At the same time, it edges into territory that some developers may find uncomfortable. Open source has long thrived on a certain level of openness and pseudonymity. Turning contributors into risk profiles could change that dynamic.
From a technical standpoint, the idea isn’t entirely new. Software bills of materials, or SBOMs, already give companies a list of components inside their applications. The problem is that SBOMs don’t tell you much about the humans behind those components. NetRise is trying to fill that gap by layering identity and behavior on top of existing dependency data.
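To make the "how far does the risk travel" idea concrete, here is an added illustration (not NetRise's code or any real SBOM): a small constructed SBOM-style dependency graph is annotated with maintainers, and a reverse-dependency walk reports every component that transitively depends on code a flagged maintainer can commit to. Component and maintainer names are made up for the example.

```python
from collections import deque

# Constructed example. The "maintainers" field is an annotation layered on
# top of SBOM data; a plain SBOM only lists components and dependencies.
SBOM = {
    "components": {
        "app":        {"maintainers": ["alice"]},
        "libarchive": {"maintainers": ["bob"]},
        "liblzma":    {"maintainers": ["carol", "frank"]},
        "sshd":       {"maintainers": ["dave"]},
        "libcurl":    {"maintainers": ["erin"]},
    },
    # component -> components it depends on directly
    "dependencies": {
        "app": ["libarchive", "sshd", "libcurl"],
        "libarchive": ["liblzma"],
        "sshd": ["liblzma"],
        "libcurl": [],
        "liblzma": [],
    },
}


def reverse_deps(sbom):
    """Build the reverse graph: component -> set of components depending on it."""
    rev = {name: set() for name in sbom["components"]}
    for parent, children in sbom["dependencies"].items():
        for child in children:
            rev.setdefault(child, set()).add(parent)
    return rev


def components_by_maintainer(sbom, maintainer):
    """Components the maintainer has commit rights to (depth-0 exposure)."""
    return sorted(n for n, c in sbom["components"].items()
                  if maintainer in c["maintainers"])


def blast_radius(sbom, maintainer):
    """Map each transitively affected component to its hop distance from
    the maintainer's own component(s). Breadth-first, so depth is minimal."""
    rev = reverse_deps(sbom)
    reached = {}
    queue = deque((n, 0) for n in components_by_maintainer(sbom, maintainer))
    while queue:
        node, depth = queue.popleft()
        if node in reached:
            continue
        reached[node] = depth
        for parent in rev.get(node, ()):
            queue.append((parent, depth + 1))
    return reached


if __name__ == "__main__":
    for name, depth in sorted(blast_radius(SBOM, "frank").items(), key=lambda kv: kv[1]):
        print(f"{'  ' * depth}{name} (hops: {depth})")
```

Running it for the flagged maintainer "frank" shows that one compression library pulls both the archive library and the SSH daemon, and through them the application, into scope.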
Whether that actually solves the problem is another question.
Supply chain attacks aren’t just about who wrote the code. They’re about how trust is built, how reviews are handled, and how quickly issues are detected. A tool can flag risk, but it can’t replace a healthy open source community or careful code auditing.
Still, the demand for something like this is clearly growing. Enterprises don’t like uncertainty, and right now, open source supply chains are full of it. If a tool promises faster answers when something goes wrong, there’s going to be interest.
So yes, NetRise Provenance is launching at the right time. The real question is whether it becomes a useful layer of visibility, or just another dashboard that makes people feel safer than they actually are.
Either way, one thing is clear. The conversation around open source is shifting. It’s no longer just about what the code does. It’s about who you trust to write it.