FOSS Backstage 2025

The Burden of Knowledge: Dealing With Open Source Risks
2025-03-10, Wintergarten

As we analyse our software supply chains more closely, tools and scorecards reveal potential risks in Open Source projects such as low maintenance, a lack of community, or poor security practices. How should we handle this? Manual reviews? Questionnaires? Funding? Let's explore options to address these challenges strategically, without ignorance or fear.


Open Source is essential to modern software supply chains, and each package we use may carry risks. We have access to more information than ever about the projects we rely on, through metrics, security reports, or community analysis. Yet this data alone doesn't help if it merely points out potential problems (for which we often don't know whether they will actually have a negative effect on us) without offering solutions.

This session focuses on the strategic decisions OSPOs and development teams need to make: How do we assess risk in Open Source? How do we decide whether to use a project, invest our own resources to support it, or move away from a dependency? When does it make sense to actively engage with or withdraw from an Open Source project?
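One way to make the "use, support, or move away" decision less arbitrary is to combine a project's risk signals with how exposed you actually are to it: a poorly maintained library that three quarters of your applications pull in transitively calls for engagement, while the same library behind a single application can simply be replaced. The following is an added example, not code from the talk, the speaker, or Deutsche Bahn. The dependency graph, the applications, the risk signals, the weightings and the decision thresholds are all constructed assumptions; the signal names only loosely mirror the kinds of checks scorecard tools report and are not any tool's real output.

```python
"""Exposure-weighted triage of Open Source dependency risk signals.

Added example (not from the talk or any organisation). All data, weights
and thresholds are constructed assumptions chosen for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Signals:
    """Constructed per-project signals, in the spirit of scorecard checks."""
    days_since_last_commit: int
    active_maintainers: int
    has_security_policy: bool
    open_known_vulns: int


def risk_score(s: Signals) -> float:
    """Map raw signals to a 0..1 risk score (assumed weighting)."""
    score = 0.0
    if s.days_since_last_commit > 365:
        score += 0.35
    elif s.days_since_last_commit > 180:
        score += 0.15
    if s.active_maintainers <= 1:          # bus factor of one
        score += 0.25
    if not s.has_security_policy:
        score += 0.10
    score += min(0.30, 0.10 * s.open_known_vulns)
    return round(min(1.0, score), 2)


def consumers(pkg: str, graph: dict) -> set:
    """All nodes that transitively depend on pkg (reverse reachability)."""
    reverse: dict = {}
    for node, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(node)
    seen: set = set()
    queue = deque([pkg])
    while queue:
        current = queue.popleft()
        for parent in reverse.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def exposure(pkg: str, graph: dict, apps: set) -> float:
    """Fraction of internal applications that transitively depend on pkg."""
    affected = consumers(pkg, graph) & apps
    return round(len(affected) / len(apps), 2) if apps else 0.0


def decide(risk: float, exp: float, high_risk: float = 0.5, high_exp: float = 0.3) -> str:
    """Assumed decision policy: low risk -> use; high risk -> support if widely
    used (replacing it would touch many applications), otherwise replace."""
    if risk < high_risk:
        return "use"
    return "support" if exp >= high_exp else "replace"


def triage(graph: dict, apps: set, signals: dict) -> dict:
    """Return {package: {risk, exposure, action}} for every scored package."""
    result = {}
    for pkg, s in signals.items():
        risk = risk_score(s)
        exp = exposure(pkg, graph, apps)
        result[pkg] = {"risk": risk, "exposure": exp, "action": decide(risk, exp)}
    return result


# Constructed sample: four internal applications and their dependency graph.
APPS = {"app-booking", "app-timetable", "app-billing", "app-freight"}
GRAPH = {
    "app-booking": {"web-framework", "yaml-parser"},
    "app-timetable": {"web-framework"},
    "app-freight": {"web-framework"},
    "app-billing": {"pdf-lib"},
    "web-framework": {"http-core", "yaml-parser"},
    "pdf-lib": {"zip-utils"},
}
SIGNALS = {
    "web-framework": Signals(20, 12, True, 0),
    "http-core": Signals(400, 1, False, 1),   # stale, single maintainer, 1 vuln
    "yaml-parser": Signals(30, 3, True, 0),
    "pdf-lib": Signals(900, 1, False, 0),     # stale, but only one consumer
    "zip-utils": Signals(60, 2, True, 0),
}

if __name__ == "__main__":
    for pkg, row in sorted(triage(GRAPH, APPS, SIGNALS).items()):
        print(f"{pkg:14} risk={row['risk']:.2f} exposure={row['exposure']:.2f} -> {row['action']}")
```

The point of the example is the second axis: `http-core` and `pdf-lib` look equally bad on the raw signals, yet one ends up as a candidate for funding or contribution and the other as a candidate for replacement, purely because of how many applications sit on top of each. Real programmes would also weigh whether the package is reachable at runtime, whether a vulnerability is actually exploitable in their context, and how costly a migration is; those inputs are left out here.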

This talk cannot provide all answers but gives an overview of feasible options and the foundation for a more informed discussion. It enters an ongoing discussion between "Let's measure everything", "Let's avoid all risky Open Source, which probably is everything but Linux, curl and Kubernetes", and "Let's not look at the data because it might scare off our management".

Coming from an organisation using a 6-digit number of Open Source packages and progressing in understanding its full software supply chain, I will also share some practical insights and learnings.

Max Mehl has been dedicated to Open Source for many years, in various roles and contributing from different perspectives. He deals with all aspects of Open Source at Deutsche Bahn, Europe's largest railway operator and infrastructure owner. In this role, he supports both the professional use of and contribution to Open Source. Previously, he worked for the Free Software Foundation Europe (FSFE), where he coordinated initiatives such as "Public Money? Public Code!" and REUSE.