We all use open source — npm packages, PyPI libraries, GitHub repos — but do we ever stop to ask: where does this code really come from? What if your most used dependency has contributors from North Korea or a sanctioned country? What happens if your CI pulls code written by someone on a global watchlist — and you didn’t even know?
This lightning talk dives into the messy but important question of whether open source should have a "country of origin" tag. Should countries run their own mirrors of npm and PyPI to avoid foreign influence? Is trusting code without knowing who wrote it becoming a national security risk?
Let’s explore what it means when code crosses borders — and whether that’s still okay in today’s world.
You might be using code written by people in sanctioned countries — and not even know it.
Package managers like npm and PyPI don’t tell you where the code comes from or who wrote it.
Some countries are now thinking about hosting their own mirrors to avoid foreign risks — maybe we should too.