
I must disagree. A software supply chain is very different from the supply chain of physical goods, but it is still a chain of supplies, in the form of software code.

Looking at it strictly from an open source perspective is too narrow a focus. If I purchase O365 licenses from a reseller and they buy them from Microsoft, that's a supply chain. If I have an embedded system with a proprietary OS made by a 3-person company that uses proprietary firmware from other vendors, that is a supply chain.

The npm example is a good example of a convoluted and unreliable supply chain. OSS is an example of a supply chain that is unreliable by design: the suppliers disavow all responsibility to support or guarantee its features. The OSS supply chain being unreliable does not mean the supply chain does not exist; it just means you have to compensate for the unreliability yourself. The real-life equivalent would be sourcing materials from guys standing on a street corner selling stuff that "fell off a truck" or was "made in their garage".
