a provider? Finances status, legal situation, even perhaps exclusive provider in certain markets, and others Then we trust the provider, even with cases where source code is not even provided as for example in the automotive industry with a lot of secrecy
but that is not under any commercial relationship, or when there is not a company behind it? You take it, create an internal product, and after certain risk analysis, you move forward and this is part of thee ofﬁcial and internal tech. stack.
does not exist and that is no providing commercial services? Beyond the usual analysis of source code or compliance, have a look at other areas: activity, community, and process. And work with this community as this were another partner. It happens this should be done in a differnt way.