Brussels / 31 January & 1 February 2026

Binary Dependencies: Identifying the Hidden Packages We All Depend On

Package manifests record source-level dependencies: pandas depends on numpy's code. The story is different for binary dependencies: numpy depends on OpenBLAS's binaries, but package managers can't easily see this. We must map the OSS ecosystem's binary dependency relationships to reliably (1) identify upstream security vulnerabilities and (2) properly credit and financially support maintainers. I propose solving this problem by creating a global index of binary dependencies, using a global linker that tracks binaries' symbols across the entire Open Source ecosystem, combined with auxiliary strategies like statically analysing build recipes.
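As an added illustration, not part of the talk or the speaker's tooling, the following toy "global linker" resolves each binary's undefined symbols against the symbols every other binary exports, yielding the binary dependency graph the abstract describes and the reverse lookup needed for goal (1), finding everything that transitively links a vulnerable library. The symbol tables are constructed by hand (they are not real numpy, SciPy or OpenBLAS symbol dumps), and the ambiguous and unresolved cases are included to show where the auxiliary strategies the abstract mentions would have to take over.

```python
from collections import defaultdict

# Constructed symbol tables: binary -> (exported symbols, undefined symbols).
# libmkl_rt.so deliberately exports dgemm_ too, so that symbol alone cannot
# tell a linker which BLAS a consumer actually uses.
SYMBOLS = {
    "libpthread.so":             ({"pthread_create"}, set()),
    "libopenblas.so":            ({"dgemm_", "dgesv_"}, {"pthread_create"}),
    "libmkl_rt.so":              ({"dgemm_"}, set()),
    "numpy/_multiarray_umath.so": ({"PyInit__multiarray_umath"}, {"dgemm_", "dgesv_"}),
    "scipy/_flapack.so":         ({"PyInit__flapack"}, {"dgesv_", "dgemm_"}),
    "pandas/_libs.so":           ({"PyInit_algos"}, {"_some_removed_symbol"}),
}

def build_index(symbols):
    """Map every exported symbol to the set of binaries that provide it."""
    providers = defaultdict(set)
    for binary, (exported, _) in symbols.items():
        for sym in exported:
            providers[sym].add(binary)
    return providers

def link(symbols):
    """Resolve undefined symbols. Returns (deps, ambiguous, unresolved):
    deps       binary -> binaries it must be linked against
    ambiguous  (binary, symbol) -> several candidate providers
    unresolved binary -> symbols no indexed binary exports"""
    providers = build_index(symbols)
    deps, ambiguous, unresolved = defaultdict(set), {}, defaultdict(set)
    for binary, (_, undefined) in symbols.items():
        for sym in undefined:
            candidates = providers.get(sym, set()) - {binary}
            if not candidates:
                unresolved[binary].add(sym)          # index is incomplete
            elif len(candidates) > 1:
                ambiguous[(binary, sym)] = candidates  # needs build-recipe analysis
            else:
                deps[binary] |= candidates
    return dict(deps), ambiguous, dict(unresolved)

def dependents_of(deps, target):
    """Every binary that transitively links against `target` (blast radius)."""
    reverse = defaultdict(set)
    for binary, needed in deps.items():
        for lib in needed:
            reverse[lib].add(binary)
    seen, stack = set(), [target]
    while stack:
        for dependent in reverse[stack.pop()]:
            if dependent not in seen:
                seen.add(dependent)
                stack.append(dependent)
    return seen
```

Running `link(SYMBOLS)` resolves numpy and SciPy to OpenBLAS through `dgesv_` even though `dgemm_` is ambiguous, so `dependents_of(deps, "libpthread.so")` reaches both through OpenBLAS.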

Speakers

Vlad-Stefan Harbuz

Links