nesbitt.io
Package Management at FOSDEM 2026
FOSDEM 2026 ran last weekend in Brussels with its usual dense schedule of talks across open source projects and communities. Package management had a strong presence again this year, with a dedicated devroom plus related content scattered across the Distributions, Nix and NixOS, and SBOMs and Supply Chains tracks. Main Track Talks: Kenneth Hoste presented How to Make Package Managers Scream, a follow-up to his FOSDEM 2018 talk about making package managers cry. Hoste showcased creative and eff...
Incident Report: CVE-2024-YIKES
Report filed: 03:47 UTC Status: Resolved (accidentally) Severity: Critical → Catastrophic → Somehow Fine Duration: 73 hours Affected systems: Yes Executive Summary: A security incident occurred. It has been resolved. We take security seriously. Please see previous 14 incident reports for details on how seriously. Summary A compromised dependency in the JavaScript ecosystem led to credential theft, which enabled a supply chain attack on a Rust compression library, which was vendored into a Python...
Will AI Make Package Managers Redundant?
A recent post by Marcelo Emmerich proposes replacing package managers with a “prompt registry.” Instead of publishing code, library authors would publish AI prompts. Developers paste the prompt into their AI tool, which generates a self-contained implementation on the spot. No transitive dependencies, no supply chain attacks, no version conflicts. The code is generated fresh each time, tailored to your language and project. It’s a naive vision, but it points at real problems. Supply chain attack...
Zig and the M×N Supply Chain Problem
Zig shipped a built-in package manager in version 0.11 in August 2023. It uses build.zig.zon files for manifests and fetches dependencies directly from URLs, usually tarballs on GitHub. There’s no central registry yet, though the community runs unofficial indexes like zpm and aquila.[1] The package manager works well enough for declaring dependencies, fetching them, and building against them. The hard part is everything else: the ecosystem of tools, services, and infrastructure that makes a pack...
The Dependency Layer in Digital Sovereignty
David Eaves recently argued that the path to tech sovereignty runs through commodification, not duplication. Europe shouldn’t try to build its own AWS. Instead, governments should use procurement power to enforce interoperability standards. The S3 API became a de facto standard that lets you move between providers, reducing switching costs. If governments required that kind of compatibility as a condition for contracts, smaller providers could compete. Sovereignty through standards rather than ...
The C-Shaped Hole in Package Management
System package managers and language package managers are both called package managers. They both resolve dependencies, download code, and install software. But they evolved to solve different problems, and the overlap is where all the friction lives. If you drew a Venn diagram, C libraries would sit right in the middle: needed by language packages, provided by system packages, understood by neither in a way the other can use. As Kristoffer Grönlund put it in 2017: “Why are we trying to manage ...
Introducing Package Chaos Monkey
We are excited to announce general availability of Package Chaos Monkey, a new addition to the Resilience Engineering suite designed to help teams build confidence in their software supply chain. Modern applications rely on hundreds of third-party packages, yet most teams have never validated their systems against the failure modes that occur in production. Package Chaos Monkey addresses this gap by padding left on supply chain resilience, continuously injecting realistic faults into your depend...
PkgFed: ActivityPub for Package Releases
ForgeFed extends ActivityPub for software forges. The idea is that GitLab, Gitea, Forgejo, and other forges could federate with each other the way Mastodon instances do: follow users across servers, get notified when they push commits, comment on issues from a different instance. It’s been in development since 2019, slow going but still alive. Forgejo is the main implementer. ForgeFed’s spec covers repositories, commits, issues, pull requests. It even has a Release type and ReleaseTracker actor ...
Rewriting git-pkgs in Go
This past week I’ve rewritten git-pkgs in Go. git-pkgs is a git subcommand that indexes your dependency history into a SQLite database. It parses manifests and lockfiles across 35+ package managers, tracks every add, update, and remove through your git history, and gives you commands like git pkgs blame to see who added each dependency, git pkgs history <package> to trace a package’s version changes over time, and git pkgs diff to compare dependencies between branches or commits. The Ruby ...
Package Management is a Wicked Problem
In 1973, Horst Rittel and Melvin Webber published “Dilemmas in a General Theory of Planning”, introducing the concept of “wicked problems” in urban planning. Wicked problems are problems where the act of trying to solve them changes what the problem is. Problems where you can’t test solutions in advance. Problems where every stakeholder has a different definition of success. Package management fits the definition. I’ve spent years working on package manager data and tooling, and the more I lea...
A Protocol for Package Management
Writing about testing package managers like Jepsen tests databases got me thinking about what sits underneath all the ecosystem-specific details. We can describe HTTP without talking about Apache or nginx. We can discuss database consistency models without reference to PostgreSQL or MySQL. But when we talk about package management, the conversation immediately becomes about npm’s node_modules hoisting or Cargo’s semver-compatible version deduplication or Go’s minimal version selection, rather th...