nesbitt.io

Feed link: 51 articles in total

What does Open Source mean?

Every few months someone declares that “X will kill open source” or that “open source is not sustainable” or that “open source won”, and every time the responses split into factions that seem to be having completely different conversations. People have been pointing this out for at least a decade. Replacement terms like “post-open source” never stuck, because the problem isn’t the label. The phrase “open source” carries so many meanings that people routinely talk past each other while using the ...

2026-04-04 10:00 Original link

Package Manager Easter Eggs

It’s Easter, so here’s a tour of the easter eggs hiding inside package managers. The very first known easter egg in software dates back to 1967-68 on the PDP-6/PDP-10, where typing make love at the TOPS-10 operating system’s COMPIL program would pause and respond “not war?” before creating the file. apt and friends A cow-shaped thread runs through the history of system package managers, starting with apt-get moo : $ apt-get moo (__) (oo) /------\/ / | || * /\---/\ ~~ ~~ ..."Have you mooed today?...

2026-04-03 10:00 Original link

npm’s Defaults Are Bad

Yesterday the axios package was compromised on npm. An attacker hijacked a maintainer account, published two malicious versions that bundled a remote access trojan through a staged dependency called plain-crypto-js , and the versions were live for two to three hours before npm pulled them. Axios gets 83 million weekly downloads. This keeps happening over and over and over and the post-incident conversation always goes the same way: was the maintainer using MFA, should the registry have caught it...

2026-03-31 10:00 Original link

Git Diff Drivers

When I added a diff driver to git-pkgs , most of the work was already done. git-pkgs could parse 29 lockfile formats and extract dependency lists, so wiring that into git’s textconv mechanism was a small addition that turned git diff on a lockfile from 200 lines of resolver noise into a handful of dependency changes. That got me looking at what else people had built on top of git’s diff driver system, and at the 28 built-in drivers that git ships, none of which has made it into any forge or GUI ...

2026-03-30 10:00 Original link

The Roles of Packages

Greg Wilson’s recent post An E-Bike for the Mind reminded me of Jorma Sajaniemi’s work on the roles of variables. Sajaniemi found that just eleven roles cover nearly all variables in novice programs: stepper, most-wanted holder, gatherer, one-way flag, and so on. As Wilson puts it, types tell you about a variable’s state at rest while roles tell you about its state in motion. Once you learn the roles, you can look at unfamiliar code and immediately recognize the shape of the algorithm from how d...

2026-03-29 10:00 Original link

The Top 10 Biggest Conspiracies in Open Source

10. Dependabot is a surveillance program GitHub’s Dependabot builds a real-time map of which companies use which software, how quickly they respond to security advisories, and how their internal code review processes work. The pull requests are a side effect of the data collection, and the actual product is the response-time dataset, which correlates strongly with engineering team health and is quietly sold to recruiters through a subsidiary that nobody has been able to identify by name. The noi...

2026-03-25 10:00 Original link

How to Attract AI Bots to Your Open Source Project

I complained on Mastodon about not getting any AI-authored PRs on my open source projects. Mauro Pompilio responded by using Claude to write this post and opening a pull request to add it to my blog. I merged it, which I suppose counts as my first AI-assisted contribution. Enjoy! I maintain several dozen open source repositories across multiple ecosystems. Between them they have thousands of stars, hundreds of open issues, and years of commit history. And yet not a single AI agent has ever opene...

2026-03-21 10:00 Original link

Package Manager Mirroring

Mike Fiedler from PyPI asked me recently: which package ecosystems have mirroring tools and what protocols do they use? Here’s what I found. This post primarily covers mirroring: tools and protocols for creating and maintaining copies of package registries. It doesn’t cover private registries, artifact storage, or dependency proxying except where those tools also support mirroring. Ecosystems with mirroring tools apt/deb (Debian, Ubuntu) The most mature mirroring ecosystem, with several tools at...

2026-03-20 10:00 Original link

The Fragmented World of Dependency Policy

I’ve been thinking about adding policy features to git-pkgs/actions , the GitHub Actions that check licenses, scan for vulnerabilities, and generate SBOMs during CI. The license action currently takes a comma-separated list of SPDX identifiers and the vulnerability action takes a severity string, which is fine for simple cases but obviously not enough once you need to ignore specific CVEs with expiry dates, ban particular packages regardless of license, allow exceptions for vetted transitive dep...

2026-03-19 10:00 Original link

Git Remote Helpers

Bastien Guerry from Software Heritage recently nerd-sniped me with an idea for a git-remote-swh that would let you git clone from a SWHID , pulling source code directly from Software Heritage’s archive by content hash rather than by URL. Building that means writing a git remote helper, which sent me back to the gitremote-helpers docs and down the rabbit hole of how many of these things already exist. I covered remote helpers briefly in my earlier post on extending git functionality , but the pro...

2026-03-18 10:00 Original link

Guided Meditation for Developers

Find a comfortable position. Close your laptop halfway, so the screen light softens but the fan noise continues. That hum is your anchor. You will return to it throughout this practice. Take a deep breath in. Hold it. Now run npm install . Breathe out slowly as 1,247 packages are added. Do not look at the output. You are not ready. Body scan We will begin with a body scan. Bring your attention to the top of your head. Notice any tension you are holding there. This is where you store your aware...

2026-03-15 10:00 Original link

What’s Going On with FAIR Package Manager

The FAIR package manager started as a response to the 2024 Automattic/WP Engine conflict, when Matt Mullenweg used access to the WordPress.org plugin repository as leverage in a business dispute. Plugin authors and hosting companies watched a single person effectively weaponize the central registry, and FAIR was built to make sure that couldn’t happen again, assembling federated package distribution, cryptographic identity with DIDs and ED25519 signatures, and a labeler system borrowed from Blue...

2026-03-14 10:00 Original link

Forge

I keep ending up in the same place. With Libraries.io and ecosyste.ms it was package registries that all do the same thing with different APIs and different metadata formats. With git-pkgs it was lockfile formats. The pattern is always the same: open source infrastructure that does roughly the same job across ecosystems, but with enough differences in the details to make working across all of them painful. So you build a common interface and absorb the differences. Git forges are the same kind o...

2026-03-13 10:00 Original link

Reviewing ENISA’s Package Manager Advisory

ENISA, the EU’s cybersecurity agency, published a Technical Advisory for Secure Use of Package Managers in March 2026, a 26-page guide aimed at developers consuming third-party packages. I’ve been writing about package management since November 2025 and wanted to see how their recommendations line up with what I’ve found. ENISA ran a public feedback call from December 2025 to January 2026 and received fifteen contributions. I was publishing nearly every day on these same topics during that exact...

2026-03-12 10:00 Original link

git-pkgs/actions

Until now git-pkgs has been a local tool: you run it in your terminal to query dependency history, scan for vulnerabilities, and check licenses. Getting it into CI meant downloading the binary yourself, initializing the database, and wiring up whatever checks you wanted by hand. git-pkgs/actions is a set of reusable GitHub Actions that handle all of that. A setup action downloads the binary and initializes the database, and the rest build on top of it. A dependency diff on pull requests is three lin...

2026-03-11 10:00 Original link

Just Use Postgres

A couple of weeks ago I wrote about storing git repositories in Postgres and built gitgres to prove it worked. Two tables, some PL/pgSQL, a libgit2 backend, and you could push to and clone from a database. The post ended with a missing piece: the server-side pack protocol, the part that lets a Postgres instance serve git push and git clone over HTTP without a separate application in front of it. I built that missing piece as omni_git , a Postgres extension that implements the git smart HTTP prot...

2026-03-10 10:00 Original link

100 Posts

I didn’t expect to make it here. Back in November 2025 I was on a call talking about how we should document more of how package managers work so people can more easily build tools to consume the data within them, and one attendee suggested we didn’t need to do that because their open source software provided everything you would need. This was pretty frustrating, so I started rage documenting package managers and it unlocked years of material wrapped up inside my head. Around this time paid work b...

2026-03-09 10:00 Original link

Package Managers Need to Cool Down

This post was requested by Seth Larson , who asked if I could do a breakdown of dependency cooldowns across package managers. His framing: all tools should support a globally-configurable exclude-newer-than=<relative duration> like 7d , to bring the response times for autonomous exploitation back into the realm of human intervention. When an attacker compromises a maintainer’s credentials or takes over a dormant package, they publish a malicious version and wait for automated tooling to pu...

2026-03-04 10:00 Original link

Package Management is Naming All the Way Down

Package managers are usually described by what they do: resolve dependencies, download code, build artifacts. But if you look at the structure of the system instead of the process, nearly every part of it is a naming problem, and the whole thing works because we’ve agreed on how to interpret strings at each layer and because a registry sits in the middle translating between them. Registries When you run gem install rails , the client needs to know where to look. RubyGems defaults to rubygems.org...

2026-03-03 10:00 Original link

Transitive Trust

Ken Thompson’s 1984 Turing Award lecture, Reflections on Trusting Trust , described a C compiler modified to insert a backdoor into the login program, then modified again so the compiler would replicate the backdoor in future versions of itself without any trace in the source. The source was clean, the binary was compromised, and the only way to discover the backdoor was to rebuild the entire compiler toolchain from scratch and compare the output, which nobody was going to do. The explosion of o...

2026-03-02 10:00 Original link

Page 1 of 3