Latest posts
- Content addressing in package managersJul 07, 2026Andrew Nesbitt
Content addressing identifies a piece of data by a cryptographic hash of its contents rather than by a name or a location. Two copies of the same bytes get the same identifier wherever they came from, a single changed bit produces a completely different one, and because the identifier is derived from the data itself it works as a lookup key and an integrity check at the same time. I keep running i
- This Week in Package Management: 4 July 2026Jul 04, 2026Andrew Nesbitt
Week seven of the roundup, built from the package manager OPML feed collection and whatever I’ve posted or boosted on Mastodon. Releases Hex 2.5.0 adds organisation-defined dependency policies: an organisation publishes a named policy through its repository, a project opts in via HEX_POLICY or the :hex block in mix.exs, and resolution then filters out versions that carry an advisory above a given
- The CRA is not about open sourceJul 01, 2026Andrew Nesbitt
At FOSDEM in February and again at UN Open Source Week last week, the Cyber Resilience Act was the answer on offer whenever anyone asked what governments are doing about open source security, and the foundations and corporate advocates presenting it framed it as good news for open source. It is the largest piece of software legislation the EU has passed, the open source community spent two years l
- Taking Roads and Bridges literallyJun 30, 2026Andrew Nesbitt
I spent last week at UN Open Source Week, where officials from a dozen governments stood up in turn and described open source as critical infrastructure. That framing has been the standard one since Nadia Eghbal’s Roads and Bridges report for the Ford Foundation in 2016, and after ten years it has finally reached the audience it describes. Sitting in a UN conference room full of people whose job i
- Unbundling the standard libraryJun 29, 2026Andrew Nesbitt
I got sent a link to a pull request against Dan Burton’s composition, a tiny Haskell package whose whole gimmick is that it depends on nothing, not even base. The upcoming GHC 10.2 breaks it: built-in names resolve through a real module, GHC.Essentials, which is in base, so from 10.2 every package picks up an implicit base dependency whether the cabal file declares one or not. The PR added a flag
- This Week in Package Management: 27 June 2026Jun 27, 2026Andrew Nesbitt
Week six of the roundup, built from the package manager OPML feed collection and whatever I’ve posted or boosted on Mastodon. Releases Spack 1.2.0 makes the rewritten parallel installer the default, adds concretization groups and concretization caching, and ships SBOM generation alongside experimental build sandboxing and a spack isolate command. pnpm 11.9 computes a tarball’s integrity from the d
- Incident Report: CVE-2026-LGTMJun 26, 2026Andrew Nesbitt
Report filed: 04:13 UTC Status: Resolved (by treaty) Severity: Informational → Critical → Withdrawn → Critical → Negotiated Duration: 96 hours (billable: 2.1 trillion tokens) Affected systems: All of them, plus several we do not own Executive Summary: A security incident occurred. Our AI-augmented defence-in-depth strategy, deployed in direct response to CVE-2024-YIKES, performed exactly as config
- Scrutineer: scanning open source without flooding maintainersJun 25, 2026Andrew Nesbitt
Scrutineer scans open source repositories for security vulnerabilities and then handles everything that follows: verifying each one, working out who to contact, drafting a fix, and tracking it through to a published advisory. I’ve been building it for Alpha-Omega for the past couple of months. Large language models have made finding vulnerabilities in open source code much easier. Point one at a c
- Sunsetting a Package ManagerJun 23, 2026Andrew Nesbitt
On December 2nd 2026, CocoaPods trunk goes read-only. Orta Therox set the plan out in 2024: the server stops accepting new pods and new versions, while the more than 100,000 libraries already published keep resolving through the Specs repo on GitHub and the CDN on jsDelivr, so every existing Podfile resolves exactly as it did the day before. The maintainers had run out of people, Apple’s Swift Pac
- This Week in Package Management: 20 June 2026Jun 20, 2026Andrew Nesbitt
Week five of the roundup, built from the package manager OPML feed collection and whatever I’ve posted or boosted on Mastodon. Releases sbt 2.0.0 moves build definitions and plugins to Scala 3, requires JDK 17, and replaces the caching layer with a Bazel-compatible local/remote cache that the rewritten compile and test tasks use. The project matrix plugin is now built in and a native-image client