Feed Atlas
OPML directory + server-side RSS reader

nesbitt.io

SiteRSSBlogs
Back

Latest posts

  • Content addressing in package managers
    Jul 07, 2026Andrew Nesbitt

    Content addressing identifies a piece of data by a cryptographic hash of its contents rather than by a name or a location. Two copies of the same bytes get the same identifier wherever they came from, a single changed bit produces a completely different one, and because the identifier is derived from the data itself it works as a lookup key and an integrity check at the same time. I keep running i

  • This Week in Package Management: 4 July 2026
    Jul 04, 2026Andrew Nesbitt

    Week seven of the roundup, built from the package manager OPML feed collection and whatever I’ve posted or boosted on Mastodon. Releases Hex 2.5.0 adds organisation-defined dependency policies: an organisation publishes a named policy through its repository, a project opts in via HEX_POLICY or the :hex block in mix.exs, and resolution then filters out versions that carry an advisory above a given

  • The CRA is not about open source
    Jul 01, 2026Andrew Nesbitt

    At FOSDEM in February and again at UN Open Source Week last week, the Cyber Resilience Act was the answer on offer whenever anyone asked what governments are doing about open source security, and the foundations and corporate advocates presenting it framed it as good news for open source. It is the largest piece of software legislation the EU has passed, the open source community spent two years l

  • Taking Roads and Bridges literally
    Jun 30, 2026Andrew Nesbitt

    I spent last week at UN Open Source Week, where officials from a dozen governments stood up in turn and described open source as critical infrastructure. That framing has been the standard one since Nadia Eghbal’s Roads and Bridges report for the Ford Foundation in 2016, and after ten years it has finally reached the audience it describes. Sitting in a UN conference room full of people whose job i

  • Unbundling the standard library
    Jun 29, 2026Andrew Nesbitt

    I got sent a link to a pull request against Dan Burton’s composition, a tiny Haskell package whose whole gimmick is that it depends on nothing, not even base. The upcoming GHC 10.2 breaks it: built-in names resolve through a real module, GHC.Essentials, which is in base, so from 10.2 every package picks up an implicit base dependency whether the cabal file declares one or not. The PR added a flag

  • This Week in Package Management: 27 June 2026
    Jun 27, 2026Andrew Nesbitt

    Week six of the roundup, built from the package manager OPML feed collection and whatever I’ve posted or boosted on Mastodon. Releases Spack 1.2.0 makes the rewritten parallel installer the default, adds concretization groups and concretization caching, and ships SBOM generation alongside experimental build sandboxing and a spack isolate command. pnpm 11.9 computes a tarball’s integrity from the d

  • Incident Report: CVE-2026-LGTM
    Jun 26, 2026Andrew Nesbitt

    Report filed: 04:13 UTC Status: Resolved (by treaty) Severity: Informational → Critical → Withdrawn → Critical → Negotiated Duration: 96 hours (billable: 2.1 trillion tokens) Affected systems: All of them, plus several we do not own Executive Summary: A security incident occurred. Our AI-augmented defence-in-depth strategy, deployed in direct response to CVE-2024-YIKES, performed exactly as config

  • Scrutineer: scanning open source without flooding maintainers
    Jun 25, 2026Andrew Nesbitt

    Scrutineer scans open source repositories for security vulnerabilities and then handles everything that follows: verifying each one, working out who to contact, drafting a fix, and tracking it through to a published advisory. I’ve been building it for Alpha-Omega for the past couple of months. Large language models have made finding vulnerabilities in open source code much easier. Point one at a c

  • Sunsetting a Package Manager
    Jun 23, 2026Andrew Nesbitt

    On December 2nd 2026, CocoaPods trunk goes read-only. Orta Therox set the plan out in 2024: the server stops accepting new pods and new versions, while the more than 100,000 libraries already published keep resolving through the Specs repo on GitHub and the CDN on jsDelivr, so every existing Podfile resolves exactly as it did the day before. The maintainers had run out of people, Apple’s Swift Pac

  • This Week in Package Management: 20 June 2026
    Jun 20, 2026Andrew Nesbitt

    Week five of the roundup, built from the package manager OPML feed collection and whatever I’ve posted or boosted on Mastodon. Releases sbt 2.0.0 moves build definitions and plugins to Scala 3, requires JDK 17, and replaces the caching layer with a Bazel-compatible local/remote cache that the rewritten compile and test tasks use. The project matrix plugin is now built in and a native-image client