Latest posts
- The Mismeasure of Open Source (May 09, 2026, Andrew Nesbitt)
Every attempt to score open source projects for criticality, risk, or funding need ends up built on roughly the same dozen signals, because those are the dozen signals you can get from a registry API and the GitHub REST endpoints in an afternoon. I wrote earlier this week about the 2015 CII census, whose formula scored xz-utils a 6 out of 13 and let it sink to row 254, and which nonetheless got mo
- Weekend at Bernie’s (May 08, 2026, Andrew Nesbitt)
In the 1989 film, two junior employees turn up at their boss’s beach house to find him dead, and spend the rest of the weekend wheeling him around the party with sunglasses on so nobody notices. The other guests keep slapping him on the back and putting drinks in his hand. It works because nobody looks too closely and because everyone has a strong incentive for Bernie to still be alive. I have spe
- Free as in Tribbles (May 07, 2026, Andrew Nesbitt)
The free software movement gave us two prepositions to argue over. Free as in beer: it costs you nothing. Free as in speech: you can do what you like with it. Stallman spent decades insisting the second was the one that mattered and the first was nearly a distraction, which is why the FSF ended up maintaining a page about the word “free” that runs longer than most licences. Somewhere around the ti
- Revisiting the 2015 Open Source Census (May 06, 2026, Andrew Nesbitt)
In July 2015, a year after Heartbleed, the Linux Foundation’s Core Infrastructure Initiative published a census of open source projects. The idea was to find the next OpenSSL before it found us: take every package in Debian’s popularity contest, score it for risk, and produce a ranked list of where to send help. David Wheeler designed the scoring, a small team did manual review, and the output was
- Package Manager Threat Models (May 05, 2026, Andrew Nesbitt)
The previous post catalogued the bugs that get filed against package managers: path traversal in the extractor, argument injection in the git driver, XSS in the registry’s README renderer. Things you can find by reading code, point at a line number, and patch. This post is the other half. The properties below are working as designed, so nobody files a CVE for them. They’re also where almost every
- Package Manager CWEs (May 04, 2026, Andrew Nesbitt)
I went through every public CVE and security advisory I could find that was filed against a package manager itself. Clients and registries both: language package managers, system package managers, self-hosted registry servers, the lot. The same dozen or so failure modes appear independently in tool after tool, often years apart, because the people building package manager number nineteen don’t alw
- A GitHub for maintainers (May 02, 2026, Andrew Nesbitt)
Mat Duggan wrote up what he’d want from a GitHub replacement and it’s a reasonable list if you’re the one at the keyboard. Stacked PRs, pre-push feedback, offline review, lazy history, graduated approval states. Reading through it I kept noticing that almost every item is a client problem, and the clients are already solving it. Jujutsu does stacked changes better than any web UI is going to. Revi
- Patching and forking in package managers (May 01, 2026, Andrew Nesbitt)
When a dependency has a known vulnerability and no maintainer to release a fix, you have to fix it yourself. Clone the source, apply the patch, get the patched version back into your dependency tree. The volume of reported CVEs is going to rise, and many will land in packages where nobody is around to cut a release. System package managers handled this a long time ago. Debian’s debian/patches/ wit
- Announcing the 2026 Open Source Fantasy Draft (Apr 30, 2026, Andrew Nesbitt)
Registration is now open for the sixth season of the Open Source Fantasy League. Twelve teams, snake draft, standard scoring. The board goes live next Tuesday and as commissioner I’m publishing the rule changes and some notes on this year’s class before everyone starts arguing in the group chat. For anyone joining fresh: you draft a roster of maintainers, you score points when their packages get d
- GitHub Actions is the weakest link (Apr 28, 2026, Andrew Nesbitt)
Pick almost any open source supply chain incident from the past eighteen months and trace it back, and you end up reading a .github/workflows YAML file. Ultralytics shipping a crypto miner to PyPI, the nx packages that turned thousands of developer machines into credential harvesters, tj-actions leaking secrets from 23,000 repositories, Trivy getting compromised twice in three weeks, elementary-da