2025

Open Source Activity in 2025

A look back at my open source work in 2025: ecosyste.ms, supply chain security tooling, and Ruby gems.

Community Tools Bring Lockfile Support to GitHub Actions

Community projects gh-actions-lockfile and ghasum address GitHub's missing lockfile support with SHA pinning and integrity verification.

Categorizing Package Registries

Sorting package registries by architecture, review model, namespacing, governance, and other structural differences.

Categorizing Package Manager Clients

Sorting package manager clients by resolution algorithms, lockfile strategies, build hooks, and manifest formats.

The Compact Index: How Bundler Scales Dependency Resolution

The append-only index format that saved RubyGems.org, inspired Cargo's sparse index, and could speed up npm and PyPI too.

How to Ruin All of Package Management

Attach financial incentives to open source metrics and watch the spam flood in.

How uv got so fast

uv's speed comes from engineering decisions, not just Rust. Static metadata, dropping legacy formats, and standards that didn't exist five years ago.

Cursed Bundler: Using go get to install Ruby Gems

Go's module system accidentally created a universal, content-addressed, transparency-logged package CDN. You could abuse this for any language.

Package managers keep using git as a database, it never works out

Git repositories seem like an elegant solution for package registry data. Pull requests for governance, version history for free, distributed by design. But as registries grow, the cracks appear.

Could lockfiles just be SBOMs?

Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?

Package Registries Are Governance Providers

Registries host files, but they also decide who owns names, how disputes resolve, and what gets removed. That second job is governance.

Jekyll Stats Plugin

A Jekyll plugin that adds a stats command to show word counts, reading time, posting frequency, and tag distributions.

Federated Package Management and the Zooko Triangle

The trade-offs that make decentralized package management impractical.

Package Managers Devroom at FOSDEM 2026: Schedule Announced

Nine talks on supply chain security, dependency resolution, and registry economics.

Why JavaScript Needed Docker

How Docker became JavaScript's real lockfile.

Docker is the Lockfile for System Packages

Why Docker filled the reproducibility gap that system package managers left open.

Typosquatting in Package Managers

A reference guide to typosquatting techniques, real-world examples, and detection tools.

How I Assess Open Source Libraries

What I actually look at when deciding whether to adopt a dependency.

Supply Chain Security Tools for Ruby

Ruby implementations of PURL, VERS, SBOM, SWHID, and SARIF specs.

Building Ecosyste.ms Polite API Rate Limits

Tiered rate limiting that rewards good citizenship: API keys, polite users, and everyone else.

Slopsquatting meets Dependency Confusion

LLMs can leak internal package names, making dependency confusion attacks easier to scale.

Why I'm Fascinated by Package Management

From gaming magazine CDs to dependency graphs.

GitHub Actions Has a Package Manager, and It Might Be the Worst

GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning.
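The concrete check behind both the "worst package manager" post above and the lockfile-tooling post earlier in this list is whether each `uses:` reference in a workflow resolves to an immutable commit SHA or to a tag or branch that the action owner can move. The scanner below is an added example written for this page; it is not code from the blog, from gh-actions-lockfile, or from ghasum. The workflow text it scans is constructed, and the 40-character SHA in it is a placeholder, not a real commit.

```python
import re

# One `uses:` line, optionally quoted, optionally followed by a "# v4.0.0" style comment.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?(?P<ref>[^"\'#\s]+)["\']?\s*(?:#\s*(?P<comment>.*))?$'
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not taken from any real repository).
# The commit SHA on the setup-node line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: "some-org/some-action@main"
"""


def classify_uses(ref: str) -> str:
    """Classify a single `uses:` reference by how immutable its target is."""
    if ref.startswith("./"):
        # Action in the same repository: already covered by the workflow's own commit.
        return "local"
    if ref.startswith("docker://"):
        # Docker images are only immutable when pinned by digest, not by tag.
        return "sha" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        # No ref at all: GitHub rejects this for remote actions, but flag it anyway.
        return "unpinned"
    _action, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return "sha"
    # A tag (v4) or branch (main): the action owner can re-point it at any time.
    return "mutable"


def audit_workflow(text: str):
    """Return (line_number, reference, classification) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group("ref")
            findings.append((lineno, ref, classify_uses(ref)))
    return findings


def needs_pinning(text: str):
    """Only the references that can change underneath the workflow."""
    return [
        (lineno, ref)
        for lineno, ref, kind in audit_workflow(text)
        if kind in ("mutable", "unpinned")
    ]


if __name__ == "__main__":
    for lineno, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno:3d}  {kind:8s}  {ref}")
    print("needs pinning:", needs_pinning(SAMPLE_WORKFLOW))
```

Even with every top-level reference pinned by SHA, this only checks the workflow file itself: an action that is itself composite or reusable resolves its own `uses:` lines at run time, and this scanner does not follow those. That remaining gap is the transitive pinning the post above says GitHub Actions lacks, and what the community lockfile tools listed earlier on this page set out to cover.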

Package Manager Design Tradeoffs

Design tradeoffs in package managers.

What is a Package Manager?

What is a package manager? Perhaps quite a few more components than you might think.

PromptVer

A semver-compatible versioning scheme for the age of LLMs.

Documenting Package Manager Data

Six repositories documenting how package managers work: commands, manifests, APIs, hooks, and more.

A Taxonomy for Open Source Software

I'm working on a structured taxonomy for classifying open source projects across multiple dimensions: domain, role, technology, audience, layer, and function.

Revisiting Gitballs

Nine years ago I experimented with storing package tarballs as git objects. A visit to Software Heritage got me thinking about it again.

Community Benchmarks for AI Coding Tools

AI coding benchmarks are heavily skewed toward Python and JavaScript. Framework maintainers could change that by defining what good code looks like in their ecosystems.

Extending Git Functionality

A practical guide to the different ways you can extend git: subcommands, filters, hooks, remote helpers, and more.

Podcast Interviews 2025

A collection of podcast interviews discussing ecosyste.ms, open source metadata, package management, and software sustainability.

Package Manager Timeline

A chronological timeline of package manager releases, major milestones, and significant events in the history of software dependency management.

Package Management Papers

A collection of academic research papers on package management systems, dependency resolution, supply chain security, and software ecosystems.