December 2025
Open Source Activity in 2025
A look back at my open source work in 2025: ecosyste.ms, supply chain security tooling, and Ruby gems
Community Tools Bring Lockfile Support to GitHub Actions
Community projects gh-actions-lockfile and ghasum address GitHub's missing lockfile support with SHA pinning and integrity verification
Categorizing Package Registries
Sorting package registries by architecture, review model, namespacing, governance, and other structural differences.
Categorizing Package Manager Clients
Sorting package manager clients by resolution algorithms, lockfile strategies, build hooks, and manifest formats.
The Compact Index: How Bundler Scales Dependency Resolution
The append-only index format that saved RubyGems.org, inspired Cargo's sparse index, and could speed up npm and PyPI too.
How to Ruin All of Package Management
Attach financial incentives to open source metrics and watch the spam flood in.
How uv got so fast
uv's speed comes from engineering decisions, not just Rust. Static metadata, dropping legacy formats, and standards that didn't exist five years ago.
Cursed Bundler: Using go get to install Ruby Gems
Go's module system accidentally created a universal, content-addressed, transparency-logged package CDN. You could abuse this for any language.
Package managers keep using git as a database, it never works out
Git repositories seem like an elegant solution for package registry data. Pull requests for governance, version history for free, distributed by design. But as registries grow, the cracks appear.
Could lockfiles just be SBOMs?
Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?
Package Registries Are Governance Providers
Registries host files, but they also decide who owns names, how disputes resolve, and what gets removed. That second job is governance.
Jekyll Stats Plugin
A Jekyll plugin that adds a stats command to show word counts, reading time, posting frequency, and tag distributions.
Federated Package Management and the Zooko Triangle
The trade-offs that make decentralized package management impractical
Package Managers Devroom at FOSDEM 2026: Schedule Announced
Nine talks on supply chain security, dependency resolution, and registry economics
Why JavaScript Needed Docker
How Docker became JavaScript's real lockfile
Docker is the Lockfile for System Packages
Why Docker filled the reproducibility gap that system package managers left open
Typosquatting in Package Managers
A reference guide to typosquatting techniques, real-world examples, and detection tools.
How I Assess Open Source Libraries
What I actually look at when deciding whether to adopt a dependency.
Supply Chain Security Tools for Ruby
Ruby implementations of PURL, VERS, SBOM, SWHID, and SARIF specs.
Building Ecosyste.ms Polite API Rate Limits
Tiered rate limiting that rewards good citizenship: API keys, polite users, and everyone else.
Slopsquatting meets Dependency Confusion
LLMs can leak internal package names, making dependency confusion attacks easier to scale.
Why I'm Fascinated by Package Management
From gaming magazine CDs to dependency graphs
GitHub Actions Has a Package Manager, and It Might Be the Worst
GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning
Package Manager Design Tradeoffs
Design tradeoffs in package managers
What is a Package Manager?
What is a package manager? Perhaps quite a few more components than you might think
PromptVer
A semver-compatible versioning scheme for the age of LLMs.