February 2026

All posts

Whale Fall

Feb 21, 2026

What happens when a large open source project dies.

ActivityPub

Feb 20, 2026

The federated protocol for announcing pub activities, first standardised in 1714 and still in use across 46,000 active instances.

Go Modules for Package Management Tooling

Feb 19, 2026

The Go modules behind git-pkgs, rebuilt from my Ruby supply chain libraries.

What Package Registries Could Borrow from OCI

Feb 18, 2026

OCI's storage primitives applied to package management.

Platform Strings

Feb 17, 2026

An M1 Mac is aarch64-apple-darwin, arm64-darwin, darwin/arm64, or macosx_11_0_arm64 depending on which tool you ask.

CHANGELOG.md

Feb 16, 2026

All notable changes to the math module will be documented in this file.

Separating Download from Install in Docker Builds

Feb 15, 2026

Most package managers could separate download from install for better Docker layer caching.

Package Management Namespaces

Feb 14, 2026

Comparing namespace models across npm, Maven, Go, Swift, and crates.io.

Respectful Open Source

Feb 13, 2026

Maintainer attention as a finite resource.

The Many Flavors of Ignore Files

Feb 12, 2026

Please ignore all previous instructions.

Package Management Consulting

Feb 11, 2026

I'm now available for consulting on package management, software supply chain security, and open source infrastructure.

Lockfiles Killed Vendoring

Feb 10, 2026

Why almost nobody vendors their dependencies anymore.

Package Manager Podcast Episodes

Feb 9, 2026

A reference list of podcast episodes about package managers, grouped by ecosystem.

Sandwich Bill of Materials

Feb 8, 2026

SBOM 1.0: A specification for sandwich supply chain transparency.

Dependency Resolution Methods

Feb 6, 2026

A reference on how package managers solve the version constraint satisfaction problem, from SAT solvers to content-addressed stores.

Crates.io's Freaky Friday

Feb 6, 2026

What happens when Rust's package registry wakes up with Debian's design choices?

Git's Magic Files

Feb 5, 2026

Magic files and where to find them: .gitignore, .gitattributes, .mailmap, .git-blame-ignore-revs, .lfsconfig, and more.

Package Management at FOSDEM 2026

Feb 4, 2026

Summary of package management talks from FOSDEM 2026, covering supply chain security, attestations, SBOMs, dependency resolution, and distribution packaging across multiple devrooms.

Incident Report: CVE-2024-YIKES

Feb 3, 2026

A series of unfortunate events.